Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix code swap region permissions #1134

Merged
merged 2 commits into from
Jan 23, 2025
Merged

Fix code swap region permissions #1134

merged 2 commits into from
Jan 23, 2025

Conversation

kaftejiman
Copy link

@kaftejiman kaftejiman commented Jan 21, 2025
edited
Loading

I/O error began appearing after installing the latest ART update (version 351110190) on my Pixel 6 Android 12. The bootstrapper code was written into a non-writable region, causing the ptrace pokedata call to fail with an I/O error. My understanding of Frida internals is limited, so the breakdown below might be incomplete or off-target

At the start of the injection flow a comparison occurs between the remote and local libc here. Libc is delivered as part of the runtime APEX; since apexd can mount the APEX packages multiple times—each with a separate loop device—both system_server and Frida obtain their APEX mount through separate activation or bind-mount operations. This results in different loop devices (with distinct minor numbers), making the identity comparison (based on dev major+minor and inode) between local and remote libc fail.

As a consequence, the injection flow falls back to the code swap route here, where Frida tries to load the bootstrapper into an RX-mapped region. Prior to ART version 351110190, this route worked because Frida correctly matched the boot image segment loaded as RWX. After the update, the runtime behavior changed: the RWX region no longer exists, and the enumeration now selects the memfd:jit-zygote-cache region, which is not writable. Consequently, the ptrace call here fails with an I/O error.

This PR refines both the libc comparison and the permissions matching for the code swap region.

Debugged on:

  • Pixel 6
  • Android 12
  • Frida: 16.6.3
  • ART version: 351110190

@amor-riscure @oleavr
linux: Relax injector's libc matching for Android
e181785 
Due to how APEXes are bind-mounted.
@amor-riscure @oleavr
linux: Avoid risky code swaps with memfd regions
ffdfc52 
As they may not be writable, and unlike regular regions, ptrace() won't
help us in case of a missing writable bit.
@oleavr oleavr merged commit 72a9622 into frida:main Jan 23, 2025
@oleavr
Copy link
Member

oleavr commented Jan 23, 2025

Thanks a lot! 🙌

  • I made some minor style tweaks to your libc matching patch, mainly introducing variables to avoid the need for comments.
  • The suggested change to the code swap logic would require every such target to have at least one RWX region, which could be a bit much to ask and result in a regression. So I changed the logic there to skip memfd regions. For plain regions we don't need the W bit set, as ptrace() will help us out, but it appears it won't do that for memfd regions. Hopefully we won't have to add too many additional exceptions to this heuristic :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kaftejiman @oleavr @amor-riscure