STREX Rd cannot be Rt or Rn
czlee32 opened this issue · 6 comments
czlee32 commented
signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xe2601ca0
r0 00000000 r1 1513fb78 r2 e1263490 r3 e2601c81
r4 1513fb78 r5 ad593068 r6 ad593038 r7 0000000b
r8 00000000 r9 e1c9ba00 r10 e1263880 r11 b44d9acc
ip e3d8b6f0 sp ad593020 lr e126c540 pc e2601ca0
backtrace:
#00 pc **00000ca0** [anon:Pine CreateBridgeJumpTrampoline]
memory near r1 ([anon:dalvik-main space (region space)]):
1513fb50 00000000 00000000 00000000 00000000 ................
1513fb60 00000000 00000000 00000000 00000000 ................
1513fb70 00000000 00000000 6fc1e090 00000000 ...........o....
memory near r2 (/apex/com.android.art/lib/libart.so):
e1263470 d4d4d4d4 d4d4d4d4 d4d4d4d4 d4d4d4d4 ................
e1263480 00000000 00000000 00000000 0000d1e4 ................
e1263490 e24dca02 e59cc000 e92d4ff0 ed2d8a10 ..M......O-...-.
memory near r3 ([anon:Pine CreateBridgeJumpTrampoline]):
e2601c60 f8df466b f8df0010 bf00f010 c727c074 kF..........t.'.
e2601c70 e3ec9d40 d243baec e1263490 e152ec11 @.....C..4&...R.
e2601c80 c068f8df bf184560 f070f8df c060f8df ..h.`E....p...`.
e2601c90 0f00e85c bf182801 f04fbf20 bf080000 \....(.. .O.....
e2601ca0 0000e84c 2800bf08 f3bfd1f2 f8cc8f5f L......(...._...
e2601cb0 f8cc1004 f8cc2008 ed8c300c ed8c0b04 ..... ...0......
e2601cc0 ed8c1b06 ed8c2b08 ed8c3b0a ed8c4b0c .....+...;...K..
e2601cd0 ed8c5b0e ed8c6b10 f8df7b12 46621010 .[...k...{....bF
e2601ce0 f8df466b f8df0010 bf00f010 cd7e193c kF..........<.~.
e2601cf0 e3d8b6f0 d243babc e1263490 e1263490 ......C..4&..4&.
e2601d00 c068f8df bf184560 f070f8df c060f8df ..h.`E....p...`.
e2601d10 0f00e85c bf182801 f04fbf20 bf080000 \....(.. .O.....
e2601d20 0000e84c 2800bf08 f3bfd1f2 f8cc8f5f L......(...._...
e2601d30 f8cc1004 f8cc2008 ed8c300c ed8c0b04 ..... ...0......
e2601d40 ed8c1b06 ed8c2b08 ed8c3b0a ed8c4b0c .....+...;...K..
e2601d50 ed8c5b0e ed8c6b10 f8df7b12 46621010 .[...k...{....bF
memory near sp ([anon:stack_and_tls:2555]):
ad593000 6fd9a030 ad593068 ad593038 00001071 0..oh0Y.80Y.q...
ad593010 00000000 e1263880 b44d9acc e1267134 .....8&...M.4q&.
ad593020 c6dcfbfc 00000010 13a5c398 00000000 ................
ad593030 b44d9acc ad59309c 15342ba8 00000000 ..M..0Y..+4.....
ad593040 00000000 00000000 00000000 00000000 ................
ad593050 00000000 00000000 00000000 00000000 ................
ad593060 15342b98 1513fb78 15342ba8 00000000 .+4.x....+4.....
ad593070 00000020 15342b08 e7f8e4c9 00000000 ....+4.........
ad593080 00026964 00000000 00000001 00000002 di..............
ad593090 15342b98 1513fb78 15342b08 00000000 .+4.x....+4.....
ad5930a0 00000000 00000000 00000000 00000000 ................
ad5930b0 00000000 00000000 00000000 00000000 ................
ad5930c0 00000000 00000000 00000000 00000000 ................
ad5930d0 00000000 00000000 00000000 b44d9a88 ..............M.
ad5930e0 ad593124 ad593114 00002070 00000000 $1Y..1Y.p ......
ad5930f0 e1c9ba00 e1263880 b44d9d40 e126cf84 .....8&.@.M...&.
memory near pc ([anon:Pine CreateBridgeJumpTrampoline]):
e2601c80 c068f8df bf184560 f070f8df c060f8df ..h.`E....p...`.
e2601c90 0f00e85c bf182801 f04fbf20 bf080000 \....(.. .O.....
