Steps to reproduce
- Use Vector/LSPosed source at commit cf1153e025318045d76ba64d0667e2a41c58ceaf.
- Build a minimal native harness against the vendored `external/lsplant/.../dex_builder/slicer` sources with release-compatible flags, especially `-DNDEBUG`.
- Feed the harness a malformed DEX-like input that contains the obfuscation target signature `Lorg/matrix/vector/core/`, sets `class_defs_size = 1`, and sets `class_defs_off` outside the file.
- Run the same harness in debug, release-compatible, and ASAN release-compatible modes.
I attached vector_dex_obfuscation_verification.zip, which contains the local verification log, ASAN output, harness source, build script, PoC generator, and the minimal malformed DEX-like input. The input is only a malformed parser trigger and contains no executable payload.
Expected behaviour
Malformed module DEX data should be rejected safely.
The daemon should skip the invalid module or report a recoverable module load/obfuscation error. Native DEX parser failures should not terminate the daemon process.
Actual behaviour
In release-compatible mode, the native DEX parser dereferences an invalid class definition pointer and crashes.
Observed results from a local harness using the vendored slicer sources:
- Debug harness: aborts via `SLICER_CHECK`, return code 134.
- Release-compatible harness with `-DNDEBUG`: crashes with `SIGSEGV`, return code 139.
- Release-compatible ASAN harness: reports `AddressSanitizer: SEGV`.

ASAN stack:

```
dex::Reader::ParseClass(unsigned int)
dex::Reader::GetClass(unsigned int)
dex::Reader::CreateFullIr()
main
```
The root cause appears to be that `SLICER_CHECK` bounds checks are compiled out under `NDEBUG`, while `ObfuscationManager.obfuscateDex` passes module-controlled DEX bytes into `dex::Reader::CreateFullIr()` after only a signature `memmem` gate.
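As an added illustration of the mitigation this report asks for (example code written here, not slicer's, lsplant's or LSPosed's own code): a runtime bounds check on `class_defs_off` and `class_defs_size` that is evaluated regardless of `-DNDEBUG`, together with a constructed header builder so the check can be exercised against the input shape described above. Header field offsets follow the standard `dex_header_item` layout; the `dexcheck` namespace, `CheckClassDef`, `MakeInput` and the `Status` values are names introduced for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

namespace dexcheck {

// Header field offsets from the standard dex_header_item layout.
constexpr size_t kHeaderSize       = 0x70;
constexpr size_t kFileSizeOff      = 0x20;
constexpr size_t kClassDefsSizeOff = 0x60;
constexpr size_t kClassDefsOffOff  = 0x64;
constexpr size_t kClassDefSize     = 32;  // class_def_item is eight u4 fields

struct ClassDef {
  uint32_t class_idx, access_flags, superclass_idx, interfaces_off,
           source_file_idx, annotations_off, class_data_off, static_values_off;
};

enum class Status {
  kOk,
  kTruncatedHeader,       // buffer shorter than the fixed header
  kFileSizeMismatch,      // header's file_size disagrees with the bytes actually read
  kClassDefsOutOfBounds,  // class_defs table (partly) outside the buffer
  kIndexOutOfRange        // requested index >= class_defs_size
};

inline uint32_t ReadU32(const uint8_t* p) {
  uint32_t v;
  std::memcpy(&v, p, sizeof v);  // DEX is little-endian; this assumes a little-endian host
  return v;
}

// Runtime bounds check that is NOT compiled out under -DNDEBUG (unlike an assert()-style
// check). Returns kOk and fills *out only when class_defs[index] lies entirely inside
// [data, data + size). Everything is compared against the real buffer size, never against
// header-claimed sizes alone.
inline Status CheckClassDef(const uint8_t* data, size_t size, uint32_t index, ClassDef* out) {
  if (size < kHeaderSize) return Status::kTruncatedHeader;
  if (ReadU32(data + kFileSizeOff) != size) return Status::kFileSizeMismatch;

  const uint32_t count = ReadU32(data + kClassDefsSizeOff);
  const uint32_t off   = ReadU32(data + kClassDefsOffOff);

  // Check off first, then count via division: off + count * 32 could wrap in 32 bits.
  if (off > size) return Status::kClassDefsOutOfBounds;
  if (count > (size - off) / kClassDefSize) return Status::kClassDefsOutOfBounds;
  if (index >= count) return Status::kIndexOutOfRange;

  std::memcpy(out, data + off + static_cast<size_t>(index) * kClassDefSize, kClassDefSize);
  return Status::kOk;
}

// Constructed test input (not the attached PoC): a zeroed 0x70-byte header followed by
// `trailing` zero bytes, with file_size, class_defs_size and class_defs_off filled in.
inline std::vector<uint8_t> MakeInput(uint32_t class_defs_size, uint32_t class_defs_off,
                                      size_t trailing) {
  std::vector<uint8_t> buf(kHeaderSize + trailing, 0);
  const uint32_t file_size = static_cast<uint32_t>(buf.size());
  std::memcpy(buf.data() + kFileSizeOff, &file_size, sizeof file_size);
  std::memcpy(buf.data() + kClassDefsSizeOff, &class_defs_size, sizeof class_defs_size);
  std::memcpy(buf.data() + kClassDefsOffOff, &class_defs_off, sizeof class_defs_off);
  return buf;
}

}  // namespace dexcheck

int main() {
  using namespace dexcheck;
  ClassDef cd{};
  // One class_def_item placed directly after the header: accepted.
  std::vector<uint8_t> good = MakeInput(1, 0x70, kClassDefSize);
  // class_defs_size = 1 with class_defs_off beyond the file: the shape this report describes.
  std::vector<uint8_t> bad = MakeInput(1, 0x10000, 0);
  std::printf("good -> status %d\n", static_cast<int>(CheckClassDef(good.data(), good.size(), 0, &cd)));
  std::printf("bad  -> status %d\n", static_cast<int>(CheckClassDef(bad.data(), bad.size(), 0, &cd)));
  return 0;
}
```

The point of the division-based check is that a count-times-stride multiplication on attacker-controlled `u4` fields can wrap, so the arithmetic is arranged so that nothing is ever computed past the end of the buffer; a caller that gets anything other than `kOk` should drop the module and log, rather than continue into IR construction.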
Xposed Module List
N/A for this report. This is a native parser robustness/security issue reproduced with a local harness. The attacker-controlled input would be a malformed enabled module APK.
Root implementation
N/A for local harness reproduction. The affected runtime scenario is the Vector/LSPosed daemon processing an enabled module APK in a rooted environment.
System Module List
N/A for local harness reproduction.
LSPosed version
3043
Android version
N/A
Version requirement
Logs
This is not a usage/activation issue, but I also attached vector_dex_obfuscation_verification.zip, which contains the local verification log, ASAN output, harness source, build script, PoC generator, and the minimal malformed DEX-like input.
vector_dex_obfuscation_verification.zip