
Commit 92a83c8

authored
Merge pull request #194 from cashapp/entin/fix-rebinding-crash
Fix crash in UIAccessibilityStatusUtility rebinding logic
2 parents 9dbc6ff + 3a6b9eb commit 92a83c8


1 file changed

+10
-45
lines changed


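--- a/Sources/AccessibilitySnapshot/Core/ObjC/UIAccessibilityStatusUtility.m
+++ b/Sources/AccessibilitySnapshot/Core/ObjC/UIAccessibilityStatusUtility.m
@@ -153,41 +153,15 @@ static int prepend_rebindings(struct rebindings_entry **rebindings_head,
 return 0;
 }
 
-static vm_prot_t get_protection(void *sectionStart) {
-mach_port_t task = mach_task_self();
-vm_size_t size = 0;
-vm_address_t address = (vm_address_t)sectionStart;
-memory_object_name_t object;
-mach_msg_type_number_t count = VM_REGION_BASIC_INFO_COUNT_64;
-vm_region_basic_info_data_64_t info;
-kern_return_t info_ret = vm_region_64(task,
-&address,
-&size,
-VM_REGION_BASIC_INFO_64,
-(vm_region_info_64_t)&info,
-&count,
-&object);
-if (info_ret == KERN_SUCCESS) {
-return info.protection;
-} else {
-return VM_PROT_READ;
-}
-}
-
 static void perform_rebinding_with_section(struct rebindings_entry *rebindings,
 section_t *section,
 intptr_t slide,
 nlist_t *symtab,
 char *strtab,
 uint32_t *indirect_symtab) {
-const bool isDataConst = strcmp(section->segname, SEG_DATA_CONST) == 0;
 uint32_t *indirect_symbol_indices = indirect_symtab + section->reserved1;
 void **indirect_symbol_bindings = (void **)((uintptr_t)slide + section->addr);
-vm_prot_t oldProtection = VM_PROT_READ;
-if (isDataConst) {
-oldProtection = get_protection(rebindings);
-mprotect(indirect_symbol_bindings, section->size, PROT_READ | PROT_WRITE);
-}
+
 for (uint i = 0; i < section->size / sizeof(void *); i++) {
 uint32_t symtab_index = indirect_symbol_indices[i];
 if (symtab_index == INDIRECT_SYMBOL_ABS || symtab_index == INDIRECT_SYMBOL_LOCAL ||
@@ -200,33 +174,24 @@ static void perform_rebinding_with_section(struct rebindings_entry *rebindings,
 struct rebindings_entry *cur = rebindings;
 while (cur) {
 for (uint j = 0; j < cur->rebindings_nel; j++) {
-if (symbol_name_longer_than_1 &&
-strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
-if (cur->rebindings[j].replaced != NULL &&
-indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
+if (symbol_name_longer_than_1 && strcmp(&symbol_name[1], cur->rebindings[j].name) == 0) {
+if (cur->rebindings[j].replaced != NULL && indirect_symbol_bindings[i] != cur->rebindings[j].replacement) {
 *(cur->rebindings[j].replaced) = indirect_symbol_bindings[i];
 }
-indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
+
+kern_return_t err = vm_protect(mach_task_self(), (uintptr_t)indirect_symbol_bindings, section->size, 0, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY);
+
+if (err == KERN_SUCCESS) {
+indirect_symbol_bindings[i] = cur->rebindings[j].replacement;
+}
+
 goto symbol_loop;
 }
 }
 cur = cur->next;
 }
 symbol_loop:;
 }
-if (isDataConst) {
-int protection = 0;
-if (oldProtection & VM_PROT_READ) {
-protection |= PROT_READ;
-}
-if (oldProtection & VM_PROT_WRITE) {
-protection |= PROT_WRITE;
-}
-if (oldProtection & VM_PROT_EXECUTE) {
-protection |= PROT_EXEC;
-}
-mprotect(indirect_symbol_bindings, section->size, protection);
-}
 }
 
 static void rebind_symbols_for_image(struct rebindings_entry *rebindings,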
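Review bot: The new `vm_protect(...)` call in the second hunk makes the whole section RW (copy-on-write) and nothing ever narrows it back: the removed `isDataConst` restore block at the end of `perform_rebinding_with_section` has no replacement, so a `__DATA_CONST` symbol-pointer section that was read-only before rebinding stays writable for the rest of the process, which gives up the hardening that segment exists for. The call also runs once per matched symbol instead of once per section, and when it fails the hook is silently skipped with no diagnostic, so a caller cannot tell its replacement was never installed. At minimum this deserves a comment above the `vm_protect` line, something like `// Leaves the section RW+COPY for the process lifetime; protection is not restored. A failed vm_protect silently skips this rebinding.`, and a follow-up could hoist the call to the first match per section and surface the failure (e.g. via a return code or a log). The function begins in the first hunk and its middle lies between the two hunks, so the `symbol_name_longer_than_1` setup is outside the visible diff.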
