
Parent file descriptors not available in child process (Mac OS) #269

Open
wizche opened this issue Oct 9, 2019 · 1 comment

Comments

@wizche
Contributor

wizche commented Oct 9, 2019

It seems that the FDs opened by a parent process are being closed by frida somehow and are therefore not available in the child/target process instrumented by frida itself.

I attached a testcase.zip to demonstrate the issue. The createfd.c just creates a file descriptor (1234) by duplicating its stdout, and the checkfd.c just checks that such an FD is available via fcntl.

Running the sample directly:

$ ./createfd ./checkfd
Running ./checkfd...
--- [+] FD 1234 is READY!

If we run those with frida in the middle, the checkfd process won't have access to the FD.

$ ./createfd `which frida` --no-pause -q ./checkfd
Running /usr/local/bin/frida...
Spawned `./checkfd`. Resuming main thread!                              
--- FD 1234 is NOT ready!

I checked the source code and noticed that for darwin when spawning the process the following flag is set: POSIX_SPAWN_CLOEXEC_DEFAULT. According to the documentation:

Apple Extension: If this bit is set, then only file descriptors explicitly described by the file_actions argument are available in the spawned process; all of the other file descriptors are automatically closed in the spawned process.

I immediately thought that this flag was the cause of the issue (why is it there, btw?).
I patched frida (by removing that flag) and rebuilt the framework, but I still get the same issue. I then tried to create a "mocked" version of frida where I only start the process the same way it does, with posix_spawn and with the very same flags and setup (sigset, fds), and in that case it works:

$ ./createfd ./fridamock ./checkfd
Running ./fridamock...
- [+] FD 1234 ready in fridamock!
- posix_spawn --
- Child pid: 48996
- Child resumed!
--- [+] FD 1234 is READY!
- Child exited with status 0

Can someone please shine some light?

Additional: Frida version 12.7.6
Mac Mojave: 10.14.6

@wizche
Contributor Author

wizche commented Oct 10, 2019

UPDATE: I tested the same scenario on an Ubuntu VM, and there it works as intended (FD accessible from the target process):

$ frida --version
12.7.6
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial
$ ./createfd `which frida` --no-pause -q ./checkfd
Running /home/john/.local/bin/frida...
Spawned `./checkfd`. Resuming main thread!                              
--- [+] FD 123 is READY!

PS: I changed the FD to 123 since the dup call didn't like 1234, but this isn't the issue (on Mac it doesn't work for either).
