fix: munmap wrong region

ThePedroo · ThePedroo · commit 5b28906f9276 · 2025-11-01T15:11:22.000-03:00
This commit fixes the issue that due to wrong heuristics logic, getting the "wrong" offset, it would cause the gap size to be unrealistic to the real one, causing issues. Moreover, the gaps was never an issue as "dlclose" would internally call "soinfo_free", freeing those regions, if existing.
diff --git a/loader/src/injector/hook.cpp b/loader/src/injector/hook.cpp
@@ -741,18 +741,15 @@ bool load_modules_only() {
     zygisk_modules[zygisk_module_length].size = solist_get_size(entry);
 
     zygisk_modules[zygisk_module_length].deconstructors = solist_get_deconstructors(entry);
-    zygisk_modules[zygisk_module_length].gap = solist_get_gap_info(entry);
 
-    LOGD("Loaded module [%s]. Entry: %p, Base: %p, Size: %zu, Deconstructors: fini_func=%p, fini_array=%p (size: %zu), Gap: %p (size: %zu)",
+    LOGD("Loaded module [%s]. Entry: %p, Base: %p, Size: %zu, Deconstructors: fini_func=%p, fini_array=%p (size: %zu)",
          lib_path,
          entry,
          zygisk_modules[zygisk_module_length].base,
          zygisk_modules[zygisk_module_length].size,
          zygisk_modules[zygisk_module_length].deconstructors.fini_func,
          zygisk_modules[zygisk_module_length].deconstructors.fini_array,
-         zygisk_modules[zygisk_module_length].deconstructors.fini_array_size,
-         zygisk_modules[zygisk_module_length].gap.start,
-         zygisk_modules[zygisk_module_length].gap.size);
+         zygisk_modules[zygisk_module_length].deconstructors.fini_array_size);
 
     zygisk_modules[zygisk_module_length].unload = false;
 
@@ -791,24 +788,28 @@ void ZygiskContext::run_modules_post() {
 
         /* INFO: If module is unloaded by dlclose, there's no need to
                    hide it from soinfo manually. */
-        if (m->unload) {
-            /* INFO: Deconstructors are called in the inverted order, and following fini array then fini
-                       function order. It must not change. */
-            for (size_t j = m->deconstructors.fini_array_size; j > 0; j--) {
-                void (*destructor)(void) = m->deconstructors.fini_array[j - 1];
-                if (destructor) {
-                    LOGD("Calling destructor %p for module %p", (void *)destructor, (void *)m->zygisk_module_entry);
-
-                    destructor();
-                }
+        if (!m->unload) continue;
+
+        /* INFO: Deconstructors are called in the inverted order, and following fini array then fini
+                    function order. It must not change. */
+        for (size_t j = m->deconstructors.fini_array_size; j > 0; j--) {
+            void (*destructor)(void) = m->deconstructors.fini_array[j - 1];
+            if (destructor) {
+                LOGD("Calling destructor %p for module %p", (void *)destructor, (void *)m->zygisk_module_entry);
+
+                destructor();
             }
+        }
 
-            if (m->deconstructors.fini_func) m->deconstructors.fini_func();
+        if (m->deconstructors.fini_func) m->deconstructors.fini_func();
 
-            solist_unload_lib(&m->gap, m->base, m->size);
+        if (munmap(m->base, m->size) == -1) {
+            PLOGE("Failed to unmap module library at %p with size %zu", m->base, m->size);
 
-            modules_unloaded++;
+            continue;
         }
+
+        modules_unloaded++;
     }
 
     if (zygisk_module_length > 0)
diff --git a/loader/src/injector/module.h b/loader/src/injector/module.h
@@ -153,7 +153,6 @@ struct rezygisk_module {
   size_t size;
 
   struct soinfo_deconstructor deconstructors;
-  struct soinfo_gap gap;
 
   bool unload;
 };
diff --git a/loader/src/injector/solist.c b/loader/src/injector/solist.c
@@ -2,7 +2,6 @@
 #include <stdbool.h>
 #include <string.h>
 #include <dlfcn.h>
-#include <sys/mman.h>
 