**e2601ca0 0000e84c 2800bf08 f3bfd1f2 f8cc8f5f L......(...._...**
e2601cb0 f8cc1004 f8cc2008 ed8c300c ed8c0b04 ..... ...0......
e2601cc0 ed8c1b06 ed8c2b08 ed8c3b0a ed8c4b0c .....+...;...K..
e2601cd0 ed8c5b0e ed8c6b10 f8df7b12 46621010 .[...k...{....bF
e2601ce0 f8df466b f8df0010 bf00f010 cd7e193c kF..........<.~.
e2601cf0 e3d8b6f0 d243babc e1263490 e1263490 ......C..4&..4&.
e2601d00 c068f8df bf184560 f070f8df c060f8df ..h.`E....p...`.
e2601d10 0f00e85c bf182801 f04fbf20 bf080000 \....(.. .O.....
e2601d20 0000e84c 2800bf08 f3bfd1f2 f8cc8f5f L......(...._...
e2601d30 f8cc1004 f8cc2008 ed8c300c ed8c0b04 ..... ...0......
e2601d40 ed8c1b06 ed8c2b08 ed8c3b0a ed8c4b0c .....+...;...K..
e2601d50 ed8c5b0e ed8c6b10 f8df7b12 46621010 .[...k...{....bF
e2601d60 f8df466b f8df0010 bf00f010 cd7e1c0c kF............~.
e2601d70 acda6f10 d243babc e1263490 e1263490 .o....C..4&..4&.
-------------------- objdump ---------------------------
00007c70 <pine_thumb_bridge_jump_trampoline>:
7c70: f8df c068 ldr.w ip, [pc, #104] ; 7cdc <pine_thumb_bridge_jump_trampoline_target_method>
7c74: 4560 cmp r0, ip
7c76: bf18 it ne
7c78: f8df f070 ldrne.w pc, [pc, #112] ; 7cec <pine_thumb_bridge_jump_trampoline_call_origin_entry>
7c7c: f8df c060 ldr.w ip, [pc, #96] ; 7ce0 <pine_thumb_bridge_jump_trampoline_extras>
00007c80 <acquire_lock>:
7c80: e85c 0f00 ldrex r0, [ip]
7c84: 2801 cmp r0, #1
7c86: bf18 it ne
7c88: bf20 wfene
7c8a: f04f 0000 mov.w r0, #0
7c8e: bf08 it eq
**7c90: e84c 0000 strexeq r0, r0, [ip]**
7c94: bf08 it eq
7c96: 2800 cmpeq r0, #0
7c98: d1f2 bne.n 7c80 <acquire_lock>
7c9a: f3bf 8f5f dmb sy
7c9e: f8cc 1004 str.w r1, [ip, #4]
7ca2: f8cc 2008 str.w r2, [ip, #8]
7ca6: f8cc 300c str.w r3, [ip, #12]
7caa: ed8c 0b04 vstr d0, [ip, #16]
7cae: ed8c 1b06 vstr d1, [ip, #24]
7cb2: ed8c 2b08 vstr d2, [ip, #32]
7cb6: ed8c 3b0a vstr d3, [ip, #40] ; 0x28
7cba: ed8c 4b0c vstr d4, [ip, #48] ; 0x30
7cbe: ed8c 5b0e vstr d5, [ip, #56] ; 0x38
7cc2: ed8c 6b10 vstr d6, [ip, #64] ; 0x40
7cc6: ed8c 7b12 vstr d7, [ip, #72] ; 0x48
7cca: f8df 1010 ldr.w r1, [pc, #16] ; 7cdc <pine_thumb_bridge_jump_trampoline_target_method>
7cce: 4662 mov r2, ip
7cd0: 466b mov r3, sp
7cd2: f8df 0010 ldr.w r0, [pc, #16] ; 7ce4 <pine_thumb_bridge_jump_trampoline_bridge_method>
7cd6: f8df f010 ldr.w pc, [pc, #16] ; 7ce8 <pine_thumb_bridge_jump_trampoline_bridge_entry>
7cda: bf00 nop
00007cdc <pine_thumb_bridge_jump_trampoline_target_method>:
7cdc: 00000000 .word 0x00000000
00007ce0 <pine_thumb_bridge_jump_trampoline_extras>:
7ce0: 00000000 .word 0x00000000
00007ce4 <pine_thumb_bridge_jump_trampoline_bridge_method>:
7ce4: 00000000 .word 0x00000000
00007ce8 <pine_thumb_bridge_jump_trampoline_bridge_entry>:
7ce8: 00000000 .word 0x00000000
00007cec <pine_thumb_bridge_jump_trampoline_call_origin_entry>:
7cec: 00000000 .word 0x00000000
canyie commented
Upload full logcat?
czlee32 commented
logcat 不太方便发出来,strexeq r0, r0, [ip] 还有别的写法吗,
我这s23上 hook 了一个静态函数,但是 s21 没问题,都是 android 13,多跑了几次就报 ILL_ILLOPC,看上边的日志是不是这行报错的?
canyie commented
也就是说,第一次跑没问题?那我怀疑不是 strexeq 的问题,是这里的内存被不知道谁改掉了。你确定崩溃的时候这里还是 strexeq 指令?我倾向于野指针破坏了这里的内存
czlee32 commented
canyie commented
我不确定,那段汇编我基本上是写下来就没管过,应该有三年了,调用约定全忘光了……
刚刚翻了一下 art 源码,R4 寄存器在 art 上在调用 jni 方法时被用了存储 “locking register” 和 “hidden argument” ,可能需要测试执行 synchonized 的 jni 方法时触发 SIGQUIT 信号产生 ANR dump 时会不会有问题
我其实觉得 r4 能用就没道理 r0 不能用,而且执行几次后才崩溃不像典型的非法指令,我怀疑可能是指令缓存之类的有问题
公司有一台 Pixel 4 XL 刷了 android 13,有空我去试一下
canyie commented
能提供一下 hook 的是哪个方法吗,我这里没有复现出来