termux-packages
[Bug]: frida-server causes system crashes/soft reboots
Problem description
Starting from the last frida update, maybe, running frida-server seems to crash system_server. Most of the time, but not always, my devices also get stuck in a (soft-)bootloop (as in, the boot animation runs, but background processes, ssh sessions etc. continue running). I have observed this on two Samsung devices running lineage-18.1, so the issue could be specific to lineage-18.1 or Samsung.
Using a frida-server binary from upstream (https://github.com/frida/frida/releases) works, so the issue is specific to our build.
Relevant logcat output from starting our frida-server looks like:
```
08-01 11:29:37.050 0 0 D [7: frida-server:11121] SELinux: 16384 avtab hash slots, 47507 rules.
08-01 11:29:37.057 0 0 D [7: frida-server:11121] SELinux: 16384 avtab hash slots, 47507 rules.
08-01 11:29:37.057 0 0 D [7: frida-server:11121] SELinux: 1 users, 4 roles, 1708 types, 0 bools, 1 sens, 1024 cats
08-01 11:29:37.057 0 0 D [7: frida-server:11121] SELinux: 99 classes, 47507 rules
08-01 11:29:37.058 0 0 I [7: frida-server:11121] SELinux: Class cap_lod not defined in policy.
08-01 11:29:37.058 0 0 I [7: frida-server:11121] SELinux: Class cap2_lod not defined in policy.
08-01 11:29:37.058 0 0 I [7: frida-server:11121] SELinux: the above unknown classes and permissions will be denied
08-01 11:29:37.041 3927 3927 I auditd : type=1403 audit(0.0:1073): policy loaded auid=4294967295 ses=4294967295
08-01 11:29:37.041 11121 11121 W frida-server: type=1300 audit(0.0:1073): arch=c00000b7 syscall=64 success=yes exit=802112 a0=3 a1=7ca2954040 a2=c3d40 a3=0 items=0 ppid=10922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 exe="/data/data/com.termux/files/usr/bin/frida-server" subj=u:r:su:s0 key=(null)
08-01 11:29:37.041 3927 3927 W auditd : type=1327 audit(0.0:1073): proctitle="/data/data/com.termux/files/usr/bin/frida-server"
--------- beginning of crash
08-01 11:29:37.357 4376 11127 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 11127 (system_server), pid 4376 (system_server)
08-01 11:29:37.501 11130 11130 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
08-01 11:29:37.502 4056 4056 I tombstoned: received crash request for pid 11127
08-01 11:29:37.503 11130 11130 I crash_dump64: performing dump of process 4376 (target tid = 11127)
08-01 11:29:37.532 11130 11130 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-01 11:29:37.532 11130 11130 F DEBUG : LineageOS Version: '18.1-20210821-UNOFFICIAL-dream2lte'
08-01 11:29:37.532 11130 11130 F DEBUG : Build fingerprint: 'samsung/dream2ltexx/dreamlte:8.0.0/R16NW/G955FXXU1CRC7:user/release-keys'
08-01 11:29:37.532 11130 11130 F DEBUG : Revision: '0'
08-01 11:29:37.532 11130 11130 F DEBUG : ABI: 'arm64'
08-01 11:29:37.534 11130 11130 F DEBUG : Timestamp: 2022-08-01 11:29:37+0200
08-01 11:29:37.534 11130 11130 F DEBUG : pid: 4376, tid: 11127, name: system_server >>> system_server <<<
08-01 11:29:37.534 11130 11130 F DEBUG : uid: 1000
08-01 11:29:37.534 11130 11130 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
08-01 11:29:37.534 11130 11130 F DEBUG : Cause: null pointer dereference
08-01 11:29:37.534 11130 11130 F DEBUG : x0 0000006de4e8e360 x1 0000006d7ac0fc30 x2 0000006d7ac0fc38 x3 000000000000006e
08-01 11:29:37.534 11130 11130 F DEBUG : x4 0000006d7ac0fb89 x5 0000000000000000 x6 67615f6164697266 x7 6e69616d5f746e65
08-01 11:29:37.534 11130 11130 F DEBUG : x8 0000000000000001 x9 0000000000004001 x10 0000000000000000 x11 00000070e095c9ad
08-01 11:29:37.534 11130 11130 F DEBUG : x12 00000070e095c998 x13 00000070e095e9ca x14 0000000000000006 x15 ffffffffffffffff
08-01 11:29:37.534 11130 11130 F DEBUG : x16 0000000000000030 x17 00000070e0a146b0 x18 0000006d37c42000 x19 0000000000000000
08-01 11:29:37.534 11130 11130 F DEBUG : x20 0000006de4e8e000 x21 0000000000000134 x22 0000000000001118 x23 0000000000001118
08-01 11:29:37.534 11130 11130 F DEBUG : x24 0000006d7ac0fcc0 x25 0000006d7ac0fcc0 x26 0000006d7ac0fff8 x27 00000000000fc000
08-01 11:29:37.535 11130 11130 F DEBUG : x28 0000006d7ab17000 x29 0000006d7ac0fc60
08-01 11:29:37.535 11130 11130 F DEBUG : lr 0000006de4e8d10c sp 0000006d7ac0fc30 pc 0000000000000000 pst 0000000080000000
08-01 11:29:37.679 11130 11130 F DEBUG : backtrace:
08-01 11:29:37.679 11130 11130 F DEBUG : #00 pc 0000000000000000 <unknown>
08-01 11:29:37.679 11130 11130 F DEBUG : #01 pc 0000000000000108 <anonymous:6de4e8d000>
```
I haven't managed to track down what in frida actually causes it, but it happens after frida_system_enumerate_processes is run.
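As an added triage example (not part of this report or of the termux-packages or frida projects), the script below parses logcat lines like the ones above and pairs the crash with the policy load that preceded it: the `type=1403` "policy loaded" record and the `type=1300` syscall record share audit serial 1073, and the syscall record names the executable (`exe=`) and SELinux context (`subj=`) that performed the load, so a system_server fatal signal a few hundred milliseconds later can be attributed to that start-up. The sample lines are copied from the report; the 2-second correlation window, the `Event` type and the field names in the finding are the example's own choices. It sorts by logcat timestamp before correlating because the kernel and main buffers interleave out of order (the 37.050 kernel line is printed above the 37.041 auditd line).

```python
"""Triage helper: attribute a process crash in Android logcat output to a
preceding SELinux policy load and the process that performed it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the logcat lines quoted in the report above.
SAMPLE_LOG = """\
08-01 11:29:37.050 0 0 D [7: frida-server:11121] SELinux: 16384 avtab hash slots, 47507 rules.
08-01 11:29:37.058 0 0 I [7: frida-server:11121] SELinux: the above unknown classes and permissions will be denied
08-01 11:29:37.041 3927 3927 I auditd : type=1403 audit(0.0:1073): policy loaded auid=4294967295 ses=4294967295
08-01 11:29:37.041 11121 11121 W frida-server: type=1300 audit(0.0:1073): arch=c00000b7 syscall=64 success=yes exit=802112 a0=3 a1=7ca2954040 a2=c3d40 a3=0 items=0 ppid=10922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 exe="/data/data/com.termux/files/usr/bin/frida-server" subj=u:r:su:s0 key=(null)
--------- beginning of crash
08-01 11:29:37.357 4376 11127 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 11127 (system_server), pid 4376 (system_server)
08-01 11:29:37.534 11130 11130 F DEBUG : Cause: null pointer dereference
"""

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL <tag and message>
LOGCAT_RE = re.compile(
    r"^(?P<md>\d{2}-\d{2}) (?P<h>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})\.(?P<ms>\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+(?P<rest>.*)$"
)
# Audit records: "type=<n> audit(<ts>:<serial>): k=v k=v ..."; the serial ties
# the 1403 (policy loaded) and 1300 (syscall) records of one event together.
AUDIT_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
FATAL_RE = re.compile(
    r"Fatal signal (?P<sig>\d+) \((?P<signame>\w+)\), code (?P<code>\d+) \((?P<codename>\w+)\), "
    r"fault addr (?P<addr>0x[0-9a-fA-F]+) in tid (?P<tid>\d+) \((?P<tname>[^)]+)\), "
    r"pid (?P<pid>\d+) \((?P<pname>[^)]+)\)"
)
CAUSE_RE = re.compile(r"DEBUG\s*:\s*Cause: (?P<cause>.*)$")


@dataclass
class Event:
    ts: float          # seconds since midnight, from the logcat timestamp
    pid: int
    tid: int
    level: str
    rest: str
    kind: str = "other"   # "audit", "fatal", "cause" or "other"
    data: Dict[str, str] = field(default_factory=dict)


def parse_logcat(text: str) -> List[Event]:
    """Parse logcat lines into Events, classified and sorted by timestamp."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # buffer separators such as "--------- beginning of crash"
        ts = int(m["h"]) * 3600 + int(m["min"]) * 60 + int(m["sec"]) + int(m["ms"]) / 1000
        ev = Event(ts, int(m["pid"]), int(m["tid"]), m["level"], m["rest"])
        a, f, c = AUDIT_RE.search(ev.rest), FATAL_RE.search(ev.rest), CAUSE_RE.search(ev.rest)
        if a:
            ev.kind = "audit"
            ev.data = {"type": a["type"], "serial": a["serial"]}
            # Quoted values (exe="...") lose their quotes; key=(null) stays as-is.
            ev.data.update((k, v.strip('"')) for k, v in KV_RE.findall(a["body"]))
        elif f:
            ev.kind, ev.data = "fatal", f.groupdict()
        elif c:
            ev.kind, ev.data = "cause", c.groupdict()
        events.append(ev)
    # Kernel and main buffers interleave, so the input is not time-ordered.
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events: List[Event], window_s: float = 2.0) -> List[Dict[str, str]]:
    """For each fatal signal, find the latest policy load (audit type 1403) within
    window_s before it and report which executable/context performed the load
    (the type 1300 record with the same serial; arch c00000b7 is AUDIT_ARCH_AARCH64,
    where syscall 64 is write, and exit=802112 equals a2, the byte count written)."""
    loads = [e for e in events if e.kind == "audit" and e.data.get("type") == "1403"]
    syscalls = {e.data["serial"]: e for e in events if e.kind == "audit" and e.data.get("type") == "1300"}
    causes = [e for e in events if e.kind == "cause"]
    findings: List[Dict[str, str]] = []
    for crash in (e for e in events if e.kind == "fatal"):
        prior = [l for l in loads if 0 <= crash.ts - l.ts <= window_s]
        if not prior:
            continue
        load = max(prior, key=lambda e: e.ts)
        sc = syscalls.get(load.data["serial"])
        cause = next((c.data["cause"] for c in causes if 0 <= c.ts - crash.ts <= window_s), "?")
        findings.append({
            "crashed": crash.data["pname"],
            "crash_pid": crash.data["pid"],
            "signal": crash.data["signame"],
            "fault_addr": crash.data["addr"],
            "cause": cause,
            "delta_ms": f"{(crash.ts - load.ts) * 1000:.0f}",
            "loader_exe": sc.data.get("exe", "?") if sc else "?",
            "loader_ctx": sc.data.get("subj", "?") if sc else "?",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_logcat(SAMPLE_LOG)):
        print(finding)
```

Run it against a full `logcat -b all` capture taken around the crash; if the loader attribution is missing (`?`), the 1300 record for that serial was not in the capture or the load came from a different audit serial, which is itself worth noting when comparing the Termux build with the upstream binary.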
What steps will reproduce the bug?
Run frida-server as root.
What is the expected behavior?
frida-server should start and not cause a system crash.
System information
termux-info:
```
Termux Variables:
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://grimler.se/termux/termux-main stable main
# root-repo (sources.list.d/root.list)
deb https://grimler.se/termux/termux-root root stable
# x11-repo (sources.list.d/x11.list)
deb https://grimler.se/termux/termux-x11 x11 main
# sources.list.d/pointless.list
deb https://its-pointless.github.io/files/24 termux extras
Updatable packages:
All packages up to date
termux-tools version:
1.24
Android version:
11
Kernel build information:
Linux localhost 4.4.111-ge6e6b41f98d8 #1 SMP PREEMPT Sat Aug 21 13:35:28 CEST 2021 aarch64 Android
Device manufacturer:
samsung
Device model:
SM-G955F
```