yo,
is there any way to circumvent the negate-overflow in typical ubsan?
i'm trying to do security research on android binder services
(targeting a specific vendor library) and running into an unexpected
issue: ubsan instrumentation in libbinder.so on a production build.
when triggering integer overflow in service implementations through
binder ipc, i'm hitting a ubsan negate-overflow check in
BBinder::transact. specifically in the transaction recording path:
BBinder::transact() {
...
pthread_mutex_lock(extras + 0x14);
CMP WZR, W0 // compare 0 - return_value
B.VS ubsan_abort // crashes here
}
what happens is the service heap state gets corrupted, but when binder
tries to record the transaction, pthread_mutex_lock reads corrupted
mutex data and returns INT_MIN. then the "0 - INT_MIN" comparison
triggers ubsan and aborts before i can see the actual memory corruption
behavior.
the abort message:
ubsan: negate-overflow by 0x<address>
i have root and can test out different things, but the poc must not
require root to run or setup.
-- veygax
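The check the post is hitting is UBSan's signed-integer negate-overflow: in two's-complement int32 the only value whose negation does not fit is INT_MIN, so "0 - x" overflows exactly when x == INT_MIN, which is what the "CMP WZR, W0 / B.VS" pair (subtract W0 from zero, branch if the overflow flag is set) tests. The following C program is an added illustration of that check, not code from the original message or from libbinder; the function names and sample values are constructed here. It computes the same condition with __builtin_sub_overflow and with an explicit flag emulation, and shows a negation helper that refuses the undefined case instead of executing it.

```c
// Added example (not from the original post or from libbinder): models the
// condition behind UBSan's negate-overflow check.  Negating an int32 is
// undefined only for INT32_MIN, so "0 - v" overflows iff v == INT32_MIN.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// True when negating v would overflow, i.e. when "-v" would trip
// -fsanitize=signed-integer-overflow.  The overflow builtin evaluates the
// exact mathematical result, so no undefined negation is executed here.
bool negate_overflows(int32_t v) {
    int32_t r;
    return __builtin_sub_overflow((int32_t)0, v, &r);
}

// Guarded negation: returns false (leaving *out untouched) for INT32_MIN
// instead of performing the undefined operation.
bool safe_negate(int32_t v, int32_t *out) {
    if (negate_overflows(v)) {
        return false;
    }
    *out = -v;
    return true;
}

// Emulates the V flag of the AArch64 "CMP WZR, Wn" (0 - Wn): V is set when
// the true 33-bit result does not fit in a signed 32-bit register.
bool arm64_cmp_wzr_sets_v(int32_t v) {
    int64_t wide = 0 - (int64_t)v;   /* exact result, no overflow in 64 bits */
    return wide > INT32_MAX || wide < INT32_MIN;
}

int main(void) {
    /* Constructed sample values, including the one problem case. */
    const int32_t samples[] = {0, 1, -1, INT32_MAX, INT32_MIN};
    const size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        int32_t neg = 0;
        bool ok = safe_negate(samples[i], &neg);
        printf("v=%11d  ubsan_would_abort=%d  V_flag=%d  safe_negate=%s",
               samples[i], negate_overflows(samples[i]),
               arm64_cmp_wzr_sets_v(samples[i]), ok ? "ok" : "refused");
        if (ok) {
            printf("  (-v=%d)", neg);
        }
        printf("\n");
    }
    return 0;
}
```

Both predicates agree on every input, which is the point: the sanitizer is not reporting a spurious condition but the one value a plain "-v" cannot represent, and library code that can receive an out-of-range value (here, a garbage return code from a mutex call) is expected to test for it before negating.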
_______________________________________________
libreplanet-discuss mailing list
[email protected]
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss