procursusteam / libiosexec Goto Github PK

View Code? Open in Web Editor NEW

29.0 29.0 8.0 108 KB

an execve shim to allow executing shell scripts on ios

License: BSD 2-Clause "Simplified" License

C 93.92% Makefile 5.66% Shell 0.42%

hacktoberfest

libiosexec's People

Contributors

Stargazers

Watchers

Forkers

crkatri khronos31 crystall1nedev torrekie linhbg1998 asdfugil therealketo palera1n

libiosexec's Issues

failed to run tar on Dopamine jailbroken ios15.4.1

Abstract

tar failed on Dopamine jailbroken ios15.4.1

Details

run tar on jailbroken ios15.4.1 reports:

minamishatekiiPhone:~ root# tar -czf a.tgz gen1.xml 
tar (child): gzip: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now

dig into the problem, tar will call into libiosexec!ie_execv with args ["/bin/sh", "-c", "gzip"]

Target 0: (tar1) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into
  * frame #0: 0x00000001026b1b50 libiosexec.1.dylib`ie_execv
    frame #1: 0x000000010252e8e4 tar1`___lldb_unnamed_symbol1055 + 52
    frame #2: 0x000000010252e79c tar1`sys_child_open_for_compress + 872
    frame #3: 0x00000001025111e4 tar1`open_archive + 600
    frame #4: 0x00000001025172e8 tar1`create_archive + 92
    frame #5: 0x0000000102530d18 tar1`main + 3692
    frame #6: 0x0000000102939ce4 dyld`start + 520
(lldb) x/s $x0
0x10256636e: "/bin/sh"
(lldb) x/s ((long*)$x1)[0]
0x10256636e: "/bin/sh"
(lldb) x/s ((long*)$x1)[1]
0x102566487: "-c"
(lldb) x/s ((long*)$x1)[2]
0x1025662d3: "gzip"
(lldb) x/s ((long*)$x1)[3]
error: failed to read memory from 0x0.

However, on IOS 15.4.1 there is no /bin/sh at all, so it fails.

Environment

IOS: 15.4.1
Dopamine version: 1.0.5
iPhone 11 64G: iPhone12,1 (A2223)

`posix_spawn` is setting errno even succeeded

Recently compiling GNU Guile but it's internal posix_spawn wrapper seems encountering the failure logic, by inspecting the code I see the root cause is an errno has been set on iOS, but this doesn't happen on macOS

Simple test program

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

int main() {
    pid_t child_pid;
    posix_spawn_file_actions_t file_actions;

    // Initialize file actions
    if (posix_spawn_file_actions_init(&file_actions) != 0) {
        perror("posix_spawn_file_actions_init");
        return EXIT_FAILURE;
    }

    // Define command to execute
    const char *command = "/bin/ls";
    char *const argv[] = {"/bin/ls", "-l", "/", NULL};

    // Spawn a child process using posix_spawn
    if (posix_spawnp(&child_pid, command, &file_actions, NULL, argv, environ) != 0) {
        perror("posix_spawnp");
        return EXIT_FAILURE;
    }

    // Wait for the child process to complete
    int status;
    if (waitpid(child_pid, &status, 0) == -1) {
        perror("waitpid");
        return EXIT_FAILURE;
    }

    if (WIFEXITED(status)) {
        printf("Child process exited with status: %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        printf("Child process terminated by signal: %d\n", WTERMSIG(status));
    } else {
        printf("Child process did not exit normally.\n");
    }

    // Clean up file actions
    if (posix_spawn_file_actions_destroy(&file_actions) != 0) {
        perror("posix_spawn_file_actions_destroy");
        return EXIT_FAILURE;
    }

    printf("errno: %d (%s)\n", errno, strerror(errno));

    return EXIT_SUCCESS;
}

On macOS:

TorrekiedeMacBook-Pro:proj torrekie$ ./a.out
total 10
drwxrwxr-x  38 root  admin  1216  8  3 18:10 Applications
drwxr-xr-x  67 root  wheel  2144  3 13 01:00 Library
drwxr-xr-x@  9 root  wheel   288  1  1  2020 System
drwxr-xr-x   5 root  admin   160  1 17  2023 Users
drwxr-xr-x   3 root  wheel    96  8  9 22:48 Volumes
drwxr-xr-x@ 38 root  wheel  1216  1  1  2020 bin
drwxr-xr-x   2 root  wheel    64  1  1  2020 cores
dr-xr-xr-x   4 root  wheel  4852  8  1 01:02 dev
lrwxr-xr-x@  1 root  wheel    11  1  1  2020 etc -> private/etc
lrwxr-xr-x   1 root  wheel    25  8  1 01:03 home -> /System/Volumes/Data/home
drwxr-xr-x   3 root  wheel    96  1 17  2023 opt
drwxr-xr-x   6 root  wheel   192  1  1  2020 private
drwxr-xr-x@ 65 root  wheel  2080  1  1  2020 sbin
lrwxr-xr-x@  1 root  wheel    11  1  1  2020 tmp -> private/tmp
drwxr-xr-x@ 11 root  wheel   352  1  1  2020 usr
lrwxr-xr-x@  1 root  wheel    11  1  1  2020 var -> private/var
Child process exited with status: 0
errno: 0 (Undefined error: 0)

