diff --git a/native/jni/magiskboot/bootimg.cpp b/native/jni/magiskboot/bootimg.cpp
index aab801ee8..1f3f438ac 100644
--- a/native/jni/magiskboot/bootimg.cpp
+++ b/native/jni/magiskboot/bootimg.cpp
@@ -198,27 +198,31 @@ boot_img::~boot_img() {
 }
 
 static int find_dtb_offset(uint8_t *buf, unsigned sz) {
-    for (int off = 0; off + sizeof(fdt_header) < sz; ++off) {
-        auto fdt_hdr = reinterpret_cast(buf + off);
-        if (fdt32_to_cpu(fdt_hdr->magic) != FDT_MAGIC)
-            continue;
+    uint8_t * const end = buf + sz;
+
+    for (uint8_t *curr = buf; curr < end; curr += sizeof(fdt_header)) {
+        curr = static_cast(memmem(curr, end - curr, DTB_MAGIC, sizeof(fdt32_t)));
+        if (curr == nullptr)
+            return -1;
+
+        auto fdt_hdr = reinterpret_cast(curr);
 
         // Check that fdt_header.totalsize does not overflow kernel image size
         uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
-        if (totalsize + off > sz)
+        if (curr + totalsize > end)
             continue;
 
         // Check that fdt_header.off_dt_struct does not overflow kernel image size
         uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
-        if (off_dt_struct + off > sz)
+        if (curr + off_dt_struct > end)
             continue;
 
         // Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE
-        auto fdt_node_hdr = reinterpret_cast(buf + off + off_dt_struct);
+        auto fdt_node_hdr = reinterpret_cast(curr + off_dt_struct);
         if (fdt32_to_cpu(fdt_node_hdr->tag) != FDT_BEGIN_NODE)
             continue;
 
-        return off;
+        return curr - buf;
     }
     return -1;
 }
diff --git a/native/jni/magiskboot/dtb.cpp b/native/jni/magiskboot/dtb.cpp
index 885eed9e4..59811dffb 100644
--- a/native/jni/magiskboot/dtb.cpp
+++ b/native/jni/magiskboot/dtb.cpp
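Review bot: The header is dereferenced without checking that a whole `fdt_header` fits after the match: memmem only guarantees that the four magic bytes lie inside the buffer, so the reads of `fdt_hdr->totalsize` and `fdt_hdr->off_dt_struct` can touch up to `sizeof(fdt_header)` bytes past `end`, a guard the removed loop condition `off + sizeof(fdt_header) < sz` used to provide. The two bound checks that follow also form `curr + totalsize` and `curr + off_dt_struct` from image-controlled values before comparing them, which is out-of-range pointer arithmetic in C++ that an optimizer is entitled to fold; comparing the value against the remaining length avoids that. The `off_dt_struct` check additionally accepts `curr + off_dt_struct == end`, so the `fdt_node_hdr->tag` read on the next line can reach four bytes past the buffer. The rewritten lines below keep the loop shape and return values.
```cpp
    for (uint8_t *curr = buf; curr < end; curr += sizeof(fdt_header)) {
        curr = static_cast<uint8_t *>(memmem(curr, end - curr, DTB_MAGIC, sizeof(fdt32_t)));
        if (curr == nullptr)
            return -1;

        // memmem only proves the 4 magic bytes are in range; the rest of the
        // header must be too before it is read. No later match can fit either.
        const size_t remain = end - curr;
        if (remain < sizeof(fdt_header))
            return -1;

        auto fdt_hdr = reinterpret_cast<fdt_header *>(curr);

        // Check that fdt_header.totalsize does not overflow kernel image size
        uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
        if (totalsize > remain)
            continue;

        // Check that fdt_header.off_dt_struct plus the first tag stays inside the image
        uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
        if (off_dt_struct > remain - sizeof(fdt_node_header))
            continue;

        // … unchanged: fdt_node_hdr tag check, return curr - buf …
```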
@@ -103,22 +103,23 @@ static void dtb_print(const char *file, bool fstab) {
     mmap_ro(file, dtb, size);
     // Loop through all the dtbs
     int dtb_num = 0;
-    for (int i = 0; i < size; ++i) {
-        if (memcmp(dtb + i, FDT_MAGIC_STR, 4) == 0) {
-            auto fdt = dtb + i;
-            if (fstab) {
-                int node = find_fstab(fdt);
-                if (node >= 0) {
-                    fprintf(stderr, "Found fstab in dtb.%04d\n", dtb_num);
-                    print_node(fdt, node);
-                }
-            } else {
-                fprintf(stderr, "Printing dtb.%04d\n", dtb_num);
-                print_node(fdt);
+    uint8_t * const end = dtb + size;
+    for (uint8_t *fdt = dtb; fdt < end;) {
+        fdt = static_cast(memmem(fdt, end - fdt, FDT_MAGIC_STR, sizeof(fdt32_t)));
+        if (fdt == nullptr)
+            break;
+        if (fstab) {
+            int node = find_fstab(fdt);
+            if (node >= 0) {
+                fprintf(stderr, "Found fstab in dtb.%04d\n", dtb_num);
+                print_node(fdt, node);
             }
-            ++dtb_num;
-            i += fdt_totalsize(fdt) - 1;
+        } else {
+            fprintf(stderr, "Printing dtb.%04d\n", dtb_num);
+            print_node(fdt);
         }
+        ++dtb_num;
+        fdt += fdt_totalsize(fdt);
     }
     fprintf(stderr, "\n");
     munmap(dtb, size);
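Review bot: `fdt += fdt_totalsize(fdt)` trusts a length read from the file: memmem only guarantees that the four magic bytes are inside the mapping, so `fdt_totalsize` itself can read past `end` when the match sits in the last bytes, a `totalsize` of zero leaves `fdt` in place so the loop never terminates (the removed `i += fdt_totalsize(fdt) - 1` form appears to have had the same zero case), and a value larger than `end - fdt` steps the pointer past the mapping before the `fdt < end` test. The same stride is used in dtb_patch in the next hunk and, as `curr += len`, in blob_patch two hunks on, where the unchecked `len` is also the `memcpy` length and the `xmalloc` size, so a large value there reads past the blob into the fresh allocation. Checking the remaining length right after the match, as below, covers all three sites; `fdt_header` is assumed to be visible through the libfdt headers this file already uses. dtb_print begins before this hunk.
```cpp
    for (uint8_t *fdt = dtb; fdt < end;) {
        fdt = static_cast<uint8_t *>(memmem(fdt, end - fdt, FDT_MAGIC_STR, sizeof(fdt32_t)));
        if (fdt == nullptr)
            break;
        // memmem only proves the 4 magic bytes are mapped; the header the
        // totalsize field lives in must be as well
        if (static_cast<size_t>(end - fdt) < sizeof(fdt_header))
            break;
        const uint32_t len = fdt_totalsize(fdt);
        // a totalsize below the header size would pin the loop, a large one
        // would step past the mapping
        if (len < sizeof(fdt_header) || len > static_cast<size_t>(end - fdt))
            break;
        // … unchanged: fstab / print_node branch, ++dtb_num …
        fdt += len;
    }
```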
@@ -136,21 +137,22 @@ static bool dtb_patch(const char *file) { mmap_rw(file, dtb, size); bool patched = false; - for (int i = 0; i < size; ++i) { - if (memcmp(dtb + i, FDT_MAGIC_STR, 4) == 0) { - auto fdt = dtb + i; - if (int fstab = find_fstab(fdt); fstab >= 0) { - int node; - fdt_for_each_subnode(node, fdt, fstab) { - if (!keep_verity) { - int len; - char *value = (char *) fdt_getprop(fdt, node, "fsmgr_flags", &len); - patched |= patch_verity(value, len) != len; - } + uint8_t * const end = dtb + size; + for (uint8_t *fdt = dtb; fdt < end;) { + fdt = static_cast(memmem(fdt, end - fdt, FDT_MAGIC_STR, sizeof(fdt32_t))); + if (fdt == nullptr) + break; + if (int fstab = find_fstab(fdt); fstab >= 0) { + int node; + fdt_for_each_subnode(node, fdt, fstab) { + if (!keep_verity) { + int len; + char *value = (char *) fdt_getprop(fdt, node, "fsmgr_flags", &len); + patched |= patch_verity(value, len) != len; } } - i += fdt_totalsize(fdt) - 1; } + fdt += fdt_totalsize(fdt); } munmap(dtb, size); 
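Review bot: `fdt_getprop` returns a null pointer when the subnode has no `fsmgr_flags` property and stores a negative libfdt error code in `len`, yet `value` and `len` are passed straight to `patch_verity`; unless patch_verity tolerates that pair (its body is not in this diff), an fstab entry without the property dereferences null. Guarding the call with `if (value == nullptr) continue;` placed between the `fdt_getprop` line and the `patched |=` line keeps the loop going over the remaining entries. dtb_patch begins before this hunk and its tail (the `munmap` and the return) lies outside it.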
@@ -312,18 +314,20 @@ static bool blob_patch(uint8_t *dtb, size_t dtb_sz, const char *out) { vector fdt_list; vector padding_list; - for (int i = 0; i < dtb_sz; ++i) { - if (memcmp(dtb + i, FDT_MAGIC_STR, 4) == 0) { - auto len = fdt_totalsize(dtb + i); - auto fdt = static_cast(xmalloc(len + MAX_FDT_GROWTH)); - memcpy(fdt, dtb + i, len); - fdt_pack(fdt); - uint32_t padding = len - fdt_totalsize(fdt); - padding_list.push_back(padding); - fdt_open_into(fdt, fdt, len + MAX_FDT_GROWTH); - fdt_list.push_back(fdt); - i += len - 1; - } + uint8_t * const end = dtb + dtb_sz; + for (uint8_t *curr = dtb; curr < end;) { + curr = static_cast(memmem(curr, end - curr, FDT_MAGIC_STR, sizeof(fdt32_t))); + if (curr == nullptr) + break; + auto len = fdt_totalsize(curr); + auto fdt = static_cast(xmalloc(len + MAX_FDT_GROWTH)); + memcpy(fdt, curr, len); + fdt_pack(fdt); + uint32_t padding = len - fdt_totalsize(fdt); + padding_list.push_back(padding); + fdt_open_into(fdt, fdt, len + MAX_FDT_GROWTH); + fdt_list.push_back(fdt); + curr += len; } bool modified = false; diff --git a/native/jni/magiskboot/hexpatch.cpp b/native/jni/magiskboot/hexpatch.cpp index bfd243881..15dc8b097 100644 --- a/native/jni/magiskboot/hexpatch.cpp +++ b/native/jni/magiskboot/hexpatch.cpp 
@@ -1,43 +1,44 @@ -#include -#include -#include #include #include #include "magiskboot.hpp" -static void hex2byte(uint8_t *hex, uint8_t *str) { +using namespace std; + +static void hex2byte(const char *hex, uint8_t *buf) { char high, low; - for (int i = 0, length = strlen((char *) hex); i < length; i += 2) { + for (int i = 0, length = strlen(hex); i < length; i += 2) { high = toupper(hex[i]) - '0'; low = toupper(hex[i + 1]) - '0'; - str[i / 2] = ((high > 9 ? high - 7 : high) << 4) + (low > 9 ? low - 7 : low); + buf[i / 2] = ((high > 9 ? high - 7 : high) << 4) + (low > 9 ? low - 7 : low); } } int hexpatch(const char *image, const char *from, const char *to) { - int patternsize = strlen(from) / 2, patchsize = strlen(to) / 2; int patched = 1; - size_t filesize; - uint8_t *file, *pattern, *patch; - mmap_rw(image, file, filesize); - pattern = (uint8_t *) xmalloc(patternsize); - patch = (uint8_t *) xmalloc(patchsize); - hex2byte((uint8_t *) from, pattern); - hex2byte((uint8_t *) to, patch); - for (size_t i = 0; filesize > 0 && i < filesize - patternsize; ++i) { - if (memcmp(file + i, pattern, patternsize) == 0) { - fprintf(stderr, "Patch @ %08X [%s]->[%s]\n", (unsigned) i, from, to); - memset(file + i, 0, patternsize); - memcpy(file + i, patch, patchsize); - i += patternsize - 1; - patched = 0; - } + + uint8_t *buf; + size_t sz; + mmap_rw(image, buf, sz); + run_finally f([=]{ munmap(buf, sz); }); + + vector pattern(strlen(from) / 2); + vector patch(strlen(to) / 2); + + hex2byte(from, pattern.data()); + hex2byte(to, patch.data()); + + uint8_t * const end = buf + sz; + for (uint8_t *curr = buf; curr < end; curr += pattern.size()) { + curr = static_cast(memmem(curr, end - curr, pattern.data(), pattern.size())); + if (curr == nullptr) + return patched; + fprintf(stderr, "Patch @ %08X [%s] -> [%s]\n", curr - buf, from, to); + memset(curr, 0, pattern.size()); + memcpy(curr, patch.data(), patch.size()); + patched = 0; } - munmap(file, filesize); - free(pattern); - free(patch); 
return patched; }
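Review bot: The `fprintf` in the search loop passes `curr - buf`, a `ptrdiff_t`, to `%08X`, which expects an `unsigned int`; the removed line cast the offset with `(unsigned)`, and on LP64 targets the mismatch is undefined behaviour in the variadic call, so the cast should come back as `static_cast<unsigned>(curr - buf)`. The vectors are sized `strlen(...) / 2`, but `hex2byte` loops `i < length` in steps of two and writes `buf[i / 2]`, so an odd-length hex string writes one byte past the vector. An empty `from` makes `memmem` return `curr` with a zero-length needle and a zero stride, so the loop never advances, and a `to` longer than `from` copies past the match with no check against `end`. The lines below validate the strings before the mapping is created and bound the copy; `hex2byte` still accepts non-hex characters silently, which is unchanged from before.
```cpp
int hexpatch(const char *image, const char *from, const char *to) {
    int patched = 1;

    const size_t from_len = strlen(from), to_len = strlen(to);
    // hex2byte writes (len + 1) / 2 bytes, so an odd length would run one byte
    // past a vector sized len / 2; an empty pattern would match at every
    // position and the loop below would never advance
    if (from_len == 0 || from_len % 2 != 0 || to_len % 2 != 0)
        return patched;

    // … unchanged: mmap_rw, run_finally …

    vector<uint8_t> pattern(from_len / 2);
    vector<uint8_t> patch(to_len / 2);

    // … unchanged: hex2byte calls, end, loop head and memmem …
        fprintf(stderr, "Patch @ %08X [%s] -> [%s]\n", static_cast<unsigned>(curr - buf), from, to);
        // the replacement may be longer than the pattern; it must still fit the mapping
        if (patch.size() > static_cast<size_t>(end - curr))
            return patched;
        memset(curr, 0, pattern.size());
        memcpy(curr, patch.data(), patch.size());
        patched = 0;
```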