 #include <linux/limits.h>
 
@@ -28,25 +27,17 @@
   size_t solist_fini_array_offset = 0xa8;
   size_t solist_fini_array_size_offset = 0xb0;
   size_t solist_fini_offset = 0xc0;
-
-  size_t solist_version_offset = 0x10c;
-  size_t solist_gap_start_offset = 0x248;
-  size_t solist_gap_size_offset = 0x250;
 #else
   size_t solist_base_offset = 0x8;
   size_t solist_size_offset = 0xc;
 
   size_t solist_fini_array_offset = 0x58;
   size_t solist_fini_array_size_offset = 0x5c;
   size_t solist_fini_offset = 0x64;
-
-  size_t solist_version_offset = 0x94;
-  size_t solist_gap_start_offset = 0x140;
-  size_t solist_gap_size_offset = 0x144;
 #endif
 
 bool base_size_found = false;
-bool fini_version_gap_found = false;
+bool fini_found = false;
 
 static const char *(*get_realpath)(SoInfo *) = NULL;
 static SoInfo *(*find_containing_library)(const void *) = NULL;
@@ -177,7 +168,7 @@ static bool solist_init() {
 
   ElfImg_destroy(linker);
 
-  for (size_t i = 0; i < 1024 / sizeof(void *); i++) {
+  for (size_t i = 0; i < 680 / sizeof(void *); i++) {
     size_t possible_size_of_somain = *(size_t *)((uintptr_t)somain + i * sizeof(void *));
 
     if (!base_size_found && possible_size_of_somain < 0x100000 && possible_size_of_somain > 0x100) {
@@ -191,7 +182,7 @@ static bool solist_init() {
     }
 
     struct link_map *possible_link_map_head = (struct link_map *)((uintptr_t)solinker + i * sizeof(void *));
-    if (!fini_version_gap_found && possible_link_map_head->l_name == solinker_map->l_name) {
+    if (!fini_found && possible_link_map_head->l_name == solinker_map->l_name) {
       #ifdef __arm__
         /* INFO: For arm32, ARM_exidx and ARM_exidx_count is defined between them. */
         solist_fini_array_offset = (i - 7) * sizeof(void *);
@@ -209,29 +200,10 @@ static bool solist_init() {
         LOGD("solist_fini_offset is %zu * %zu = %p", (i - 2), sizeof(void *), (void *)solist_fini_offset);
       #endif
 
-      /* INFO: Offsets are hardcoded. They will not change. They have been retrieved through the same
-                 ways as the ones in the top of the file.
-      */
-      #ifndef __LP64__
-        solist_version_offset = (i * sizeof(void *)) + 0x20;
-        solist_gap_start_offset = solist_version_offset + 0xAC;
-        solist_gap_size_offset = solist_gap_start_offset + sizeof(ElfW(Addr));
-
-        LOGD("solist_version_offset is %zu * %zu + 0x20 = %p", i, sizeof(void *), (void *)solist_version_offset);
-        LOGD("solist_gap_start_offset is %zu + 0xAC = %p", solist_version_offset, (void *)solist_gap_start_offset);
-        LOGD("solist_gap_size_offset is %zu + %zu = %p", solist_gap_start_offset, sizeof(ElfW(Addr)), (void *)solist_gap_size_offset);
-      #else
-        solist_version_offset = (i * sizeof(void *)) + 0x3C;
-        solist_gap_start_offset = solist_version_offset + 0x13C;
-        solist_gap_size_offset = solist_gap_start_offset + sizeof(ElfW(Addr));
-
-        LOGD("solist_version_offset is %zu * %zu + 0x3C = %p", i, sizeof(void *), (void *)solist_version_offset);
-        LOGD("solist_gap_start_offset is %zu + 0x13C = %p", solist_version_offset, (void *)solist_gap_start_offset);
-        LOGD("solist_gap_size_offset is %zu + %zu = %p", solist_gap_start_offset, sizeof(ElfW(Addr)), (void *)solist_gap_size_offset);
-      #endif
-
-      fini_version_gap_found = true;
+      fini_found = true;
     }
+
+    if (base_size_found && fini_found) break;
   }
 
   return true;
@@ -368,18 +340,6 @@ void solist_reset_counters(size_t load, size_t unload) {
   }
 }
 
