rwx size is too small to hold 56 bytes backup instructions

[axnsan12]

When trying to hook some system functions (e.g. fork, execve), I see an error in logcat that reads rwx size is too small to hold 56 bytes backup instructions, and hooking fails. Looking at https://github.com/rrrfff/And64InlineHook/blob/master/And64InlineHook.cpp the hook trampoline size seems to be limited to 50 bytes, hence the error.

Call site looks like so:

#include <jni.h>
#include <unistd.h>
#include <sys/types.h>
#include "AndHook.h"

#define AKLog(...) __android_log_print(ANDROID_LOG_INFO, "AndHook", __VA_ARGS__)

static decltype(fork) *sys_fork;

pid_t __unused hook_fork() {
    AKLog("fork called");
    pid_t child_pid = sys_fork();
    if (child_pid != 0) {
        AKLog("fork child pid: %d, parent pid: %d", static_cast<int>(child_pid), static_cast<int>(getpid()));
    }
    return child_pid;
}

extern "C" JNIEXPORT jint JNICALL __unused JNI_OnLoad(JavaVM *vm, void __unused *reserved) {
    JNIEnv *env;
    if (vm->GetEnv(reinterpret_cast<void **>(&env), JNI_VERSION_1_6) != JNI_OK) {
        return JNI_EVERSION;
    }

    AKHookFunction(fork, hook_fork, &sys_fork);
    return JNI_VERSION_1_6;
}

My system is a OnePlus 3 running OxygenOS - Android 8.0.0, arm64-v8a.

I seem to have gotten it working by copying the A64HookFunction as a wrapper around theAKHookFunctionV exported from the .so files here, and increasing the trampoline size to 70 from 50.

Attached is libc.so pulled from my device:
libc.so.zip

[Rprop]

Yes, it may require more room if there are too many pc-relative instructions (e.g, mixed adr/adrp) that need to be relocated and aligned.
I will fix it as soon as possible, thanks.

[axnsan12]

Update: same device, more functions

03-30 18:41:09.062 30170 30170 I AndHook : hooking execv
03-30 18:41:09.062 30170 30170 E AndHook : rwx size is too small to hold 80 bytes backup instructions!
03-30 18:41:09.062 30170 30170 I AndHook : hooking execve
03-30 18:41:09.062 30170 30170 E AndHook : rwx size is too small to hold 88 bytes backup instructions!

[axnsan12]

After inspecting the attached libc.so, it seems that the functions I'm trying to hook are just thin wrappers around syscalls/other functions:

So I am guessing the errors are caused by AndHook stepping on itself since it has no room to write its hooking code for each function.

I'm really not sure what can be done here...

[Rprop]

Hi, @axnsan12, I have just released the v3.5.0, could you have a try?

[axnsan12]

Hello and thanks a lot! Will have a look in a day or two 😄

[axnsan12]

So I tried it, and I have both good and bad news.

Good news is the original error doesn't happen any more and I can hook adjacent functions without crashing the program when they're called! Yay! 😄

Bad news is that I now sometimes see crashes when calling the original function. For example, if I hook only execve, and then call

if (fork() == 0) {
    system("ps");
}

I can actually see my hook function being executed, and log its arguments:

execve: /sbin/ps ps PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/system/framework/WfdCommon.jar:/system/framework/oem-services.jar:/system/framework/qcom.fmradio.jar:/system/framework/qcnvitems.jar:/system/framework/qcrilhook.jar:/system/framework/com.qti.snapdragon.sdk.display.jar SYSTEMSERVERCLASSPATH=/system/framework/services.jar:/system/framework/ethernet-service.jar:/system/framework/wifi-service.jar ANDROID_SOCKET_zygote=9 CLASSPATH=/system/framework/XposedBridge.jar

However as soon as I try to execute the original function, the process crashes:

04-03 15:42:32.220 2902-2902/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-03 15:42:32.220 2902-2902/? A/DEBUG: Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:8.0.0/OPR6.170623.013/01202200:user/release-keys'
04-03 15:42:32.220 2902-2902/? A/DEBUG: Revision: '0'
04-03 15:42:32.220 2902-2902/? A/DEBUG: ABI: 'arm64'
04-03 15:42:32.220 2902-2902/? A/DEBUG: pid: 2896, tid: 2896, name: <package.name>  >>> <package.name> <<<
04-03 15:42:32.220 2902-2902/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7c9b3e7000
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x0   0000007cbc02ec47  x1   0000007fceab0a30  x2   0000007cba834e30  x3   0000000000000019
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x4   0000000000000086  x5   0000000000000000  x6   0000000000000000  x7   0000000000800000
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x8   0000007c9b7421b8  x9   b4adc4862297e4b0  x10  0000000000000086  x11  0000000000000000
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x12  0000000000000000  x13  0000007fceab0340  x14  0000007fceab03c8  x15  0000d7a959be9ea9
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x16  0000007cbc057cb0  x17  0000007cbbff5f2c  x18  0000000000000020  x19  0000000000000000
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x20  0000007cba5fac00  x21  0000007cba8bfa00  x22  0000007fceab1038  x23  0000007c9ce36915
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x24  0000000000000004  x25  0000007cba8bfa98  x26  0000007c9c83c0e0  x27  0000000070236658
04-03 15:42:32.220 2902-2902/? A/DEBUG:     x28  0000000000000001  x29  0000007fceab0a10  x30  0000007c9b69d94c
04-03 15:42:32.220 2902-2902/? A/DEBUG:     sp   0000007fceab09f0  pc   0000007c9b3e7000  pstate 0000000060000000
04-03 15:42:32.222 2902-2902/? A/DEBUG: backtrace:
04-03 15:42:32.222 2902-2902/? A/DEBUG:     #00 pc 00000000007ee000  anon_inode:dmabuf
04-03 15:42:32.222 2902-2902/? A/DEBUG:     #01 pc 0000000000016948  /data/data/<package.name>/cache/lib/myjnilib.so (deleted)
04-03 15:42:32.222 2902-2902/? A/DEBUG:     #02 pc 0000000000000ac4  /system/lib64/libc.so (offset 0x64000)

