Returning a released pointer from RangeDetails::with_address

Question

Returning a released pointer from RangeDetails::with_address

mkravchik opened this issue 8 months ago · 6 comments

Hi,
I consistently encountered this in the code I'm debugging. There is a call to RangeDetails::with_address. The returned value is complete nonsense.
When I debug it, I can see that when the save_range_details_by_address is called, it is passed a pointer to a details struct with correct data. However when we get back to with_address, the pointer points to garbage. I can only assume that the native Gum has freed this object and don't see anything preventing it from doing so.

pub fn with_address(address: u64) -> Option<RangeDetails<'a>> {
    let mut context = SaveRangeDetailsByAddressContext {
        address,
        details: core::ptr::null_mut(),
    };
    unsafe {
        gum_sys::gum_process_enumerate_ranges(
            gum_sys::_GumPageProtection_GUM_PAGE_NO_ACCESS as u32,
            Some(save_range_details_by_address),
            &mut context as *mut _ as *mut c_void,
        );
    }

    if !context.details.is_null() {
        Some(RangeDetails::from_raw(context.details))
    } else {
        None
    }
}

Answer 1 · 2024-01-04T06:40:09.000Z

Nice catch!

The upstream code is (for linux) https://github.com/frida/frida-gum/blob/a50dae75a25cb7fe95ed09883527dbd6777f28be/gum/backend-linux/gumprocess-linux.c#L1398.

I will attempt a fix now.

Answer 2 · 2024-01-04T07:08:52.000Z

@mkravchik can you try this fix and confirm it is working?

Answer 3 · 2024-01-04T07:09:50.000Z

Oh wait. I'm dumb... This doesn't fix at all...

Answer 4 · 2024-01-04T07:21:25.000Z

Ok. Try now

Answer 5 · 2024-01-07T10:25:14.000Z

I tried it, and it looks good. In the meantime (until the version is out) I've found the following workaround useful:

/// Get the start and end of the memory region containing the given address
/// Uses RangeDetails::enumerate_with_prot as RangeDetails::with_address seems to have a bug
/// Returns (start, end)
fn range_for_address(address: usize) -> (usize, usize) {
    let mut start = 0; 
    let mut end = 0; 
    RangeDetails::enumerate_with_prot(PageProtection::NoAccess, &mut |range: &RangeDetails| {
        let range_start = range.memory_range().base_address().0 as usize;
        let range_end = range_start + range.memory_range().size();
        if range_start <= address && range_end >= address {
            start = range_start;
            end = range_end;
            // I want to stop iteration here
            return false;
        }
        true
    });

    if start == 0 {
        log::error!("range_for_address: no range found for address {:#x}", address);
    }
    (start, end)
}

Answer 6 · 2024-01-07T11:02:02.000Z

I'll wait till the next frida version to release.