Crash in dl_iterate_phdr when synchronizing module registry on Linux #1086

@tracyliving

Description

A segmentation fault occurs in _dl_tls_get_addr_soft when frida-gum attempts to synchronize the module registry during interceptor invocation. The crash happens when iterating over loaded shared libraries via dl_iterate_phdr.

Call stack:

#0  _dl_tls_get_addr_soft (l=<optimized out>) at ../elf/dl-tls.c:990
#1  0x0000791a9ef74d97 in __GI___dl_iterate_phdr (callback=callback@entry=0x791a9e0d30cf <gum_emit_module_from_phdr>, data=data@entry=0x7ffdb403f410) at ./elf/dl-iteratephdr.c:73
#2  0x0000791a9e0d38cd in gum_enumerate_modules_using_libc (user_data=0x791a9f0dfb60, func=0x791a9e0d180d <gum_store_module>, iterate_phdr=0x791a9ef74c10 <__GI___dl_iterate_phdr>) at ../gum/backend-linux/gummoduleregistry-linux.c:154
#3  _gum_module_registry_enumerate_loaded_modules (user_data=0x791a9f0dfb60, func=0x791a9e0d180d <gum_store_module>) at ../gum/backend-linux/gummoduleregistry-linux.c:137
#4  _gum_module_registry_enumerate_loaded_modules (func=func@entry=0x791a9e0d180d <gum_store_module>, user_data=user_data@entry=0x791a9f0dfb60) at ../gum/backend-linux/gummoduleregistry-linux.c:92
#5  0x0000791a9e0d1916 in gum_module_registry_synchronize_modules () at ../gum/backend-elf/gummoduleregistry-elf.c:159
#6  0x0000791a9e0f3414 in _gum_function_context_begin_invocation (function_ctx=0x791a9f0bf170, cpu_context=0x7ffdb403f7b0, caller_ret_addr=0x7ffdb403f848, next_hop=0x7ffdb403f840) at ../gum/guminterceptor.c:1442
#7  0x0000791a9f454072 in ?? ()
#8  0x000000000422037f in ?? ()
#9  0x00000000d21a880b in ?? ()
#10 0x0000000000000000 in ?? ()

The crash occurs because listp (a struct dtv_slotinfo_list *) is NULL when accessed in _dl_tls_get_addr_soft:

(gdb) p listp
$3 = (struct dtv_slotinfo_list *) 0x0

Registers:

rax            0x42                66
rbx            0x5b06c18dc5f0      100084575225328
rcx            0x0                 0
rdx            0x5b06bee852c0      100084530827968
rsi            0x0                 0
rdi            0x42                66
rbp            0x1a1               0x1a1
rsp            0x7ffdb403f358      0x7ffdb403f358
r8             0x34                52
r9             0x0                 0
r10            0x18                24
r11            0x791a9f0e8268      133155244638824
r12            0x7ffdb403f380      140727623611264
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x791a9f586de7      0x791a9f586de7 <_dl_tls_get_addr_soft+103>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
k0             0xf8000000          4160749568
k1             0x1100              4352
k2             0xffff7bff          4294933503
k3             0x0                 0
k4             0xffffff7f          4294967167
k5             0x0                 0
k6             0x1                 1
k7             0xfe0000            16646144

To work around this issue, I force _gum_module_registry_enumerate_loaded_modules to always use gum_enumerate_modules_using_proc_maps instead of gum_enumerate_modules_using_libc.
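The workaround above replaces the loader's dl_iterate_phdr walk, which calls into glibc's TLS bookkeeping where this crash lands, with a read of /proc/self/maps that never enters the loader. As an added example (not frida-gum's own gum_enumerate_modules_using_proc_maps), this C program builds a module list from maps-format text; the maps text is a constructed sample, and module_t, SAMPLE_MAPS and enumerate_modules_from_maps are names chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* One module recovered from /proc/<pid>/maps: all file-backed mappings
   sharing a path are folded into a single [base, end) span. */
typedef struct { char path[256]; uintptr_t base; uintptr_t end; } module_t;

/* Constructed sample in /proc/self/maps format (not captured from the
   crashing process): two modules, an anonymous mapping and the stack. */
static const char *SAMPLE_MAPS =
  "00400000-00401000 r--p 00000000 08:01 1234 /usr/bin/app\n"
  "00401000-00405000 r-xp 00001000 08:01 1234 /usr/bin/app\n"
  "7f0000000000-7f0000028000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6\n"
  "7f0000028000-7f00001a0000 r-xp 00028000 08:01 5678 /usr/lib/libc.so.6\n"
  "7f0000200000-7f0000210000 rw-p 00000000 00:00 0\n"
  "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse maps text line by line; returns how many modules were stored in
   out[] (at most max). Pure string work: no dl_iterate_phdr, no TLS access. */
int enumerate_modules_from_maps(const char *maps, module_t *out, int max) {
  int n = 0;
  for (const char *line = maps; *line; ) {
    const char *nl = strchr(line, '\n');
    size_t len = nl ? (size_t)(nl - line) : strlen(line);
    char buf[512]; if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len); buf[len] = '\0';
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], path[256] = "";
    int fields = sscanf(buf, "%lx-%lx %7s %lx %15s %lu %255s",
                        &start, &end, perms, &offset, dev, &inode, path);
    /* Only file-backed mappings name a module; "[stack]" and anonymous are skipped. */
    if (fields == 7 && path[0] == '/') {
      int i = 0; while (i < n && strcmp(out[i].path, path) != 0) i++;
      if (i < n) {                      /* further segment of a known module */
        if (end > out[i].end) out[i].end = end;
      } else if (n < max) {             /* first segment: lowest address is base */
        strcpy(out[n].path, path); out[n].base = start; out[n].end = end; n++;
      }
    }
    if (!nl) break;
    line = nl + 1;
  }
  return n;
}

int main(void) {
  module_t mods[64]; int n = enumerate_modules_from_maps(SAMPLE_MAPS, mods, 64);
  for (int i = 0; i < n; i++)
    printf("%-20s 0x%lx-0x%lx\n", mods[i].path, (unsigned long)mods[i].base, (unsigned long)mods[i].end);
  return 0;
}
```

Feeding it the contents of /proc/self/maps on Linux yields the live module list without calling into the loader at all.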
