In C/C++, a pointer returned from a call to malloc() or operator new() or similar functions can only be used to access memory within the bounds of that allocation, and only while the allocation is alive (not free-ed or delete-ed). MTE is used in Android to detect violations of this rule, referred to in the crash reports as "Buffer Overflow"/"Buffer Underflow" and "Use After Free" issues.
In VPN mode, InviZible uses objects from native C code, and native C code uses objects from the Java runtime. This way, objects can live longer, causing a crash when memory tagging is enabled. I don't think I can do anything about it.
Following the recent debug from Graphene OS about a memory tagging exploit in Pixel 8 and Pixel 8 Pro, InviZible Pro triggers that vulnerability.
Attached the Graphene OS log report:
type: crash
osVersion: google/shiba/shiba:14/AP1A.240305.019.A1/2024031100:user/release-keys
package: pan.alexander.tordnscrypt:3210
process: pan.alexander.tordnscrypt
processUptime: 0 + 0 ms
installer: com.android.packageinstaller
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0e00c2d543fb70a0
backtrace:
#00 pc 000000000000aa40 /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/lib/arm64/libinvizible.so (handle_events+684) (BuildId: ea0fd6a76bdd6c9e36262d5581ae69c819c73e05)
#1 pc 00000000008ddc44 /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (art_jni_trampoline+116)
#2 pc 00000000008dee64 /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (pan.alexander.tordnscrypt.vpn.service.ServiceVPN.u+868)
#3 pc 0000000000671684 /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (pan.alexander.tordnscrypt.vpn.service.c.run+84)
#4 pc 000000000014b310 /system/framework/arm64/boot.oat (java.lang.Thread.run+64) (BuildId: 1235208ba9cfe671264e87eb4b4dae4dc404ed76)
#5 pc 00000000003e6774 /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: ce9324755fe74aeab83add3986a7e459)
#6 pc 00000000003c7fb4 /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+228) (BuildId: ce9324755fe74aeab83add3986a7e459)
#7 pc 00000000004da9ac /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1660) (BuildId: ce9324755fe74aeab83add3986a7e459)
#8 pc 00000000004da31c /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12) (BuildId: ce9324755fe74aeab83add3986a7e459)
#9 pc 00000000000d5e6c /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: d1502eff54d5bd153bc5164ce1722801)
#10 pc 0000000000069a64 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: d1502eff54d5bd153bc5164ce1722801)
Learn more about MTE reports: https://source.android.com/docs/security/test/memory-safety/mte-reports
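A triage helper for reports like the one above, added here as an example (it is not code from InviZible Pro or GrapheneOS): it reads the signal line, splits the fault address into MTE pointer tag and untagged address, and picks the first frame inside the app's own native library. The function name `triage` and the `INSTALL_DIR` path placeholder are assumptions made for this example; the sample is abridged from the report.

```python
import re

# Abridged from the report above; "INSTALL_DIR" is a placeholder for the
# randomized install path, and only three of the frames are kept.
SAMPLE = """\
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0e00c2d543fb70a0
backtrace:
#00 pc 000000000000aa40 /data/app/INSTALL_DIR/lib/arm64/libinvizible.so (handle_events+684) (BuildId: ea0fd6a76bdd6c9e36262d5581ae69c819c73e05)
#1 pc 00000000008ddc44 /data/app/INSTALL_DIR/oat/arm64/base.odex (art_jni_trampoline+116)
#6 pc 00000000003c7fb4 /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+228) (BuildId: ce9324755fe74aeab83add3986a7e459)
"""

SIGNAL_RE = re.compile(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (\S+)")
FRAME_RE = re.compile(r"^#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \((.+?)\+(\d+)\))?", re.M)
MTE_CODES = {"SEGV_MTESERR": "sync", "SEGV_MTEAERR": "async"}  # Linux si_code names


def triage(report: str) -> dict:
    """Summarize an Android native crash report for MTE triage."""
    m = SIGNAL_RE.search(report)
    if m is None:
        raise ValueError("no signal line in report")
    _signame, codename, addr_text = m.groups()
    try:
        addr = int(addr_text, 16)
    except ValueError:
        addr = None  # no usable fault address in the report
    frames = [
        {"index": int(i), "pc": int(pc, 16), "path": path,
         "symbol": sym or None, "offset": int(off) if off else None}
        for i, pc, path, sym, off in FRAME_RE.findall(report)
    ]
    # First frame inside a native library shipped by the app itself.
    app_frame = next((f for f in frames if f["path"].startswith("/data/app/")
                      and f["path"].endswith(".so")), None)
    return {
        "mte_mode": MTE_CODES.get(codename),  # None: not an MTE fault
        # MTE keeps the 4-bit pointer tag in address bits 59:56.
        "pointer_tag": None if addr is None else (addr >> 56) & 0xF,
        # Clear the top byte to get the address without tag bits.
        "untagged_addr": None if addr is None else addr & ((1 << 56) - 1),
        "first_app_native_frame": app_frame,
        "frames": frames,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the report above this gives a synchronous MTE fault with pointer tag 0xe, and the first app-owned native frame is `handle_events+684` in `libinvizible.so`, which is where to start looking for the pointer that outlived or overran its allocation.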