Adding multiple sections to the `__POSTJECT` segment causes a crash

[RaisinTen]

OS

Intel macOS Monterey Version 12.4

$ uname -a
Darwin Darshans-MacBook-Pro.local 21.5.0 Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:22 PDT 2022; root:xnu-8020.121.3~4/RELEASE_X86_64 x86_64

Repro

$ echo "int main() {}" | clang -x c -
$ postject.py --macho-segment-name __POSTJECT a.out NODE_JS_CODE <(shuf -n 100 /usr/share/dict/words | fmt -w 72)
$ postject.py --macho-segment-name __POSTJECT a.out NODE_JS_BOOTSTRAP <(shuf -n 100 /usr/share/dict/words | fmt -w 72)

Crash report

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               Python [13660]
Path:                  /usr/local/Cellar/python@3.9/3.9.12/Frameworks/Python.framework/Versions/3.9/Resources/Python.app/Contents/MacOS/Python
Identifier:            org.python.python
Version:               3.9.12 (3.9.12)
Code Type:             X86-64 (Native)
Parent Process:        zsh [12922]
Responsible:           iTerm2 [748]
User ID:               501

Date/Time:             2022-07-13 15:45:24.4525 +0530
OS Version:            macOS 12.4 (21F79)
Report Version:        12
Bridge OS Version:     6.5 (19P5071)
Anonymous UUID:        CDD9CBE9-BEC3-A09F-0243-7CB482668B13

Sleep/Wake UUID:       F873FF55-8F77-43B0-9FFA-77CB2BE2243F

Time Awake Since Boot: 16000 seconds
Time Since Wake:       1529 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       UNKNOWN_0xD at 0x0000000000000000
Exception Codes:       0x000000000000000d, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [13660]

VM Region Info: 0 is not in any region.  Bytes before following region: 4415893504
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      107353000-107357000    [   16K] r-x/r-x SM=COW  .../MacOS/Python

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   Python                        	       0x107976785 collect + 199
1   Python                        	       0x10797655c collect_with_callback + 75
2   Python                        	       0x1079779c7 PyGC_Collect + 107
3   Python                        	       0x10794f097 Py_FinalizeEx + 413
4   Python                        	       0x107952805 Py_Exit + 13
5   Python                        	       0x1079561cf handle_system_exit + 35
6   Python                        	       0x107955bd6 _PyErr_PrintEx + 42
7   Python                        	       0x10795539c pyrun_simple_file + 455
8   Python                        	       0x1079551af PyRun_SimpleFileExFlags + 67
9   Python                        	       0x107974bfb pymain_run_file + 326
10  Python                        	       0x107974469 Py_RunMain + 993
11  Python                        	       0x1079757c4 Py_BytesMain + 42
12  dyld                          	       0x11135d51e start + 462


Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x6261737365737361  rbx: 0x0000000107482030  rcx: 0xa1bdc985c185b082  rdx: 0x6261737365737361
  rdi: 0x00007fc40a009698  rsi: 0x0000000000000000  rbp: 0x00007ff7b8bac1c0  rsp: 0x00007ff7b8bac100
   r8: 0x0000000107dc3540   r9: 0xffffffff00000000  r10: 0x0000000000000400  r11: 0x0000000000000206
  r12: 0x0000000000000002  r13: 0x00007fc40a0096b0  r14: 0x0000000000000003  r15: 0x0000000000000002
  rip: 0x0000000107976785  rfl: 0x0000000000010293  cr2: 0x000000010794f3ec
  
