update_dyld_shared_cache appears to write invalid LINKEDIT vmsize
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | landon.j.fuller | | |
| Number: | rdar://13707406 | Date Originated: | 22-Apr-2013 02:45 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 12D78 |
| Classification: | Serious Bug | Reproducible: | Always |
22-Apr-2013 02:45 PM Landon Fuller:

Summary:
When update_dyld_shared_cache combines LINKEDIT segments and writes a new segment_command(_64).vmsize field for cached libraries, it *appears* to write a too-long vmsize length.

Steps to Reproduce:
Compare the dyld_shared_cache_*.map LINKEDIT range values against the actual vmaddr/vmsize values written in the dyld_shared_cache_*.

Expected Results:
The values should be equal.

Actual Results:
The vmsize value is larger than the actual mapping.

I've attached two reproduction cases.

The first is a hacked up version of dyld_decache. It will print the on-disk vmaddr/vmsize-defined range as it parses out the dyld cache. Comparison against the dyld_shared_cache_*.map will show that the ranges do not match.

Example usage:

```
make BOOST_PREFIX=/opt/local && ./dyld_decache /var/db/dyld/dyld_shared_cache_i386
```

Observe that the LINKEDIT ranges found within dyld_shared_cache_i386 actually extend beyond the end of the mapping listed in dyld_shared_cache_i386.map.

The second reproduction case walks the currently loaded images, reads each LC_SEGMENT_* command, and attempts to create a memory object for the full LINKEDIT segment range. If the resulting memory object is smaller than vmsize declared, it will print an error message.

Example usage:

```
clang macho_case.c -o macho_case && ./macho_case
[snip]
Parsing: /usr/lib/libc++.1.dylib
Architecture: x86_64
Checking for LC_SEGMENT_* LINKEDIT mapping at 0x7fff9816f000-0x7fff9bde2000 (unslid 0x7fff8d180000-0x7fff90df3000)
Mapped fewer bytes than expected. Actual range is 0x7fff9816f000-0x7fff9b572000 (unslid 0x7fff8d180000-0x7fff90583000), difference of 0x870000 bytes.
```

If you compare against the dyld_shared_cache_x86_64.map, the mapped range is supposed to be `__LINKEDIT 0x7FFF8D180000 -> 0x7FFF904FE000`.
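The comparison described in "Steps to Reproduce", as an added example that is not one of the reporter's attached reproduction cases: it parses LC_SEGMENT_64 load commands from a Mach-O header and checks the __LINKEDIT vmaddr/vmsize against a `__LINKEDIT 0x... -> 0x...` line in the map-file format quoted above. The Mach-O header and the map text are constructed from the unslid addresses in the report, not read from a real cache.

```python
"""Check a Mach-O __LINKEDIT vmaddr/vmsize against a dyld_shared_cache_*.map range."""
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
MACH_HEADER_64 = struct.Struct("<IiiIIIII")
# segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize,
#                     maxprot, initprot, nsects, flags
SEGMENT_COMMAND_64 = struct.Struct("<II16sQQQQiiII")
MAP_LINE = re.compile(r"^\s*(\S+)\s+0x([0-9A-Fa-f]+)\s*->\s*0x([0-9A-Fa-f]+)")


def parse_segments(image):
    """Return {segname: (vmaddr, vmsize)} for every LC_SEGMENT_64 in a Mach-O blob."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = MACH_HEADER_64.unpack_from(image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O header")
    segs, off = {}, MACH_HEADER_64.size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        # Refuse load commands that run past sizeofcmds instead of reading out of bounds.
        if cmdsize < 8 or off + cmdsize > MACH_HEADER_64.size + sizeofcmds:
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_SEGMENT_64:
            f = SEGMENT_COMMAND_64.unpack_from(image, off)
            segs[f[2].rstrip(b"\0").decode()] = (f[3], f[4])
        off += cmdsize
    return segs


def parse_map(text):
    """Return {segname: (start, end)} from dyld_shared_cache_*.map style lines."""
    return {m.group(1): (int(m.group(2), 16), int(m.group(3), 16))
            for m in map(MAP_LINE.match, text.splitlines()) if m}


def check_linkedit(image, map_text):
    """Bytes by which the header's __LINKEDIT end overshoots the map's end (0 = consistent)."""
    vmaddr, vmsize = parse_segments(image)["__LINKEDIT"]
    start, end = parse_map(map_text)["__LINKEDIT"]
    if vmaddr != start:
        raise ValueError(f"vmaddr 0x{vmaddr:x} != map start 0x{start:x}")
    return max(0, vmaddr + vmsize - end)


def build_sample_image():
    """Constructed header: one __LINKEDIT segment using the unslid range from the report."""
    seg = SEGMENT_COMMAND_64.pack(LC_SEGMENT_64, SEGMENT_COMMAND_64.size, b"__LINKEDIT",
                                  0x7FFF8D180000, 0x7FFF90DF3000 - 0x7FFF8D180000, 0, 0, 1, 1, 0, 0)
    return MACH_HEADER_64.pack(MH_MAGIC_64, 0x01000007, 3, 6, 1, len(seg), 0, 0) + seg


# Constructed map text; the __LINKEDIT line is the one quoted in the report.
SAMPLE_MAP = "__TEXT 0x7FFF8C000000 -> 0x7FFF8D000000\n__LINKEDIT 0x7FFF8D180000 -> 0x7FFF904FE000\n"
```

`check_linkedit(build_sample_image(), SAMPLE_MAP)` returns 0x8F5000, the amount by which the declared vmsize overshoots the map's __LINKEDIT range.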