hook libcore.io.Linux access(Ljava/lang/String;I)Z会崩溃

[shuajinanhai]

libcore.io.Linux access(Ljava/lang/String;I)Z
这是个hidden函数，不过可以先用HiddenApiBypass过掉，
但使用yahfa hook会崩溃，使用pine hook就正常。
都是只hook这个函数，没hook其他api,测试了10系统，11系统，13系统，14系统，15系统都是这个情况
yahfa hook崩溃时可以看到进入hook函数打了log，应该是调用backup时候崩溃的
#00 pc 00000000003435a8 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::OatQuickMethodHeader::GetFrameInfo() const+28) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#1 pc 00000000004eacfc /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::StackVisitor::GetCurrentQuickFrameInfo() const+44) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#2 pc 00000000004e9e10 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (_ZN3art12StackVisitor9WalkStackILNS0_16CountTransitionsE0EEEvb+440) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#3 pc 00000000004fdf00 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (_jobject* art::Thread::CreateInternalStackTrace(art::ScopedObjectAccessAlreadyRunnable const&) const+316) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#4 pc 0000000000440dd8 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::Throwable_nativeFillInStackTrace(_JNIEnv*, _jclass*)+48) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#5 pc 00000000000f72b0 /system/framework/arm64/boot.oat (art_jni_trampoline+144) (BuildId: fcaabf3a53ff79d746d4c0d32c5a36512831b2f0)
#6 pc 00000000001435b8 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#7 pc 00000000001521b8 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+284) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#8 pc 00000000002ec09c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#9 pc 00000000002e6dec /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+900) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#10 pc 00000000005afd30 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (MterpInvokeStatic+552) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#11 pc 000000000013d994 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#12 pc 00000000000eb322 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Throwable.fillInStackTrace+18)
#13 pc 00000000005ad3d0 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (MterpInvokeVirtual+1432) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#14 pc 000000000013d814 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#15 pc 00000000000eb4b6 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Throwable.+30)
#16 pc 00000000005af76c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (MterpInvokeDirect+1168) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#17 pc 000000000013d914 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#18 pc 00000000000db814 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Exception.)
#19 pc 00000000005af76c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (MterpInvokeDirect+1168) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#20 pc 000000000013d914 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#21 pc 00000000001a85c8 /apex/com.android.runtime/javalib/core-libart.jar (android.system.ErrnoException.)
#22 pc 00000000002bc8b0 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.10694241505231165514+240) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#23 pc 000000000059dfcc /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (artQuickToInterpreterBridge+1024) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#24 pc 000000000014c468 /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#25 pc 0000000000143334 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#26 pc 0000000000152198 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+252) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#27 pc 00000000004c0668 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#28 pc 00000000004c02cc /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+408) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#29 pc 00000000003ac0b8 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::JNI::CallNonvirtualVoidMethodV(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, std::__va_list)+796) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#30 pc 000000000038f630 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::JNI::NewObjectV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+824) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#31 pc 0000000000025314 /apex/com.android.runtime/lib64/libjavacore.so (_JNIEnv::NewObject(_jclass*, _jmethodID*, ...)+116) (BuildId: b944fc1d85104f26ade979edab391738)
#32 pc 00000000000349bc /apex/com.android.runtime/lib64/libjavacore.so (throwException(_JNIEnv*, _jclass*, _jmethodID*, _jmethodID*, char const*, int)+204) (BuildId: b944fc1d85104f26ade979edab391738)
#33 pc 000000000002c528 /apex/com.android.runtime/lib64/libjavacore.so (Linux_access(_JNIEnv*, _jobject*, _jstring*, int)+112) (BuildId: b944fc1d85104f26ade979edab391738)
#34 pc 000000000006d510 /system/framework/arm64/boot-core-libart.oat (art_jni_trampoline+160) (BuildId: 68f7fd7da3697a0f265f780e72f7429d412ec108)
#35 pc 00000000001435b8 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#36 pc 00000000001521b8 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+284) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#37 pc 00000000002ec09c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#38 pc 00000000002e6dec /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+900) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#39 pc 00000000005afd30 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x29e000) (MterpInvokeStatic+552) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#40 pc 000000000013d994 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 0e04b9aacefee5e9258af7349d6ef19a)
#41 pc 00000000005933ec [anon:dalvik-classes.dex extracted in memory from /data/app/com.testpine-29t5l5WZn3YJ5KLZvLc2Zg==/base.apk] (com.test.hook_Linux_access.hook)

[shuajinanhai]

还可以对yahfa兼容性上优化一波吗，大神

[shuajinanhai]

测试在mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);后多加个memset(buf, 0, size);可以解决10系统崩溃（之前也是(SEGV_MAPERR)），但11系统还是会signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xc0aabb20