Logical CPU:     4
Error Code:      0x00000000 
Trap Number:     13

Thread 0 instruction stream:
  00 00 41 8d 47 01 4c 63-f0 83 f8 03 4c 89 bd 68  ..A.G.Lc....L..h
  ff ff ff 0f 8d 39 07 00-00 4b 8d 04 76 ff 84 c3  .....9...K..v...
  94 02 00 00 45 85 ff 0f-89 25 07 00 00 4d 63 e7  ....E....%...Mc.
  4b 8d 04 64 4c 8d ac c3-80 02 00 00 41 83 ff 02  K..dL.......A...
  4b 8d 04 76 48 8d 84 c3-80 02 00 00 49 0f 4d c5  K..vH.......I.M.
  48 89 45 98 49 8b 5d 00-49 39 dd 74 45 48 89 d8  H.E.I.].I9.tEH..
 [48]8b 48 10 48 8b 10 48-8b 70 08 83 e6 01 48 8d  H.H.H..H.p....H.	<==
  4c 8e 02 48 89 48 08 48-89 d0 49 39 d5 75 e1 4c  L..H.H.H..I9.u.L
  8d 35 ee 0f 00 00 48 8d-7b 10 48 8b 43 18 4c 89  .5....H.{.H.C.L.
  f6 48 89 fa ff 90 b8 00-00 00 48 8b 1b 49 39 dd  .H........H..I9.
  75 e4 4c 89 65 b8 48 8d-45 a0 48 89 40 08 48 89  u.L.e.H.E.H.@.H.
  00 49 8b 5d 00 4d 89 ec-49 39 dd 74 79 4c 8d 7d  .I.].M..I9.tyL.}

Binary Images:
       0x1077b9000 -        0x107a74fff org.python.python (3.9.12, (c) 2001-2021 Python Software Foundation.) <c9129da7-ee5b-3a6f-8129-d7a5b32b7a9c> /usr/local/Cellar/python@3.9/3.9.12/Frameworks/Python.framework/Versions/3.9/Python
       0x111358000 -        0x1113c3fff dyld (*) <b70ce1ec-b902-3852-8268-05de00bfa8d5> /usr/lib/dyld

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0

VM Region Summary:
ReadOnly portion of Libraries: Total=160.4M resident=0K(0%) swapped_out_or_unallocated=160.4M(100%)
Writable regions: Total=580.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=580.1M(100%)

                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
Kernel Alloc Once                    8K        1 
MALLOC                           173.8M       23 
MALLOC guard page                   16K        4 
MALLOC_LARGE (reserved)            384K        1         reserved VM address space (unallocated)
MALLOC_NANO (reserved)           384.0M        1         reserved VM address space (unallocated)
ObjC additional data                15K        1 
STACK GUARD                          4K        1 
Stack                             16.0M        1 
VM_ALLOCATE                       5896K       25 
__DATA                             771K       53 
__DATA_CONST                      3542K       49 
__DATA_DIRTY                        79K       24 
__LINKEDIT                       135.0M       13 
__TEXT                            25.4M       58 
__UNICODE                          592K        1 
dyld private memory               1024K        1 
shared memory                       12K        2 
===========                     =======  ======= 
TOTAL                            746.3M      259 
TOTAL, minus reserved VM space   361.9M      259 



