fixed adrp imm overflow in save_header

Antibioticss · Antibioticss · commit 4933bdaeea0c · 2025-12-12T15:43:47.000+08:00
diff --git a/src/interpose.c b/src/interpose.c
@@ -6,12 +6,15 @@
 #include <mach-o/nlist.h>
 #include <stdint.h>
 #include <string.h>
+#ifndef COMPACT
+    #include <mach/mach_error.h> // mach_error_string()
+#endif
 
 int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacement) {
     intptr_t image_slide = _dyld_get_image_vmaddr_slide(image_index);
     struct mach_header_64 *mh_header = (struct mach_header_64 *)_dyld_get_image_header(image_index);
     struct load_command *ld_command = (void *)mh_header + sizeof(struct mach_header_64);
-    struct section_64 *sym_sects[2] = {NULL, NULL};
+    struct section_64 *sym_sects[2] = {NULL, NULL}; // possible to have both!
     struct symtab_command *symtab_cmd = NULL;
     struct dysymtab_command *dysymtab_cmd = NULL;
     struct segment_command_64 *linkedit_cmd = NULL;
@@ -24,7 +27,6 @@ int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacem
                 for (int j = 0; j < segment->nsects; j++) {
                     if ((data_const_sect[j].flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
                         sym_sects[0] = data_const_sect + j; // __nl_symbol_ptr
-                        break;
                     }
                 }
             }
@@ -34,7 +36,6 @@ int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacem
                 for (int j = 0; j < segment->nsects; j++) {
                     if ((data_sect[j].flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
                         sym_sects[1] = data_sect + j; // __la_symbol_ptr
-                        break;
                     }
                 }
             }
@@ -78,15 +79,17 @@ int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacem
                 if (i == 0) { // __nl_symbol_ptr in __DATA_CONST
                     err = mach_vm_protect(mach_task_self(), (mach_vm_address_t)sym_ptrs, sym_sec->size, FALSE,
                                           VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY);
-                    if (err != 0) goto exit;
+                    if (err != 0) {
+                        LOG_ERROR("mach_vm_protect: %s", mach_error_string(err));
+                        break;
+                    }
                 }
                 sym_ptrs[j] = replacement;
-                goto exit;
+                break;
             }
         }
     }
 
-exit:
     if (!found) {
         err = -1;
         LOG_ERROR("tiny_interpose: no matching indirect symbol found!");
diff --git a/src/private.h b/src/private.h
@@ -41,6 +41,8 @@
     #define AARCH64_BLR  0xd63f0220 // blr      x17
     #define AARCH64_ADD  0x91000231 // add      x17, x17, 0
     #define AARCH64_SUB  0xd1000231 // sub      x17, x17, 0
+    #define AARCH64_MOVZ 0xd2800000 // movz     xd, 0
+    #define AARCH64_MOVK 0xf2800000 // movk     xd, 0
 #elif __x86_64__
     #define X86_64_CALL     0xe8       // call
     #define X86_64_JMP      0xe9       // jmp
diff --git a/src/tinyhook.c b/src/tinyhook.c
@@ -79,13 +79,32 @@ static inline void save_header(void **src, void **dst, int min_len) {
         if (((insn ^ 0x90000000) & 0x9f000000) == 0) {
             // adrp
             // modify the immediate (len: 4 -> 4)
-            int64_t len = (insn >> 29 & 0x3) | ((insn >> 3) & 0x1ffffc);
-            len += ((int64_t)*src >> 12) - ((int64_t)*dst >> 12);
-            insn &= 0x9f00001f; // clean the immediate
-            insn = ((len & 0x3) << 29) | ((len & 0x1ffffc) << 3) | insn;
+            int64_t addr = ((int64_t)*src >> 12) + ((insn >> 29 & 0x3) | ((insn >> 3) & 0x1ffffc));
+            int64_t len = addr - ((int64_t)*dst >> 12);
+            if ((len << 12) < 4 * GB) {
+                insn &= 0x9f00001f; // clean the immediate
+                insn = ((len & 0x3) << 29) | ((len & 0x1ffffc) << 3) | insn;
+                *(uint32_t *)*dst = insn;
+                *dst += 4;
+            }
+            else {
+                int64_t imm64 = addr << 12;
+                uint16_t rd = insn & 0b11111;
+                bool cleaned = false;
+                for (int j = 0; imm64; imm64 >>= 16, j++) {
+                    uint64_t cur_imm = imm64 & 0xffff;
+                    if (cur_imm) {
+                        *(uint32_t *)*dst = (j << 21) | (cur_imm << 5) | rd | (cleaned ? AARCH64_MOVK : AARCH64_MOVZ);
+                        *dst += 4;
+                        cleaned = true;
+                    }
+                }
+            }
+        }
+        else {
+            *(uint32_t *)*dst = insn;
+            *dst += 4;
         }
-        *(uint32_t *)*dst = insn;
-        *dst += 4;
         *src += 4;
     }
 #elif __x86_64__

