Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

android: Handle correctly the CMC GC strategy #326

Merged
merged 2 commits into from
Jul 17, 2024
Merged

Conversation

matbrik
Copy link
Contributor

@matbrik matbrik commented Jul 16, 2024

Fixes #323.

The fix in #325 had 2 problems:

  • with the Google Play System Updates the base version of libart can differ from the Android version( i.e. Android 12 device with libart 34)
  • the function we were hooking in the MarkCompact GC was not stable enough causing crashes after some time. tombstone_01.txt

The proposed solution to the first point is to check if an exported symbol introduced in libart 34 is present.

The solution for the second problem is to hook the onEnter of art::Thread::RunFlipFunction

  • this function is called also during in the ConcurrentCopying GC and in my tests didn't cause troubles but to avoid compatibility problems with untested version I've reintroduced the check on the GC strategy;
  • the downside of hooking art::Thread::RunFlipFunction is that it is called several times (tens) every run of the GC but anyother place I've tried was causing crashes.

@oleavr
Copy link
Member

oleavr commented Jul 16, 2024

Thanks! 💥 Just applied some style tweaks and refactored a little bit. It would take me some time to be able to test this code though, so was wondering if you could take it for a quick spin? :)

@matbrik
Copy link
Contributor Author

matbrik commented Jul 17, 2024

I've tested on 3 devices and it looks like it is working fine

mbricchi added 2 commits July 17, 2024 22:00
Equivalent to the system version on Android 14.
- With Google Play System Updates the base version of libart may differ
  from the Android version. For example, an Android 12 system could be
  using libart equivalent to the system version on Android 14.
- The function we were hooking in the MarkCompact GC was not the right
  spot to update the class pointers, causing crashes after some time.

Fixes frida#323, for real this time.
@oleavr oleavr merged commit eb0fa83 into frida:main Jul 17, 2024
5 of 11 checks passed
@oleavr
Copy link
Member

oleavr commented Jul 17, 2024

Thanks! 🙌

@esauvisky
Copy link
Contributor

This fails in Android 15/SDK35 though:

Error: libart.so: unable to find export '_ZNK3art2gc4Heap15MayUseCollectorENS0_13CollectorTypeE'
    at Function.value [as getExportByName] (frida/runtime/core.js:250:1)
    at Ft (frida/node_modules/frida-java-bridge/lib/android.js:837:1)
    at Tt (frida/node_modules/frida-java-bridge/lib/android.js:762:1)
    at mn.replace (frida/node_modules/frida-java-bridge/lib/android.js:1331:1)
    at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:1189:1)
    at Function.set [as implementation] (frida/node_modules/frida-java-bridge/lib/class-factory.js:1103:1)
    at agent/utils.js:65:51
    at c.perform (frida/node_modules/frida-java-bridge/lib/vm.js:12:1)
    at _.perform (frida/node_modules/frida-java-bridge/index.js:205:1)

This is because MayUseCollector is no longer exported by libart. Furthermore, the previous strategy is still ineffective since none of the three methods below are exported either:

  • _ZN3art2gc9collector17ConcurrentCopying12CopyingPhaseEv
  • _ZN3art2gc9collector17ConcurrentCopying12MarkingPhaseEv
  • _ZN3art2gc9collector11MarkCompact15CompactionPhaseEv

The function RunFlipFunction is exported, but apparently they removed a parameter, so its signature has changed from _ZN3art6Thread15RunFlipFunctionEPS0_b to _ZN3art6Thread15RunFlipFunctionEPS0_.

@pig837
Copy link

pig837 commented Jul 26, 2024

Fixes #323.

The fix in #325 had 2 problems:

  • with the Google Play System Updates the base version of libart can differ from the Android version( i.e. Android 12 device with libart 34)
  • the function we were hooking in the MarkCompact GC was not stable enough causing crashes after some time. tombstone_01.txt

The proposed solution to the first point is to check if an exported symbol introduced in libart 34 is present.

The solution for the second problem is to hook the onEnter of art::Thread::RunFlipFunction

  • this function is called also during in the ConcurrentCopying GC and in my tests didn't cause troubles but to avoid compatibility problems with untested version I've reintroduced the check on the GC strategy;
  • the downside of hooking art::Thread::RunFlipFunction is that it is called several times (tens) every run of the GC but anyother place I've tried was causing crashes.

[Related Issues]

Thank you, you saved me!

Hooking art::Thread::RunFlipFunction function is work well for me.

  • Google Pixel 6 Pro + Android 14 (AP2A.240705.004, 2024.07) + KernelSU 1.0.0 (LKM Mode) + Frida 16.4.7

But, Frida 16.4.7 don't have the feature bypassing RunFlipFunction on Frida native support.
Hopefully a new version will be released that addresses this issue.

@NgoHuy
Copy link

NgoHuy commented Aug 15, 2024

the fix is incomplete and introduce new bug, I added some comments, I also create new pull to correct it (I didnot add #330 fix, it should be merged seperately)

NgoHuy pushed a commit to NgoHuy/frida-java-bridge that referenced this pull request Aug 15, 2024
When the fix is merged, it introduces new issue, exportName is never
null, it always attaches to null functions, then crash our server.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

SIGSEGV in artQuickGenericJniTrampoline while hooking java methods
5 participants