-----------
Full Report
-----------

{"app_name":"Python","timestamp":"2022-07-13 15:45:24.00 +0530","app_version":"3.9.12","slice_uuid":"04d90438-f1c2-3624-9931-dbecf8989ee4","build_version":"3.9.12","platform":1,"bundleID":"org.python.python","share_with_app_devs":1,"is_first_party":0,"bug_type":"309","os_version":"macOS 12.4 (21F79)","incident_id":"2DB42710-A91D-4518-AA34-7A22586154AB","name":"Python"}
{
  "uptime" : 16000,
  "procLaunch" : "2022-07-13 15:45:24.3640 +0530",
  "procRole" : "Unspecified",
  "version" : 2,
  "userID" : 501,
  "deployVersion" : 210,
  "modelCode" : "MacBookPro16,2",
  "procStartAbsTime" : 16957191655990,
  "coalitionID" : 726,
  "osVersion" : {
    "train" : "macOS 12.4",
    "build" : "21F79",
    "releaseType" : "User"
  },
  "captureTime" : "2022-07-13 15:45:24.4525 +0530",
  "incident" : "2DB42710-A91D-4518-AA34-7A22586154AB",
  "bug_type" : "309",
  "pid" : 13660,
  "procExitAbsTime" : 16957279541644,
  "cpuType" : "X86-64",
  "procName" : "Python",
  "procPath" : "\/usr\/local\/Cellar\/python@3.9\/3.9.12\/Frameworks\/Python.framework\/Versions\/3.9\/Resources\/Python.app\/Contents\/MacOS\/Python",
  "bundleInfo" : {"CFBundleShortVersionString":"3.9.12","CFBundleVersion":"3.9.12","CFBundleIdentifier":"org.python.python"},
  "storeInfo" : {"deviceIdentifierForVendor":"41426303-7475-557B-B1A1-DF62F151AC4C","thirdParty":true},
  "parentProc" : "zsh",
  "parentPid" : 12922,
  "coalitionName" : "com.googlecode.iterm2",
  "crashReporterKey" : "CDD9CBE9-BEC3-A09F-0243-7CB482668B13",
  "responsiblePid" : 748,
  "responsibleProc" : "iTerm2",
  "wakeTime" : 1529,
  "bridgeVersion" : {"build":"19P5071","train":"6.5"},
  "sleepWakeUUID" : "F873FF55-8F77-43B0-9FFA-77CB2BE2243F",
  "sip" : "enabled",
  "vmRegionInfo" : "0 is not in any region.  Bytes before following region: 4415893504\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      UNUSED SPACE AT START\n--->  \n      __TEXT                      107353000-107357000    [   16K] r-x\/r-x SM=COW  ...\/MacOS\/Python",
  "isCorpse" : 1,
  "exception" : {"codes":"0x000000000000000d, 0x0000000000000000","rawCodes":[13,0],"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"UNKNOWN_0xD at 0x0000000000000000"},
  "termination" : {"flags":0,"code":11,"namespace":"SIGNAL","indicator":"Segmentation fault: 11","byProc":"exc handler","byPid":13660},
  "vmregioninfo" : "0 is not in any region.  Bytes before following region: 4415893504\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      UNUSED SPACE AT START\n--->  \n      __TEXT                      107353000-107357000    [   16K] r-x\/r-x SM=COW  ...\/MacOS\/Python",
  "extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
  "faultingThread" : 0,
  "threads" : [{"triggered":true,"id":172215,"instructionState":{"instructionStream":{"bytes":[0,0,65,141,71,1,76,99,240,131,248,3,76,137,189,104,255,255,255,15,141,57,7,0,0,75,141,4,118,255,132,195,148,2,0,0,69,133,255,15,137,37,7,0,0,77,99,231,75,141,4,100,76,141,172,195,128,2,0,0,65,131,255,2,75,141,4,118,72,141,132,195,128,2,0,0,73,15,77,197,72,137,69,152,73,139,93,0,73,57,221,116,69,72,137,216,72,139,72,16,72,139,16,72,139,112,8,131,230,1,72,141,76,142,2,72,137,72,8,72,137,208,73,57,213,117,225,76,141,53,238,15,0,0,72,141,123,16,72,139,67,24,76,137,246,72,137,250,255,144,184,0,0,0,72,139,27,73,57,221,117,228,76,137,101,184,72,141,69,160,72,137,64,8,72,137,0,73,139,93,0,77,137,236,73,57,221,116,121,76,141,125],"offset":96}},"threadState":{"r13":{"value":140479958128304},"rax":{"value":7089074227918369633},"rflags":{"value":66195},"cpu":{"value":4},"r14":{"value":3},"rsi":{"value":0},"r8":{"value":4426839360},"cr2":{"value":4422169580},"rdx":{"value":7089074227918369633},"r10":{"value":1024},"r9":{"value":18446744069414584320},"r15":{"value":2},"rbx":{"value":4417134640},"trap":{"value":13},"err":{"value":0},"r11":{"value":518},"rip":{"value":4422330245,"matchesCrashFrame":1},"rbp":{"value":140701932896704},"rsp":{"value":140701932896512},"r12":{"value":2},"rcx":{"value":11654692987019309