-void solist_unload_lib(struct soinfo_gap *gap, void *base, size_t size) {
-  if (munmap(base, size) == -1) {
-    PLOGE("Failed to unmap library from %p (size %zu)", base, size);
-  }
-
-  if (gap->size) {
-    if (munmap(gap->start, gap->size) == -1) {
-      PLOGE("Failed to unmap gap from %p (size %zu)", gap->start, gap->size);
-    }
-  }
-}
-
 ssize_t solist_get_size(void *lib_memory) {
   if (somain == NULL && !solist_init()) {
     LOGE("Failed to initialize solist");
@@ -438,33 +398,3 @@ struct soinfo_deconstructor solist_get_deconstructors(void *lib_memory) {
 
   return result;
 }
-
-struct soinfo_gap solist_get_gap_info(void *lib_memory) {
-  struct soinfo_gap result = { 0 };
-
-  if (somain == NULL && !solist_init()) {
-    LOGE("Failed to initialize solist");
-
-    return result;
-  }
-
-  SoInfo *found = (*find_containing_library)(lib_memory);
-  if (found == NULL) {
-    LOGD("Could not find containing library for %p", lib_memory);
-
-    return result;
-  }
-
-  if (*(uint32_t *)((uintptr_t)found + solist_version_offset) < 6) {
-    LOGD("soinfo for %p has no gap info (version %d)",
-         lib_memory,
-         *(uint32_t *)((uintptr_t)found + solist_version_offset));
-
-    return result;
-  }
-
-  result.start = *(void **)((uintptr_t)found + solist_gap_start_offset);
-  result.size = *(size_t *)((uintptr_t)found + solist_gap_size_offset);
-
-  return result;
-}
diff --git a/loader/src/injector/solist.h b/loader/src/injector/solist.h
@@ -20,11 +20,6 @@ struct soinfo_deconstructor {
   void (**fini_array)();
 };
 
-struct soinfo_gap {
-  void *start;
-  size_t size;
-};
-
 /* 
   INFO: When dlopen'ing a library, the system will save information of the
           opened library so a structure called soinfo, which contains another
@@ -71,20 +66,6 @@ bool solist_drop_so_path(void *lib_memory, bool unload);
 */
 void solist_reset_counters(size_t load, size_t unload);
 
-/*
-  INFO: Loaded libraries have several mappings to load the different parts of their ELF
-          in the memory. Some libraries might include a padding (gap) in case it is extended.
-
-        This function deals with both those jobs, and is purely here for organization, as it
-          is simple.
-
-  SOURCES:
-   - https://android.googlesource.com/platform/bionic/+/refs/heads/android15-release/linker/linker.cpp#333
-   - https://android.googlesource.com/platform/bionic/+/refs/heads/android15-release/linker/linker_phdr.cpp#584
-*/
-void solist_unload_lib(struct soinfo_gap *gap, void *base, size_t size);
-
-
 /*
   INFO: Helper function to get the size of the mappings of a loaded library.
 
@@ -112,15 +93,6 @@ void *solist_get_base(void *lib_memory);
 */
 struct soinfo_deconstructor solist_get_deconstructors(void *lib_memory);
 
-/*
-  INFO: Helper function to get the information of the padding/gap.
-
-  SOURCES:
-   - https://android.googlesource.com/platform/bionic/+/refs/heads/android15-release/linker/linker_soinfo.h#450
-   - https://android.googlesource.com/platform/bionic/+/refs/heads/android15-release/linker/linker_soinfo.h#451
-*/
-struct soinfo_gap solist_get_gap_info(void *lib_memory);
-
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