The same test worked on the previous version.

[Rprop]

Thanks for Your Feedback!
That is, it crashes at calling the original execve randomly? What about doing this in the parent process? If there is something wrong with instruction relocation, it should crash every time.

[axnsan12]

It crashes only for execve (out of the functions I tried hooking), every time.

For example, here is a sample program where I hooked fork, vfork, system and execve.

    system("pwd");
    if (fork() == 0) {
        AKLog("child");
        char *argv[] = {NULL};
        execv("su", argv);
        AKLog("exec failed... %d", errno);
        exit(1);
    }
    else {
        AKLog("parent");
        char *argv[] = {NULL};
        execv("lsof", argv);
        AKLog("exec failed... %d", errno);
        exit(1);
    }

You can see that the fork and system hooks sucesfully call their original functions, while execve crashes in every situation. I also tried making the execve hook into a no-op that just calls the original function, to make sure it is not my code that segfaults. Removing all hooks except execve also does not fix the issue.

The same code with the same hooks executes sucesfully with the old version of the library.

Here is the log, annotated with my comments on the right

04-03 19:56:22.865 18201-18201/[package.name] I/AndHook: system: pwd<--------- hook of system() prints its arguments
04-03 19:56:22.865 18201-18201/[package.name] I/AndHook: vfork called - calling fork() instead    <-------------- I hooked vfork() to call fork instead - without this, everything crashes and burns because of vfork's weird address space sharing
04-03 19:56:22.874 18201-18201/[package.name] I/AndHook: fork child pid: 18608, parent pid: 18201 <--------- system() calls fork => child 18608
04-03 19:56:22.888 18608-18608/? I/AndHook: execve: /system/bin/sh sh -c pwd PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/tel           <----------------------- system() cals execve() in child; execve() hook in logs its arguments
04-03 19:56:22.888 18608-18608/? I/AndHook: file open w: /data/user/0/[package.name]/execve-18608-0
04-03 19:56:22.892 18608-18608/? A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18608 ([package.name])        <------------ child 18608 started by system() crashes
04-03 19:56:22.938 464-464/? W/auditd: type=1400 "crash_dump64""[package.name]""dm-0"
04-03 19:56:22.971 18612-18612/? A/DEBUG: pid: 18608, tid: 18608, name: [package.name]  >>> [package.name] <<<
04-03 19:56:22.973 18612-18612/? A/DEBUG:     #01 pc 0000000000016714  /data/data/[package.name]/cache/lib/myjnilib.so (deleted)
04-03 19:56:23.265 18201-18201/[package.name] I/AndHook: fork called 
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: fork child pid: 18613, parent pid: 18201  <-------- fork() called in parent => child 18613
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: parent       <------ parent branch executes execv("lsof")
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: execve: lsof PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/syst           <---------------- execv() calls execve(), execve() hook prints arguments
04-03 19:56:23.274 18201-18201/[package.name] I/AndHook: file open w: /data/user/0/[package.name]/execve-18201-0
04-03 19:56:23.275 18201-18201/[package.name] A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18201 ([package.name])      <--------- parent process crashes
04-03 19:56:23.295 18613-18613/? I/AndHook: child   <-------- child branch of fork, calls execv("su")
04-03 19:56:23.295 18613-18613/? I/AndHook: execve: su PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin DOWNLOAD_CACHE=/data/cache ANDROID_BOOTLOGO=1 ANDROID_ROOT=/system ANDROID_ASSETS=/system/app ANDROID_DATA=/data ANDROID_STORAGE=/storage EXTERNAL_STORAGE=/sdcard ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/QPerformance.jar:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/oneplus_sdk_utils.jar:/system/framework/oneplus_sdk_wrapper.jar:/system/framework/tcmiface.jar:/system/framework/telephony-ext.jar:/system          <--------------- execve() hook in child logs
04-03 19:56:23.295 18613-18613/? I/AndHook: file open w: /data/user/0/[package.name]/execve-18613-0
04-03 19:56:23.296 18613-18613/? A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c9b3e7000 in tid 18613 ([package.name])     <------- child 18613 crashes

[Rprop]

It seems that the crash happened only with Android 8.0 and was caused simply by a misspelling, sorry for the inconvenience.
Please have a try with andhook-lib-3.5.0-r1.zip, thanks!

[axnsan12]

Yep, seems to be working now!

And thank YOU, you're doing this for free 😄

[Rprop]

Well I'm pleased to hear that😄. Close it.