186},"flavor":"x86_THREAD_STATE","rdi":{"value":140479958128280}},"queue":"com.apple.main-thread","frames":[{"imageOffset":1824645,"symbol":"collect","symbolLocation":199,"imageIndex":0},{"imageOffset":1824092,"symbol":"collect_with_callback","symbolLocation":75,"imageIndex":0},{"imageOffset":1829319,"symbol":"PyGC_Collect","symbolLocation":107,"imageIndex":0},{"imageOffset":1663127,"symbol":"Py_FinalizeEx","symbolLocation":413,"imageIndex":0},{"imageOffset":1677317,"symbol":"Py_Exit","symbolLocation":13,"imageIndex":0},{"imageOffset":1692111,"symbol":"handle_system_exit","symbolLocation":35,"imageIndex":0},{"imageOffset":1690582,"symbol":"_PyErr_PrintEx","symbolLocation":42,"imageIndex":0},{"imageOffset":1688476,"symbol":"pyrun_simple_file","symbolLocation":455,"imageIndex":0},{"imageOffset":1687983,"symbol":"PyRun_SimpleFileExFlags","symbolLocation":67,"imageIndex":0},{"imageOffset":1817595,"symbol":"pymain_run_file","symbolLocation":326,"imageIndex":0},{"imageOffset":1815657,"symbol":"Py_RunMain","symbolLocation":993,"imageIndex":0},{"imageOffset":1820612,"symbol":"Py_BytesMain","symbolLocation":42,"imageIndex":0},{"imageOffset":21790,"symbol":"start","symbolLocation":462,"imageIndex":1}]}],
  "usedImages" : [
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 4420505600,
    "CFBundleShortVersionString" : "3.9.12, (c) 2001-2021 Python Software Foundation.",
    "CFBundleIdentifier" : "org.python.python",
    "size" : 2867200,
    "uuid" : "c9129da7-ee5b-3a6f-8129-d7a5b32b7a9c",
    "path" : "\/usr\/local\/Cellar\/python@3.9\/3.9.12\/Frameworks\/Python.framework\/Versions\/3.9\/Python",
    "name" : "Python",
    "CFBundleVersion" : "3.9.12"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 4583686144,
    "size" : 442368,
    "uuid" : "b70ce1ec-b902-3852-8268-05de00bfa8d5",
    "path" : "\/usr\/lib\/dyld",
    "name" : "dyld"
  }
],
  "sharedCache" : {
  "base" : 140703181619200,
  "size" : 15220686848,
  "uuid" : "398acfb4-57f6-31e0-bc82-e9959e5c92ce"
},
  "vmSummary" : "ReadOnly portion of Libraries: Total=160.4M resident=0K(0%) swapped_out_or_unallocated=160.4M(100%)\nWritable regions: Total=580.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=580.1M(100%)\n\n                                VIRTUAL   REGION \nREGION TYPE                        SIZE    COUNT (non-coalesced) \n===========                     =======  ======= \nKernel Alloc Once                    8K        1 \nMALLOC                           173.8M       23 \nMALLOC guard page                   16K        4 \nMALLOC_LARGE (reserved)            384K        1         reserved VM address space (unallocated)\nMALLOC_NANO (reserved)           384.0M        1         reserved VM address space (unallocated)\nObjC additional data                15K        1 \nSTACK GUARD                          4K        1 \nStack                             16.0M        1 \nVM_ALLOCATE                       5896K       25 \n__DATA                             771K       53 \n__DATA_CONST                      3542K       49 \n__DATA_DIRTY                        79K       24 \n__LINKEDIT                       135.0M       13 \n__TEXT                            25.4M       58 \n__UNICODE                          592K        1 \ndyld private memory               1024K        1 \nshared memory                       12K        2 \n===========                     =======  ======= \nTOTAL                            746.3M      259 \nTOTAL, minus reserved VM space   361.9M      259 \n",
  "legacyInfo" : {
  "threadTriggered" : {
    "queue" : "com.apple.main-thread"
  }
},
  "trialInfo" : {
  "rollouts" : [
    {
      "rolloutId" : "61301e3a61217b3110231469",
      "factorPackIds" : {
        "SIRI_FIND_MY_CONFIGURATION_FILES" : "6216ae152a40e71046e16225"
      },
      "deploymentId" : 240000016
    },
    {
      "rolloutId" : "6112e14f37f5d11121dcd519",
      "factorPackIds" : {
        "SIRI_TEXT_TO_SPEECH" : "62c4376c87beda2658c8f47d"
      },
      "deploymentId" : 240000176
    }
  ],
  "experiments" : [

