[Ubuntu][x86_64] Stalker is introducing memory corruption causing apps to misbehave #980

Open
krzyw1x opened this issue Nov 24, 2024 · 1 comment

krzyw1x commented Nov 24, 2024

Hi,

I am using the frida_gum library from release frida-gum-devkit-16.5.7-linux-x86_64.tar.xz and I noticed corruption introduced while rewriting, causing instrumented applications to misbehave.

System config:

```
> uname -a
Linux 6.8.0-49-generic #49-Ubuntu SMP PREEMPT_DYNAMIC Mon Nov  4 02:06:24 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

> ldd --version
ldd (Ubuntu GLIBC 2.39-0ubuntu8.3) 2.39

> lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

> lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          48 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   24
  On-line CPU(s) list:    0-23
Vendor ID:                AuthenticAMD
  Model name:             AMD Ryzen 9 7900X3D 12-Core Processor
```

PoC:

```cpp
// clang++-18 -o frida.so ./gum_test.cpp libfrida-gum.a -fPIC -shared
#include "frida-gum.h"
#include <stdlib.h>
#include <stdio.h>

// Transformer callback: keep every instruction of each basic block unchanged,
// so the only thing Stalker does to the target is relocate its code.
void instrument_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, gpointer user_data) {
        const cs_insn *instr;
        while (gum_stalker_iterator_next(iterator, &instr)) {
                gum_stalker_iterator_keep(iterator);
        }
}

// Runs when the library is loaded via LD_PRELOAD: start following the
// current thread with Stalker before the target's main() executes.
__attribute__((constructor))
static void initialize() {
        gum_init_embedded();
        GumStalker *stalker = gum_stalker_new();
        GumStalkerTransformer *transformer = gum_stalker_transformer_make_from_callback(instrument_basic_block, NULL, NULL);
        gum_stalker_follow_me(stalker, transformer, NULL);
}
```

Test:

```
LD_PRELOAD=./frida.so file
: could not find any valid magic files! (No such file or directory)
krzywix:tmp/ $ LD_PRELOAD=./frida.so file
file: could not find any valid magic files! (No such file or directory)
```

[... run a few more times and you will notice more artifacts ...]

```
krzywix:tmp/ $ LD_PRELOAD=./frida.so file
file: could not find any valid magi 0.000000iles! (No such file or directory)
krzywix:tmp/ $ LD_PRELOAD=./frida.so file
file: could not find any valid magic files! (No such file or directory)
```
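A small triage helper, added here and not part of the issue or of Frida, that automates the "run it a few more times" step above: it runs a command repeatedly, captures stdout and stderr of every run, reports how many distinct outputs were seen (a deterministic program should give exactly one), and prints a diff for any run that deviates from the first. The `./frida.so` library and the `file` invocation at the bottom are the issue's own setup; the function names and the temporary-directory layout are assumptions of this example.

```shell
#!/bin/sh
# Run a command N times and look for non-deterministic output, the symptom
# reported above (garbled "magic files" message on some runs only).

# collect_runs <dir> <iterations> <command> [args...]
# Stores combined stdout+stderr of run i in <dir>/run.i
collect_runs() {
    dir="$1"; n="$2"; shift 2
    i=0
    while [ "$i" -lt "$n" ]; do
        # '|| true': file(1) exits non-zero without arguments, which must
        # not abort a caller running under 'set -e'.
        "$@" >"$dir/run.$i" 2>&1 || true
        i=$((i + 1))
    done
}

# run_and_count_distinct <iterations> <command> [args...]
# Prints the number of distinct outputs observed across the runs.
run_and_count_distinct() {
    n="$1"; shift
    tmpdir=$(mktemp -d) || return 1
    collect_runs "$tmpdir" "$n" "$@"
    # One checksum line per run; unique lines == distinct outputs.
    for f in "$tmpdir"/run.*; do cksum <"$f"; done | sort -u | wc -l | tr -d ' '
    rm -rf "$tmpdir"
}

# show_divergent_runs <iterations> <command> [args...]
# Prints a diff for every run whose output differs from run 0.
show_divergent_runs() {
    n="$1"; shift
    tmpdir=$(mktemp -d) || return 1
    collect_runs "$tmpdir" "$n" "$@"
    i=1
    while [ "$i" -lt "$n" ]; do
        if ! cmp -s "$tmpdir/run.0" "$tmpdir/run.$i"; then
            echo "run $i differs from run 0:"
            diff "$tmpdir/run.0" "$tmpdir/run.$i" || true
        fi
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
}

# Usage with the issue's setup (only runs when the PoC library is present).
if [ -f ./frida.so ]; then
    echo "distinct outputs over 20 runs: $(run_and_count_distinct 20 env LD_PRELOAD=./frida.so file)"
    show_divergent_runs 20 env LD_PRELOAD=./frida.so file
fi
```

Running the same loop without `LD_PRELOAD` gives the baseline (one distinct output); any count above one under instrumentation is a reproducible sign of the corruption, and the diffs show exactly which bytes of the message were altered.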
krzyw1x commented Nov 24, 2024

Might not be related to the root cause but it also crashes with efence:

```
> gdb file
(gdb) set environment LD_PRELOAD=/usr/lib/libefence.so.0.0:./frida.so
(gdb) r
Starting program: /usr/bin/file

  Electric Fence 2.2 Copyright (C) 1987-1999 Bruce Perens <[email protected]>

ElectricFence Aborting: free(7ffff72d2000): address not from malloc().
During startup program terminated with signal SIGILL, Illegal instruction.
```
