A question about gum_memory_allocate_near and GumAddressSpec
X1aoR0 opened this issue · 1 comment
When I try to use Stalker to trace JNI code, I found that a memory access error is always reported. After debugging many times, I found out that the reason is that gum_code_slab_new called gum_memory_allocate_near and got address 0. Afterwards, initializing the slab at address 0 triggered a memory access exception.
I added some print statements in gum_memory_allocate_near and found that it uses mmap internally to allocate memory, but it then calls gum_address_spec_is_satisfied_by to verify whether the allocated memory is within a 0x7fffffff offset. I noticed this feature was added in 14.2.14. I don't know what the meaning of this restriction is.
And the problem is that if the original address (spec->near_address) has already been allocated, mmap cannot guarantee that the allocated memory meets the condition. And in my scenario, I found that the subsequent gum_enumerate_free_ranges also could not get suitable memory, so address 0 was returned.
Later, I deleted the part about the address spec and found that the code still runs normally, so I want to know what the purpose of checking the 0x7fffffff offset is, and what the impact of deleting it will be.
I have the same issue on android-arm64, and I also fixed it by removing the spec distance. Maybe this quick fix is wrong according to the following comment in gumstalker-arm64.c / gum_exec_ctx_compute_code_address_spec:
Code must be able to reference ExecCtx fields using 32-bit offsets.
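The distance check both comments refer to, as an added illustration rather than Frida's own code: AddressSpec, spec_is_satisfied_by and allocate_near are hypothetical names standing in for GumAddressSpec, gum_address_spec_is_satisfied_by and gum_memory_allocate_near, and the candidate addresses are constructed. It shows why 0x7fffffff is the bound (every satisfying block is within a signed 32-bit displacement of near_address) and why a 0 result must be treated as allocation failure rather than initialized as a slab.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for GumAddressSpec (constructed for this example):
 * an anchor address and the furthest a new block may lie from it. With
 * max_distance = 0x7fffffff (INT32_MAX) every satisfying address is reachable
 * from near_address in either direction via a signed 32-bit displacement. */
typedef struct {
  uintptr_t near_address;
  uintptr_t max_distance;
} AddressSpec;

/* Same idea as gum_address_spec_is_satisfied_by: |address - near| <= max.
 * Unsigned arithmetic, so a far-away block cannot wrap into a false "ok". */
bool spec_is_satisfied_by(const AddressSpec *spec, uintptr_t address)
{
  uintptr_t distance;

  if (spec == NULL)
    return true;
  distance = (address >= spec->near_address)
                 ? address - spec->near_address
                 : spec->near_address - address;
  return distance <= spec->max_distance;
}

/* Models the allocator path from the issue: walk candidate blocks (constructed
 * by the caller here; mmap results and free-range hits in the real code) and
 * return the first one within reach. Returns 0 when none qualifies, which is
 * the value the reporter saw being handed to the slab initializer. */
uintptr_t allocate_near(const AddressSpec *spec, const uintptr_t *candidates,
                        size_t count)
{
  for (size_t i = 0; i < count; i++) {
    if (candidates[i] != 0 && spec_is_satisfied_by(spec, candidates[i]))
      return candidates[i];
  }
  return 0;
}

int main(void)
{
  const AddressSpec spec = { 0x7f0000000000ULL, 0x7fffffffULL };
  const uintptr_t near[] = { 0x7e0000000000ULL, 0x7f0000100000ULL };
  const uintptr_t far[]  = { 0x7e0000000000ULL, 0x7f8000000000ULL };

  printf("reachable block: %#lx\n", (unsigned long) allocate_near(&spec, near, 2));
  printf("no reachable block: %#lx\n", (unsigned long) allocate_near(&spec, far, 2));
  return 0;
}
```

A caller that receives 0 here must fail the allocation; writing the slab header through that pointer is exactly the access fault the reporter describes.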