Original file line number	Diff line number	Diff line change
`@@ -6,12 +6,15 @@`
`6`	`6`	`#include <mach-o/nlist.h>`
`7`	`7`	`#include <stdint.h>`
`8`	`8`	`#include <string.h>`
	`9`	`+#ifndef COMPACT`
	`10`	`+ #include <mach/mach_error.h> // mach_error_string()`
	`11`	`+#endif`
`9`	`12`
`10`	`13`	`int tiny_interpose(uint32_t image_index, const char symbol_name, void replacement) {`
`11`	`14`	`intptr_t image_slide = _dyld_get_image_vmaddr_slide(image_index);`
`12`	`15`	`struct mach_header_64 mh_header = (struct mach_header_64 )_dyld_get_image_header(image_index);`
`13`	`16`	`struct load_command ld_command = (void )mh_header + sizeof(struct mach_header_64);`
`14`		`- struct section_64 *sym_sects[2] = {NULL, NULL};`
	`17`	`+ struct section_64 *sym_sects[2] = {NULL, NULL}; // possible to have both!`
`15`	`18`	`struct symtab_command *symtab_cmd = NULL;`
`16`	`19`	`struct dysymtab_command *dysymtab_cmd = NULL;`
`17`	`20`	`struct segment_command_64 *linkedit_cmd = NULL;`
`@@ -24,7 +27,6 @@ int tiny_interpose(uint32_t image_index, const char symbol_name, void replacem`
`24`	`27`	`for (int j = 0; j < segment->nsects; j++) {`
`25`	`28`	`if ((data_const_sect[j].flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {`
`26`	`29`	`sym_sects[0] = data_const_sect + j; // __nl_symbol_ptr`
`27`		`- break;`
`28`	`30`	`}`
`29`	`31`	`}`
`30`	`32`	`}`
`@@ -34,7 +36,6 @@ int tiny_interpose(uint32_t image_index, const char symbol_name, void replacem`
`34`	`36`	`for (int j = 0; j < segment->nsects; j++) {`
`35`	`37`	`if ((data_sect[j].flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {`
`36`	`38`	`sym_sects[1] = data_sect + j; // __la_symbol_ptr`
`37`		`- break;`
`38`	`39`	`}`
`39`	`40`	`}`
`40`	`41`	`}`
`@@ -78,15 +79,17 @@ int tiny_interpose(uint32_t image_index, const char symbol_name, void replacem`
`78`	`79`	`if (i == 0) { // __nl_symbol_ptr in __DATA_CONST`
`79`	`80`	`err = mach_vm_protect(mach_task_self(), (mach_vm_address_t)sym_ptrs, sym_sec->size, FALSE,`
`80`	`81`	`VM_PROT_READ \| VM_PROT_WRITE \| VM_PROT_COPY);`
`81`		`- if (err != 0) goto exit;`
	`82`	`+ if (err != 0) {`
	`83`	`+ LOG_ERROR("mach_vm_protect: %s", mach_error_string(err));`
	`84`	`+ break;`
	`85`	`+ }`
`82`	`86`	`}`
`83`	`87`	`sym_ptrs[j] = replacement;`
`84`		`- goto exit;`
	`88`	`+ break;`
`85`	`89`	`}`
`86`	`90`	`}`
`87`	`91`	`}`
`88`	`92`
`89`		`-exit:`
`90`	`93`	`if (!found) {`
`91`	`94`	`err = -1;`
`92`	`95`	`LOG_ERROR("tiny_interpose: no matching indirect symbol found!");`