LSPosed/LSPlant

Crash on all 32bit Unisoc & JLQ Android Go devices

OfficialKatana opened this issue · 4 comments

Both the test cases and an app with the lsplant initializer crashed on startup.
e.g. POCO C40 / Nokia C2
Logs may look like these:

2023-06-16 20:32:56.884 10343-10365/? A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb22018a8 in tid 10365 (pool-2-thread-1), pid 10343 (com.whatsapp)
2023-06-16 20:32:56.946 10368-10368/? I/crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
2023-06-16 20:32:56.946 358-358/? I//system/bin/tombstoned: received crash request for pid 10365
2023-06-16 20:32:56.950 10368-10368/? I/crash_dump32: performing dump of process 10343 (target tid = 10365)
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Native Crash TIME: 75389841
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Build fingerprint: 'PSZ/alsgs8990_io09/alsgs8990_io09_go:9/PPR1.180610.011/372:user/release-keys'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Revision: '0'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: ABI: 'arm'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: pid: 10343, tid: 10365, name: pool-2-thread-1  >>> com.whatsapp <<<
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb22018a8
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r0  b22018a8  r1  4731a6b1  r2  9c20e2b2  r3  0000001a
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r4  9c225954  r5  9bd806f0  r6  0000001c  r7  9c20ea87
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r8  aa25d700  r9  9c225ac8  r10 aa25d700  r11 9c225b40
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     ip  b22018a8  sp  9bd7f498  lr  b2aedaa7  pc  9c21230c
2023-06-16 20:32:56.975 10368-10368/? A/DEBUG: backtrace:
2023-06-16 20:32:56.975 10368-10368/? A/DEBUG:     #00 pc 0000630c  /data/app/com.whatsapp-DIUPK6U6RRcSp-EVXuCxBA==/lib/arm/liblsplant.so (lsplant::v2::Init(_JNIEnv*, lsplant::v2::InitInfo const&)+3952)

It looks like Init is not being called on the main thread, which is not the correct usage; it should be called on the main thread. Also, I don't see JniOnLoad in the native call stack, so the crash may be caused by the Non-SDK API restriction not having been bypassed.

The probable cause was found: devices carrying UniSoc may be missing this function: _ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject
This may cause initialization to fail; searching for this function leads to a crash, maybe due to malformed functions on Android Go devices.
Changing the code below may fix it:

        if (sdk_int >= __ANDROID_API_P__) [[likely]] {
            if (!RETRIEVE_FUNC_SYMBOL(DexFile_setTrusted,
                                      "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject",
                                      true)) {
                return false;
            }
        }

to

        if (sdk_int >= __ANDROID_API_P__) [[likely]] {
            if (!RETRIEVE_FUNC_SYMBOL(DexFile_setTrusted,
                                      "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject",
                                      true)) {
                LOGE("Dex files trusting method not found?");
            }
        }

The actual cause may be the compiler's InstrProfSymtab pass, which may modify specific (libart) functions and cause bugs.
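To illustrate the distinction the fix relies on (a mandatory ART symbol aborts Init, an optional one is only logged) and the null-check every call site then needs, here is an added C++ sketch; it is not LSPlant's code or from the thread. The symbol table, RetrieveFuncSymbol, the Fake* functions and MANDATORY_SYMBOL_PLACEHOLDER are constructed stand-ins for dlsym over libart.so.

```cpp
#include <cstdio>
#include <map>
#include <string>
// Constructed stand-in for dlsym over libart.so: mangled name -> address.
using SymbolTable = std::map<std::string, void *>;

// Opaque JNI stand-ins; art::DexFile_setTrusted takes (JNIEnv*, jclass, jobject).
struct JniEnvStub; struct JclassStub; struct JobjectStub;
using DexFileSetTrustedFn = void (*)(JniEnvStub *, JclassStub *, JobjectStub *);

static void FakeSetTrusted(JniEnvStub *, JclassStub *, JobjectStub *) {}
static void FakeMandatory() {}
// A missing mandatory symbol fails the lookup; a missing optional one is only
// logged and the pointer stays null (the behaviour the thread's fix proposes).
template <typename Fn>
static bool RetrieveFuncSymbol(const SymbolTable &lib, Fn &out, const char *name, bool optional) {
    auto it = lib.find(name);
    out = (it == lib.end()) ? nullptr : reinterpret_cast<Fn>(it->second);
    if (out != nullptr) return true;
    std::fprintf(stderr, "%s symbol missing: %s\n", optional ? "optional" : "mandatory", name);
    return optional;
}
struct ArtSymbols {
    void (*mandatory_fn)() = nullptr;  // hypothetical symbol Init cannot run without
    DexFileSetTrustedFn DexFile_setTrusted = nullptr;
};

// Mirrors the Init logic after the fix: only a missing mandatory symbol aborts Init.
static bool Init(const SymbolTable &libart, ArtSymbols &syms) {
    if (!RetrieveFuncSymbol(libart, syms.mandatory_fn, "MANDATORY_SYMBOL_PLACEHOLDER", false))
        return false;
    RetrieveFuncSymbol(libart, syms.DexFile_setTrusted,
                       "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject", true);
    return true;
}
// Once the symbol is optional every call site must null-check it, otherwise the
// SIGSEGV simply moves from Init to the first use of the pointer.
static bool SetTrustedIfAvailable(const ArtSymbols &syms) {
    if (syms.DexFile_setTrusted == nullptr) return false;
    syms.DexFile_setTrusted(nullptr, nullptr, nullptr);
    return true;
}

// Constructed tables: a normal libart vs. one lacking DexFile_setTrusted.
static const SymbolTable kFullLibart = {
    {"MANDATORY_SYMBOL_PLACEHOLDER", reinterpret_cast<void *>(&FakeMandatory)},
    {"_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject", reinterpret_cast<void *>(&FakeSetTrusted)}};
static const SymbolTable kGoLibart = {
    {"MANDATORY_SYMBOL_PLACEHOLDER", reinterpret_cast<void *>(&FakeMandatory)}};
```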

Your fix is correct, since this function is not mandatory.

Can you provide libart.so?