  ]
}
}

Model: MacBookPro16,2, BootROM 1731.120.10.0.0 (iBridge: 19.16.15071.0.0,0), 4 processors, Quad-Core Intel Core i5, 2 GHz, 16 GB, SMC 
Graphics: Intel Iris Plus Graphics, Intel Iris Plus Graphics, Built-In
Display: Color LCD, 2560 x 1600 Retina, Main, MirrorOff, Online
Memory Module: BANK 0/ChannelA-DIMM0, 8 GB, LPDDR4X, 3733 MHz, Samsung, K4UBE3D4AA-MGCL
Memory Module: BANK 2/ChannelB-DIMM0, 8 GB, LPDDR4X, 3733 MHz, Samsung, K4UBE3D4AA-MGCL
AirPort: spairport_wireless_card_type_wifi (0x14E4, 0x7BF), wl0: Jul 12 2021 18:02:56 version 9.30.464.0.32.5.76 FWID 01-c081cfed
Bluetooth: Version (null), 0 services, 0 devices, 0 incoming serial ports
Network Service: Wi-Fi, AirPort, en0
USB Device: USB31Bus
USB Device: USB31Bus
USB Device: T2Bus
USB Device: Touch Bar Backlight
USB Device: Touch Bar Display
USB Device: Apple Internal Keyboard / Trackpad
USB Device: Headset
USB Device: Ambient Light Sensor
USB Device: FaceTime HD Camera (Built-in)
USB Device: Apple T2 Controller
Thunderbolt Bus: MacBook Pro, Apple Inc., 86.0
Thunderbolt Bus: MacBook Pro, Apple Inc., 86.0

[RaisinTen]

Although Postject v1.0.0-alpha.3 doesn't crash while adding multiple resources, I have a test case for which the resultant binary still crashes. I'm using the official release of Node.js v14.18.2 on my Intel macOS for this example:

cp $(command -v node) sea
postject sea NODE_JS_CODE <(shuf -n 100 /usr/share/dict/words | fmt -w 72)
postject sea NODE_JS_BOOTSTRAP <(shuf -n 100 /usr/share/dict/words | fmt -w 72)
./sea

Reason for crash keeps changing every time.

LLDB logs:

$ lldb -- ./sea
(lldb) target create "./sea"
Current executable set to '/Users/raisinten/Desktop/temp/project/trash/sea' (x86_64).
(lldb) run
Process 4459 launched: '/Users/raisinten/Desktop/temp/project/trash/sea' (x86_64)
Process 4459 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x000000010002fb41 sea`_GLOBAL__sub_I_cares_wrap.cc + 1
Target 0: (sea) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x000000010002fb41 sea`_GLOBAL__sub_I_cares_wrap.cc + 1
(lldb) ^D

$ lldb -- ./sea
(lldb) target create "./sea"
Current executable set to '/Users/raisinten/Desktop/temp/project/trash/sea' (x86_64).
(lldb) run
Process 4174 launched: '/Users/raisinten/Desktop/temp/project/trash/sea' (x86_64)
Process 4174 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
    frame #0: 0x00000001000164eb sea`node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) + 43
sea`node::AsyncWrap::MakeCallback:
->  0x1000164eb <+43>: movq   %rax, (%rdi)
    0x1000164ee <+46>: testq  %rdx, %rdx
    0x1000164f1 <+49>: je     0x100016579               ; <+185>
    0x1000164f7 <+55>: movq   %rdx, %r15
Target 0: (sea) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
  * frame #0: 0x00000001000164eb sea`node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) + 43
    frame #1: 0x000000000000001b
    frame #2: 0x000000010002fb53 sea`_GLOBAL__sub_I_cares_wrap.cc + 19
    frame #3: 0x00000001043bb911 dyld`invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 129
    frame #4: 0x00000001043b2e26 dyld`invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 557
    frame #5: 0x0000000104381db3 dyld`dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 129
    frame #6: 0x00000001043b2bb7 dyld`dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 179
    frame #7: 0x00000001043bb342 dyld`dyld3::MachOAnalyzer::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, unsigned char const*, bool&) block_pointer) const + 118
    frame #8: 0x00000001043bb5b4 dyld`dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 386
    frame #9: 0x0000000104394d82 dyld`dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 144
    frame #10: 0x0000000104394f0e dyld`dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 178
    frame #11: 0x0000000104394fb2 dyld`dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 108
    frame #12: 0x00000001043a8826 dyld`dyld4::APIs::runAllInitializersForMain() + 222
    frame #13: 0x000000010438638d dyld`dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3443
    frame #14: 0x00000001043854e4 dyld`start + 388
(lldb) ^D

I'm guessing the binary gets corrupted?