
shadowhook v1.0.8

Released by @caikelun on 11 Oct 12:42 (3 commits to main since this release)
Tag: v1.0.8, commit b2537df

Announcements

1. Compatible with Android 14 (API level 34).

Bugs fixed

1. Fixed an occasional SIGILL crash caused by arm64 BTI.

In previous versions, if the system supported arm64 BTI (Branch Target Identification) and the hooked ELF was compiled with BTI instructions, hooking a function had roughly a 1/1024 chance of crashing. The crash is not random: it happens only when the 1st and 2nd instructions (or the 4th and 5th instructions) at the head of the hooked function lie on two different memory pages, which, with 4-byte A64 instructions and 4 KiB pages, is one function start address in 1024.
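The trigger condition above is a property of the hook target's address alone, so it can be checked before hooking. The following is an added example, not shadowhook's code: it reports which instruction pair of a function head straddles a page boundary, flags exactly the two pairs named in the note, and counts how many 4-byte-aligned start addresses within a page hit a given pair, which reproduces the 1/1024 figure for 4 KiB pages and generalises to 16 KiB pages (1/4096). The head length of 5 instructions is an assumption taken from the note, not shadowhook's constant.

```c
#include <stddef.h>
#include <stdint.h>

/* Returns the 1-based index i of the first instruction such that instruction i
 * and instruction i+1 of the function head lie on different pages, or 0 if none
 * of the first n_insns A64 instructions (4 bytes each) straddle a page boundary.
 * page_size must be a power of two. */
int head_straddle_index(uintptr_t fn, unsigned n_insns, size_t page_size) {
    for (unsigned i = 1; i < n_insns; i++) {
        uintptr_t next = fn + 4u * i;            /* address of instruction i+1 */
        if ((next & (page_size - 1)) == 0)       /* instruction i+1 starts a new page */
            return (int)i;
    }
    return 0;
}

/* The exact condition from the release note: the 1st/2nd pair or the 4th/5th
 * pair of the hooked function's head crosses a page. A 5-instruction head is
 * assumed here. Returns 1 if the old version would have been at risk. */
int bti_crash_condition(uintptr_t fn, size_t page_size) {
    int idx = head_straddle_index(fn, 5, page_size);
    return idx == 1 || idx == 4;
}

/* Fraction of 4-byte-aligned function start addresses within one page for which
 * instruction pair_index and pair_index+1 straddle a page: exactly one start
 * address out of page_size/4 slots, i.e. 1/1024 for 4 KiB pages. */
double straddle_probability(size_t page_size, unsigned pair_index) {
    unsigned long slots = page_size / 4, hits = 0;
    for (unsigned long s = 0; s < slots; s++)
        if (head_straddle_index(s * 4, pair_index + 1, page_size) == (int)pair_index)
            hits++;
    return (double)hits / (double)slots;
}
```

Run it over the symbol addresses of the ELF you intend to hook (page size from sysconf(_SC_PAGESIZE)) to find the handful of targets that the old version would have patched across a page boundary.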

2. Fixed a bug that caused the arm64 MTE mechanism to stop working.

shadowhook's crash protection mechanism registers signal handlers for SIGSEGV and SIGBUS, but previous versions did not set SA_EXPOSE_TAGBITS in sa_flags. Without that flag the kernel clears the MTE tag bits from the faulting address in si_addr before delivering the signal. Because shadowhook's handler runs before ART's sigchain handlers, the tag bits were already gone by the time the signal reached them, and the MTE mechanism failed as a result.
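The following is an added example of how a crash-protection handler of this kind is registered so that it does not strip the tag bits, not shadowhook's own code: it installs SIGSEGV/SIGBUS handlers with SA_EXPOSE_TAGBITS, hands any fault it does not claim to the previously installed handler with the siginfo untouched (so a downstream handler still sees the tag), extracts the tag from si_addr, and probes with SA_UNSUPPORTED whether the running kernel honours SA_EXPOSE_TAGBITS (the probe procedure from the kernel's MTE documentation). The guarded-read helper and the thread-local "guard active" flag are an assumed design for demonstrating the handler; the flag values are the Linux UAPI constants. The flag has no effect on non-arm64 hosts, but the chaining and the guard work anywhere on Linux.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Linux >= 5.11 defines both flags in <asm-generic/signal-defs.h>; older libc
 * headers may not, so fall back to the UAPI values. */
#ifndef SA_EXPOSE_TAGBITS
#define SA_EXPOSE_TAGBITS 0x00000800
#endif
#ifndef SA_UNSUPPORTED
#define SA_UNSUPPORTED 0x00000400
#endif

/* Previous dispositions, so faults we do not claim are chained unchanged. */
static struct sigaction g_prev_segv, g_prev_bus;

/* Assumed design: per-thread "inside a guarded access" state. */
static __thread sigjmp_buf g_guard_env;
static __thread volatile int g_guard_active;

/* The MTE allocation tag lives in address bits 59:56. Without SA_EXPOSE_TAGBITS
 * the kernel clears them before filling si_addr, which is what the old version lost. */
unsigned mte_tag_of(const void *addr) {
    return (unsigned)(((uintptr_t)addr >> 56) & 0xfu);
}

static void chain_to_prev(const struct sigaction *prev, int sig, siginfo_t *si, void *ctx) {
    if (prev->sa_flags & SA_SIGINFO) {
        prev->sa_sigaction(sig, si, ctx);   /* siginfo passed through intact, tag bits included */
    } else if (prev->sa_handler == SIG_DFL) {
        sigaction(sig, prev, NULL);         /* restore default; the fault re-executes and kills the process */
    } else if (prev->sa_handler != SIG_IGN) {
        prev->sa_handler(sig);
    }
}

static void guard_handler(int sig, siginfo_t *si, void *ctx) {
    if (g_guard_active) {
        g_guard_active = 0;
        siglongjmp(g_guard_env, 1);         /* back into guarded_read(), which returns -1 */
    }
    chain_to_prev(sig == SIGBUS ? &g_prev_bus : &g_prev_segv, sig, si, ctx);
}

/* Install the guard for SIGSEGV and SIGBUS. Returns 0 on success, -1 on error. */
int install_crash_guard(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = guard_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK | SA_NODEFER | SA_EXPOSE_TAGBITS;
    if (sigaction(SIGSEGV, &sa, &g_prev_segv) != 0) return -1;
    if (sigaction(SIGBUS, &sa, &g_prev_bus) != 0) return -1;
    return 0;
}

/* Kernel-documented probe: set SA_UNSUPPORTED together with SA_EXPOSE_TAGBITS;
 * a kernel that validates sa_flags (5.11+) clears SA_UNSUPPORTED when the action
 * is read back, an older kernel stores it verbatim. Returns 1 if tag bits will
 * be exposed, 0 if not, -1 on error. The original disposition is restored. */
int kernel_exposes_tagbits(void) {
    struct sigaction saved, probe, back;
    if (sigaction(SIGSEGV, NULL, &saved) != 0) return -1;
    probe = saved;
    probe.sa_flags |= SA_EXPOSE_TAGBITS | SA_UNSUPPORTED;
    if (sigaction(SIGSEGV, &probe, NULL) != 0) return -1;
    if (sigaction(SIGSEGV, &saved, &back) != 0) return -1;
    return (back.sa_flags & SA_UNSUPPORTED) ? 0 : 1;
}

/* Read one byte through a possibly invalid pointer under the guard. Returns 0
 * and stores the byte, or -1 if the access faulted and the guard caught it. */
int guarded_read(const void *p, uint8_t *out) {
    if (sigsetjmp(g_guard_env, 1) != 0)
        return -1;                          /* arrived here from guard_handler */
    g_guard_active = 1;
    *out = *(const volatile uint8_t *)p;
    g_guard_active = 0;
    return 0;
}
```

The important detail for the MTE fix is that the chained call passes the original siginfo_t pointer through unchanged: a handler that re-raises with its own siginfo, or that was registered without SA_EXPOSE_TAGBITS, is the point at which the tag is lost for everything downstream.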

Improvements

1. Reduced the signal stack memory used by the crash protection mechanism.

In previous versions, shadowhook's signal handler consumed some signal stack memory (64 bytes on arm32 and 128 bytes on arm64). After this optimization it consumes none.

Because the signal stack on Android is very limited (roughly 8 KB to 32 KB per thread, depending on the Android version and CPU architecture), any additional use of it noticeably increases the risk of a signal stack overflow.
