Race condition between hooking function and setting up hook #12

Open
yifanlu opened this Issue Nov 6, 2016 · 1 comment

@yifanlu
Owner

yifanlu commented Nov 6, 2016

Right now, if a function is called in the middle of the hook being installed, this series of events could be possible:

  1. substitute_hook_functions is called
  2. Function is written to, old pointer is saved
  3. taiHEN sets the old pointer into the tai_hook_t object stored in user address space.
  4. Call returns to user with a reference to the tai_hook_t

It is possible, between 2 and 4 that the function is called. In that case, it jumps to the user function, which tries to call TAI_CONTINUE with an uninitialized reference.

There are a couple of possible solutions:

  • We initialize the user reference to NULL before 1, then we modify TAI_CONTINUE to not dereference the hook if NULL and return error. The problem with this is that we cannot call the original function and this may break whatever code depends on it.
  • We set the hook reference early (before returning from the hook call). This doesn't work for user hooks though.
  • We can halt all threads while the hook process is happening. This is what substitute does on iOS. Not sure if we want this for performance reasons.

@yifanlu yifanlu added the bug label Nov 7, 2016


Owner

yifanlu commented Nov 7, 2016

For now a workaround for the user is to set the hook reference to 0 before calling taihen and in the hook function only call TAI_CONTINUE if the reference is non-zero. Not a perfect solution but should prevent crashes.
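The race described in the issue and the guarded-reference workaround from this comment, as an added illustration that is not taiHEN's own code. The mock framework below (`mock_hook_t`, `MOCK_CONTINUE`, `install_hook`, all hypothetical names) stands in for `tai_hook_t` and `TAI_CONTINUE`; it reproduces steps 2 through 4 and lets a call land in the window between them, where the zero check keeps the user hook from dereferencing an unpublished reference.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed mock of a hook framework's bookkeeping; stands in for taiHEN's
 * tai_hook_t and is not taiHEN's own code. */
typedef int (*target_fn)(int);
typedef struct {
    target_fn old;          /* original function, saved when the patch is applied */
} mock_hook_t;

/* The function being hooked. */
static int original_add_one(int x) { return x + 1; }

/* Stands in for the patched call site: whatever callers reach when they call the target. */
static target_fn g_call_site = original_add_one;

/* User-side hook reference. Workaround: the user zeroes it before calling the framework. */
static mock_hook_t *g_hook_ref = NULL;

/* Stands in for TAI_CONTINUE: call the original through the hook object. */
#define MOCK_CONTINUE(ref, arg) ((ref)->old(arg))

/* User hook written in the guarded style from the workaround. */
static int my_hook(int x) {
    if (g_hook_ref != NULL)
        return MOCK_CONTINUE(g_hook_ref, x) * 2;     /* normal path: original result doubled */
    /* Race window: patch applied, reference not yet published. Return a failure
     * value instead of dereferencing an uninitialised reference. */
    return -1;
}

/* Mock installer reproducing steps 2-4 from the issue. If a call lands in the
 * window between steps 2 and 4, *during_window receives what that caller saw. */
static mock_hook_t g_hook_storage;
static void install_hook(int simulate_race, int *during_window) {
    g_hook_ref = NULL;                          /* user clears the reference first */
    g_hook_storage.old = g_call_site;           /* step 2: save the old pointer ... */
    g_call_site = my_hook;                      /* ... and patch the function */
    if (simulate_race)                          /* a call arrives before step 3/4 */
        *during_window = g_call_site(5);
    g_hook_ref = &g_hook_storage;               /* step 3/4: reference reaches the user */
}

/* Call the (possibly hooked) target the way ordinary code would. */
static int call_target(int x) { return g_call_site(x); }

/* Reset to the unhooked state so the scenario can be re-run. */
static void uninstall_hook(void) {
    g_call_site = original_add_one;
    g_hook_ref = NULL;
}

int main(void) {
    int seen = 0;
    install_hook(1, &seen);
    printf("call in race window returned %d (guard hit, no crash)\n", seen);
    printf("call after install returned %d\n", call_target(5));
    uninstall_hook();
    return 0;
}
```

The guard trades a crash for a wrong answer during the window (the caller gets -1 instead of the original's result), which is exactly the limitation the first bullet in the issue points out: the original function cannot be reached until the reference is published.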