
I'm writing an iPhone application using Monotouch and recently the app has started crashing stating

Mprotect failed at 0x863a000 (length 8192) with errno 12

followed by a rather lengthy stack trace and Springboard informing that "the application exited abnormally with signal 6".

I've read this question which states that the app has exhausted all the memory available on the iPhone. We have applied some general Dispose patterns to the app and generally disposed of any heavy objects as soon as we could. This meant the app now runs using less memory. However, we are still getting the MProtect failed message.

Also curious to note is that when running the app under Instruments, Instruments is reporting that there is plenty of free memory available to the device (~40 MB).

I was wondering whether anyone would be able to explain MProtect and this failure as I don't think I've quite understood it properly.

Luke
  • Exactly the same issue here: http://stackoverflow.com/questions/5808833/exception-when-webservice-is-called-after-device-got-locked You accepted an answer but I can't really find out what the answer is...!? – Krumelur Apr 27 '11 at 18:34
  • The reason I accepted this answer was because it answered my question of explaining what MProtect is. While it didn't directly answer the questions specific to my problems, it did give me some ideas of how to attack this problem. – Luke Apr 28 '11 at 07:57
  • FYI, see http://stackoverflow.com/questions/5819700/ for the probable solution to the root cause of your question. – mj2008 May 02 '11 at 08:11
  • Brilliant, thank you ever so much mj! – Luke May 02 '11 at 22:30

2 Answers


mprotect(2) asks the operating system kernel to change the protection mode for some portion of address space.

mprotect(2) is often used to make data sections of an address space non-executable, so that buffer overflows, format string vulnerabilities, use after free or freeing unallocated memory errors, or similar attacks cannot return into attacker-supplied data. Also, mprotect(2) is used to ensure that the program text space cannot be modified by those same vulnerabilities. (If an attacker can simply overwrite the functions you've supplied, that's no good.)

But mprotect(2) isn't magic; it cannot protect against return-to-libc attacks, or improper use of system(3) or other code interpreters, etc.

What is the C symbol for the errno value 12 on the iPhone? Where and why does Monotouch use mprotect(2) itself? Any chance your software uses mprotect(2)?

sarnold
  • I'm not sure how to get the C symbol for `errno 12` (sorry). I can say certainly that our app doesn't call `mprotect(2)` explicitly. I'm not sure why Monotouch uses `mprotect(2)` and I haven't been able to find much out either. I have seen someone suggest making fewer Mono objects... it couldn't be related to trampolines, could it? I set a compiler arg to increase type 2 trampolines to 2048 – Luke Mar 23 '11 at 10:52
  • @Luke, I think you've hit it! :) The compiler (linker?) will need to use `mprotect(2)` to change the page protections to allow execution for the pages that store the trampolines. I haven't got a clue what to do about it, but I think you've found the cause. :) To find the text description of `errno 12`, you can run `printf("%s\n", strerror(12));` – sarnold Mar 23 '11 at 10:59
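The answer above describes what mprotect(2) does and asks which C symbol errno 12 stands for. The following is an added example, not code from the question, the answer, or Monotouch; it assumes an ordinary POSIX host (Linux or macOS, not an iOS device), where errno 12 is ENOMEM. It shows how to turn an errno value back into its symbol and text with strerror(3), reproduces one of the ENOMEM cases documented for mprotect(2) (changing protection on pages that are not mapped), and checks that a page flipped to read-only really does reject writes, which is the property the answer says mprotect(2) is used for. The Linux man page lists a second ENOMEM cause worth knowing about when "plenty of free memory" seems to contradict errno 12: a protection change that would split an existing mapping can push the process over its maximum number of distinct mappings; whether the iOS kernel reports the same condition the same way is not something this page establishes, so treat that as an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map the errno values documented for mprotect(2) back to their C symbols.
   These numeric values are the same on Linux and Darwin (ENOMEM == 12). */
const char *errno_symbol(int e)
{
    switch (e) {
    case ENOMEM: return "ENOMEM";
    case EACCES: return "EACCES";
    case EINVAL: return "EINVAL";
    default:     return "(other)";
    }
}

/* Reproduce one documented ENOMEM case: asking mprotect(2) to change pages
   that are not mapped. Returns the errno it set, or 0 if it unexpectedly
   succeeded. */
int mprotect_unmapped_errno(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, page);                    /* the range is now unmapped */
    if (mprotect(p, page, PROT_READ) == 0)
        return 0;
    return errno;
}

/* Jump target for the fault handler: lets a deliberate write to a
   read-only page be observed instead of killing the process. */
static sigjmp_buf fault_jmp;
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Write to a fresh RW page, drop write permission with mprotect(2), then try
   to write again. Returns 1 if the second write faulted and the original
   byte survived, 0 if the write went through, negative on setup failure. */
int readonly_page_rejects_write(void)
{
    long page = sysconf(_SC_PAGESIZE);
    volatile unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    p[0] = 0x41;                        /* allowed: page is still RW */
    if (mprotect((void *)p, page, PROT_READ) != 0) {
        munmap((void *)p, page);
        return -2;
    }

    /* Linux raises SIGSEGV for this, Darwin raises SIGBUS; catch both. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted = 0;
    if (sigsetjmp(fault_jmp, 1) == 0)
        p[0] = 0x42;                    /* should fault: page is read-only */
    else
        faulted = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    int untouched = (p[0] == 0x41);     /* reading is still permitted */
    munmap((void *)p, page);
    return faulted && untouched;
}

int main(void)
{
    int e = mprotect_unmapped_errno();
    printf("mprotect on unmapped range: errno %d = %s (%s)\n",
           e, errno_symbol(e), strerror(e));
    printf("read-only page rejects write: %d\n", readonly_page_rejects_write());
    return 0;
}
```

The strerror(12) call the answer's comment suggests is what the first printf does; on both Linux and macOS it prints "Cannot allocate memory", and errno_symbol() gives the name ENOMEM that the question was after. When the same code is reached from a runtime such as Mono rather than from your own source, the useful thing to capture is the address and length from the failure message together with the process's mapping table (for example /proc/PID/maps on Linux), since both documented ENOMEM causes are about the address space rather than about free RAM.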

Does your app use Generics?

Beware of having virtual methods on types with Generics: for Monotouch, which has to do lots of hacks while pre-jitting and some more magic with trampolines, it can cause some method hijacking or memory corruption, in my experience. YMMV.

Make all methods non-virtual on Generic classes for safety.

Monoman
  • Thank you for the suggestion. The app does indeed use generics and we had one class which was full of virtual generics. I swapped this out so we were no longer using said generics but the problem still persists. – Luke Mar 24 '11 at 09:51