On iOS:

iPad:~ root# ./a.out 
total 69
drwxr-xr-x    11 root  staff    352  4 16 20:54 .Fugu14Untether
-rw-r--r--     1 root  wheel      0  4 16 20:53 .Fugu14_Installed
drwx------     2 root  wheel     64  1  1  2020 .ba
-rw-r--r--     1 root  wheel      0  4 16 20:58 .cydia_no_stash
----------     1 root  admin      0  1  1  2020 .file
drwx------  2194 root  wheel  70208  8 10 08:42 .fseventsd
-rw-r--r--     1 root  wheel      0  4 16 20:58 .installed_unc0ver
drwx------     2 root  wheel     64  1  1  2020 .mb
-rw-r--r--     1 root  wheel      0  4 16 20:58 .mount_rw
drwxrwxr-x   119 root  admin   3808  5 24 13:33 Applications
drwxrwxr-x     2 root  admin     64  1  1  2020 Developer
-rw-r--r--     1 root  wheel    148  4 17 16:01 Entitlements.plist
drwxr-xr-x    32 root  wheel   1024  6 19 17:18 Library
-rw-r--r--     1 root  wheel   1821  4 17 16:04 SDKSettings.json
-rw-r--r--     1 root  wheel   1772  4 17 16:01 SDKSettings.plist
drwxr-xr-x     4 root  wheel    128  3 16  2021 System
lrwxr-xr-x     1 root  wheel     13  8  1 19:18 User -> ///var/mobile
drwxr-xr-x    73 root  wheel   2336  6 17 15:32 bin
drwxr-xr-x     2 root  wheel     64 10 28  2006 boot
drwxr-xr-x   420 root  wheel  13440  8 10 14:38 buildroot
-rw-r--r--     1 root  wheel     35  6 28 19:05 conffiles
-rw-r--r--     1 root  wheel    948  6 28 19:05 control
drwxrwxr-t     2 root  admin     64  1  1  2020 cores
dr-xr-xr-x     5 root  wheel   1196  8  1 19:17 dev
lrwxr-xr-x     1 root  wheel     11  1  1  2020 etc -> private/etc
drwxr-xr-x     2 root  wheel     64 10 28  2006 lib
drwxr-xr-x     2 root  wheel     64 10 28  2006 mnt
drwxr-xr-x    66 root  wheel   2112  6 17 15:32 sbin
drwxr-xr-x     3 root  wheel     96  5 24 17:17 stunnel
lrwxr-xr-x     1 root  wheel     15  1  1  2020 tmp -> private/var/tmp
drwxr-xr-x    15 root  wheel    480  6  6 19:09 usr
lrwxr-xr-x     1 root  admin     11  1  1  2020 var -> private/var
Child process exited with status: 0
errno: 60 (Operation timed out)

Child process has been successfully executed and exit with status 0, but this errno still happens due to unknown reason. Might be set by fork or exec, I'm not sure was that an intended behavior so create an issue here

Parsing shebang

shebang.c

#include <stdio.h>
int main(int argc, char* argv[]){
  for (int i=0;i<argc;i++){
    printf("argv[%d]= %s\n", i, argv[i]);
  }
  return 0;
}

test.sh

#!./shebang a b c "d e"

on macOS

khronos31@mac tmp % ls         
shebang		shebang.c	test.sh
khronos31@mac tmp % ./test.sh  
argv[0]= ./shebang
argv[1]= a
argv[2]= b
argv[3]= c
argv[4]= "d
argv[5]= e"
argv[6]= ./test.sh
khronos31@mac tmp %

on older versions of jailbroken iOS (without libiosexec)

iPhone61:~/src/tmp mobile$ ls
shebang*  shebang.c  test.sh*
iPhone61:~/src/tmp mobile$ ./test.sh 
argv[0]= ./shebang
argv[1]= a
argv[2]= b
argv[3]= c
argv[4]= "d
argv[5]= e"
argv[6]= ./test.sh
iPhone61:~/src/tmp mobile$

on jailbroken iOS (with libiosexec)

iPhone101:~/src/tmp mobile% ls       
shebang*  shebang.c  test.sh*
iPhone101:~/src/tmp mobile% ./test.sh
argv[0]= ./shebang
argv[1]= a b c "d e"
argv[2]= ./test.sh
iPhone101:~/src/tmp mobile%

on Linux

khronos31@Ubuntu:~/src/tmp$ ls
shebang  shebang.c test.sh
khronos31@Ubuntu:~/src/tmp$ ./test.sh 
argv[0]= ./shebang
argv[1]= a b c "d e"
argv[2]= ./test.sh
khronos31@Ubuntu:~/src/tmp$

I think it should be aligned with macOS behavior.

POSIX semaphore API

sem_init, sem_destroy and sem_getvalue that marked as deprecated in <sys/semaphore.h> has stub implementations under xnu/libsyscall/wrappers/posix_sem_obsolete.c that always set errno ENOSYS and return -1. But Apple has been provided alternative sem implementations like <dispatch/semaphore.h> and <mach/semaphore.h> and they do use them to implement POSIX sem like this

libuv also have implementations for this

`ie_execve` potentially freeing NULL argv

A bug with get_new_argv could be triggered with some specific argv patterns. To reproduce, change working directory to libplist-2.2.0 and do

$ autoreconf -fiv

with latest Procursus bash.

Resulting to an error that free_new_argv attempts to free an unallocated pointer.

(lldb) process launch --stop-at-entry -- -c "cd /buildroot/libplist-2.2.0 && autoreconf -fiv"
……
sh(14447,0x104f3b8c0) malloc: *** error for object 0x500000008: pointer being freed was not allocated
sh(14447,0x104f3b8c0) malloc: *** set a breakpoint in malloc_error_break to debug
aclocal: error: /usr/bin/autom4te terminated by signal: 6
autoreconf: error: aclocal failed with exit status: 1
Process 14442 exited with status = 1 (0x00000001)