CRASH in running ARM Android Youtube APK
Created by: sudakshina-das-arm
Hi
I am using a Nexus 7 with Android version 6.0.1 to run DynamoRIO without any client with different APKs using a wrapper script. This works fine with APKs like Calculator, Calendar, Clock, etc., but with other apps like YouTube, Facebook, or even game apps like Fruit Ninja or Ballz, I get a DynamoRIO internal crash.
I am using drrun version 6.2.17301 -- build 0
I used https://github.com/DynamoRIO/dynamorio/wiki/How-To-Build#cross-compiling-for-arm-android to download and build it. My wrap.sh is
```sh
#!/system/bin/sh
export TMPDIR=/data/data/com.google.android.youtube
exec /data/local/tmp/fresh-build/bin32/drrun -- $*
```
This is a snippet of the logcat when I tried with YouTube. [logcat -v time | grep wrap]
06-05 11:28:39.293 I/logwrapper( 9055): type=1400 audit(0.0:43): avc: denied { execute } for name="wrap.sh" dev="mmcblk0p30" ino=228085 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-05 11:28:39.303 I/logwrapper( 9055): type=1400 audit(0.0:44): avc: denied { execute_no_trans } for path="/data/local/tmp/DynamoRIO/wrap.sh" dev="mmcblk0p30" ino=228085 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-05 11:28:48.826 I/wrap.sh ( 9054): referenceTable GDEF length=814 1
06-05 11:28:48.832 I/wrap.sh ( 9054): referenceTable GSUB length=11364 1
06-05 11:28:48.851 I/wrap.sh ( 9054): referenceTable GPOS length=47302 1
06-05 11:28:59.170 I/wrap.sh ( 9054): WARNING: linker: /data/app/com.google.android.gms-1/lib/arm/libgmscore.so: unused DT entry: type 0x7ffffffd arg 0x795
06-05 11:28:59.618 I/wrap.sh ( 9054): WARNING: linker: /data/app/com.google.android.gms-1/lib/arm/libconscrypt_gmscore_jni.so: unused DT entry: type 0x1d arg 0xe0
06-05 11:28:59.619 I/wrap.sh ( 9054): WARNING: linker: /data/app/com.google.android.gms-1/lib/arm/libconscrypt_gmscore_jni.so: unused DT entry: type 0x7ffffffd arg 0x1c9
06-05 11:29:25.455 I/wrap.sh ( 9054): <Application /system/bin/app_process32 (9055). DynamoRIO internal crash at PC 0xb6ed750e. Please report this at http://dynamorio.org/issues/. Program aborted.
06-05 11:29:25.455 I/wrap.sh ( 9054): Received SIGSEGV at pc 0xb6ed750e in thread 9120
06-05 11:29:25.455 I/wrap.sh ( 9054): Base: 0xb6e15000
06-05 11:29:25.455 I/wrap.sh ( 9054): Registers: r0 =0x00000000 r1 =0x00000000 r2 =0xb6f53000 r3 =0xeafffffe
06-05 11:29:25.455 I/wrap.sh ( 9054): r4 =0x00000000 r5 =0x4a30237c r6 =0x00000000 r7 =0x00000000
06-05 11:29:25.455 I/wrap.sh ( 9054): r8 =0x4a2eec84 r9 =0x4a2eec8c r10=0x00000000 r11=0x00000001
06-05 11:29:25.455 I/wrap.sh ( 9054): r12=0x00004c82 r13=0x4a2eec78 r14=0xb6ed74ad r15=0xb6ed750e
06-05 11:29:25.455 I/wrap.sh ( 9054): eflags=0x80071830
06-05 11:29:25.455 I/wrap.sh ( 9054): version 6.2.17301, custom build
06-05 11:29:25.455 I/wrap.sh ( 9054): -no_dynamic_options -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
With -debug, I see the following in the logcat with logcat -v time | grep wrap
06-05 11:52:35.564 I/logwrapper(10068): type=1400 audit(0.0:50): avc: denied { execute } for name="wrap.sh" dev="mmcblk0p30" ino=228085 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-05 11:52:35.564 I/logwrapper(10068): type=1400 audit(0.0:51): avc: denied { execute_no_trans } for path="/data/local/tmp/DynamoRIO/wrap.sh" dev="mmcblk0p30" ino=228085 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-05 11:52:35.610 I/wrap.sh (10067): <Starting application /system/bin/app_process32 (10068)>
06-05 11:52:35.620 I/wrap.sh (10067): <Paste into GDB to debug DynamoRIO clients:
06-05 11:52:35.620 I/wrap.sh (10067): set confirm off
06-05 11:52:35.620 I/wrap.sh (10067): add-symbol-file '/data/local/tmp/fresh-build/lib32/debug/libdynamorio.so' 0xb6cdd498
06-05 11:52:35.620 I/wrap.sh (10067): >
06-05 11:52:35.643 I/wrap.sh (10067): <Initial options = -no_dynamic_options -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
06-05 11:52:40.545 I/wrap.sh (10067): <get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
06-05 11:52:40.545 I/wrap.sh (10067): os says: 0xb6bfc000-0xb6c00000 prot=0x0000000b
06-05 11:52:40.545 I/wrap.sh (10067): cache says: 0xb6bfa000-0xb6c00000 prot=0x0000000b
06-05 11:52:40.545 I/wrap.sh (10067): >
06-05 11:53:36.163 I/wrap.sh (10067): <Application /system/bin/app_process32 (10068). Internal Error: DynamoRIO debug check failure: <path to dynamorio>/core/unix/memcache.c:411 found
06-05 11:53:36.164 I/wrap.sh (10067): (Error occurred @24669 frags)
06-05 11:53:36.164 I/wrap.sh (10067): version 6.2.17301, custom build
06-05 11:53:36.164 I/wrap.sh (10067): -no_dynamic_options -code_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
06-05 11:53:36.164 I/wrap.sh (10067): 0xb6d93319 0x78af04b0>
06-05 11:53:36.170 I/wrap.sh (10067): wrap.sh terminated by exit(255)
06-05 11:53:36.172 W/Zygote ( 4008): Error reading pid from wrapped process, child may have died
In both cases (with and without -debug), I see a hang and the logcat shows repeated startup messages and crashes.
Any help would be appreciated.
Thanks Sudi