Oddbean new post about | logout
 nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcppemhxue69uhkummn9ekx7mp0qyghwumn8ghj7mn0wd68ytnhd9hx2tcewvzaw GrapheneOS is detecting a memory corruption bug in v92.1  
 Interesting. How are they doing that?  
 ^ 
 I haven't got an MTE crash so it is likely an edge case, uses memory tagging extensions on arm V8
https://source.android.com/docs/security/test/memory-safety/arm-mte 
 With memory tagging enabled I'm getting the following crash log:

```
type: crash
osVersion: google/shiba/shiba:14/AP2A.240905.003/2024091900:user/release-keys
uid: 10159 (u:r:untrusted_app:s0:c159,c256,c512,c768)
cmdline: com.vitorpamplona.amethyst
processUptime: 12439s

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr 100c6ec1e9d6518
threadName: tor
MTE: enabled

backtrace:
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 37b264)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (circuit_id_in_use_on_channel+36, pc 37b3f0)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (circuit_deliver_create_cell+348, pc 38d9cc)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (circuit_send_next_onion_skin+600, pc 38d0dc)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (circuit_n_chan_done+468, pc 38d73c)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (channel_do_open_actions+332, pc 392ab0)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (channel_change_state_open+44, pc 392930)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (channel_tls_handle_state_change_on_orconn+104, pc 332014)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (connection_or_set_state_open+36, pc 330b9c)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 332a2c)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (connection_or_process_inbuf+408, pc 32d7f8)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (connection_handle_read+1872, pc 328e38)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 317338)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 4bbd7c)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 4bb2d8)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (pc 4b51dc)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (event_base_loop+920, pc 4b3e90)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (do_main_loop+228, pc 3198c0)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (tor_run_main+256, pc 3091cc)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/base.apk (Java_org_torproject_jni_TorService_runMain+36, pc 307a5c)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/oat/arm64/base.odex (art_jni_trampoline+112, pc 1347d70)
    /data/app/~~3mZMaba6CFXaMkolL4Aizw==/com.vitorpamplona.amethyst-m5rTyBYz2_Gg6YrD7MDGGQ==/oat/arm64/base.odex (org.torproject.jni.TorService$3.run+2856, pc 32eb808)
    /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612, pc 3a9174)
    /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+148, pc 3454c4)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1724, pc 4a4e5c)
    /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12, pc 4a478c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204, pc 7969c)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 6a064)
```
 
 send logs next time 🙏🏻