frida/frida-gum

A question about gum_memory_allocate_near and GumAddressSpec

X1aoR0 opened this issue · 1 comments

When I try to use stalker to trace JNI code, I found that a memory access error is always reported. After debugging many times, I found out that the reason is that gum_code_slab_new called gum_memory_allocate_near and then got an address 0. Afterwards, initializing the slab at address 0 triggered a memory access exception.
I added some print information in gum_memory_allocate_near and found that it uses mmap internally to allocate memory, but it will call gum_address_spec_is_satisfied_by to verify whether the allocated memory is within 0x7fffffff offset. I noticed this feature was added in 14.2.14. I don't know what is the meaning of this restriction.
And the problem is that if the original address(spec->near_address) has been allocated, mmap cannot guarantee that the allocated memory can meet the conditions. And in my scenario, I found that the subsequent gum_enumerate_free_ranges could not also get the appropriate memory, so the address 0 was returned.
Later, I deleted the part about address spec, and found that the code can still run normally, so I want to know what is the function of checking the offset of 0x7fffffff, and what will be the impact after deletion

I have the same issue on android-arm64 and I also fixed it by removing the spec distance. Maybe this quick fix is wrong according to the following comment in gumstalker-arm64.c / gum_exec_ctx_compute_code_address_spec :

Code must be able to reference ExecCtx fields using 32-bit offsets.