Fix zygisk code unloading

This commit is contained in:
topjohnwu 2022-06-01 01:50:42 -07:00
parent d4fe8632ec
commit 8186f253e8
4 changed files with 54 additions and 51 deletions

View File

@ -563,13 +563,19 @@ int app_process_64 = -1;
if (access("/system/bin/app_process" #bit, F_OK) == 0) { \
app_process_##bit = xopen("/system/bin/app_process" #bit, O_RDONLY | O_CLOEXEC); \
string zbin = zygisk_bin + "/app_process" #bit; \
string dbin = zygisk_bin + "/magisk" #bit; \
string mbin = MAGISKTMP + "/magisk" #bit; \
int src = xopen(mbin.data(), O_RDONLY | O_CLOEXEC); \
int out = xopen(zbin.data(), O_CREAT | O_WRONLY | O_CLOEXEC, 0); \
xsendfile(out, src, nullptr, INT_MAX); \
close(src); \
close(out); \
out = xopen(dbin.data(), O_CREAT | O_WRONLY | O_CLOEXEC, 0); \
lseek(src, 0, SEEK_SET); \
xsendfile(out, src, nullptr, INT_MAX); \
close(out); \
close(src); \
clone_attr("/system/bin/app_process" #bit, zbin.data()); \
clone_attr("/system/bin/app_process" #bit, dbin.data()); \
bind_mount(zbin.data(), "/system/bin/app_process" #bit); \
}

View File

@ -1,6 +1,7 @@
#include <libgen.h>
#include <dlfcn.h>
#include <sys/prctl.h>
#include <sys/mount.h>
#include <android/log.h>
#include <android/dlext.h>
@ -52,78 +53,56 @@ static void zygisk_cleanup_wait() {
}
}
static void *unload_first_stage(void *) {
// Wait 10us to make sure 1st stage is done
timespec ts = { .tv_sec = 0, .tv_nsec = 10000L };
nanosleep(&ts, nullptr);
unmap_all(HIJACK_BIN);
xumount2(HIJACK_BIN, MNT_DETACH);
return nullptr;
}
static void second_stage_entry() {
zygisk_logging();
ZLOGD("inject 2nd stage\n");
char path[PATH_MAX];
MAGISKTMP = getenv(MAGISKTMP_ENV);
int fd = parse_int(getenv(MAGISKFD_ENV));
snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);
xreadlink(path, path, PATH_MAX);
android_dlextinfo info {
.flags = ANDROID_DLEXT_USE_LIBRARY_FD,
.library_fd = fd,
};
self_handle = android_dlopen_ext(path, RTLD_LAZY, &info);
#if defined(__LP64__)
self_handle = dlopen("/system/bin/app_process", RTLD_NOLOAD);
#else
self_handle = dlopen("/system/bin/app_process32", RTLD_NOLOAD);
#endif
dlclose(self_handle);
close(fd);
unsetenv(MAGISKTMP_ENV);
unsetenv(MAGISKFD_ENV);
sanitize_environ();
hook_functions();
new_daemon_thread(&unload_first_stage, nullptr);
}
static void first_stage_entry() {
android_logging();
ZLOGD("inject 1st stage\n");
char path[PATH_MAX];
char buf[256];
char *ld = getenv("LD_PRELOAD");
if (char *c = strrchr(ld, ':')) {
*c = '\0';
strlcpy(path, c + 1, sizeof(path));
setenv("LD_PRELOAD", ld, 1); // Restore original LD_PRELOAD
} else {
unsetenv("LD_PRELOAD");
strlcpy(path, ld, sizeof(path));
}
// Force the linker to load the library on top of ourselves, so we do not
// need to unmap the 1st stage library that was loaded with LD_PRELOAD.
int fd = xopen(path, O_RDONLY | O_CLOEXEC);
// Use fd here instead of path to make sure inode is the same as 2nd stage
snprintf(buf, sizeof(buf), "%d", fd);
setenv(MAGISKFD_ENV, buf, 1);
struct stat s{};
xfstat(fd, &s);
android_dlextinfo info {
.flags = ANDROID_DLEXT_FORCE_LOAD | ANDROID_DLEXT_USE_LIBRARY_FD,
.library_fd = fd,
};
auto [addr, size] = find_map_range(path, s.st_ino);
if (addr && size) {
info.flags |= ANDROID_DLEXT_RESERVED_ADDRESS;
info.reserved_addr = addr;
// The existing address is guaranteed to fit, as 1st stage and 2nd stage
// are exactly the same ELF (same inode). However, the linker could over
// estimate the required size and refuse to dlopen. The estimated size
// is not accurate so size the size to unlimited.
info.reserved_size = -1;
}
// Load second stage
setenv(INJECT_ENV_2, "1", 1);
// Force dlopen ourselves to make ourselves dlclose-able.
// After this call, all global variables will be reset.
android_dlopen_ext(path, RTLD_LAZY, &info);
#if defined(__LP64__)
dlopen("/system/bin/app_process", RTLD_LAZY);
#else
dlopen("/system/bin/app_process32", RTLD_LAZY);
#endif
}
[[gnu::constructor]] [[maybe_unused]]
static void zygisk_init() {
android_logging();
if (getenv(INJECT_ENV_1)) {
unsetenv(INJECT_ENV_1);
first_stage_entry();
@ -301,8 +280,23 @@ static void setup_files(int client, const sock_cred *cred) {
}
}
// Hijack some binary in /system/bin to host 1st stage
const char *hbin;
string mbin;
int app_fd;
if (is_64_bit) {
hbin = HIJACK_BIN64;
mbin = MAGISKTMP + "/" ZYGISKBIN "/magisk64";
app_fd = app_process_64;
} else {
hbin = HIJACK_BIN32;
mbin = MAGISKTMP + "/" ZYGISKBIN "/magisk32";
app_fd = app_process_32;
}
xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
write_int(client, 0);
send_fd(client, is_64_bit ? app_process_64 : app_process_32);
send_fd(client, app_fd);
write_string(client, MAGISKTMP);
}

View File

@ -78,14 +78,13 @@ int app_process_main(int argc, char *argv[]) {
break;
string tmp = read_string(socket);
xreadlink("/proc/self/exe", buf, sizeof(buf));
if (char *ld = getenv("LD_PRELOAD")) {
string env = ld;
env += ':';
env += buf;
env += HIJACK_BIN;
setenv("LD_PRELOAD", env.data(), 1);
} else {
setenv("LD_PRELOAD", buf, 1);
setenv("LD_PRELOAD", HIJACK_BIN, 1);
}
setenv(INJECT_ENV_1, "1", 1);
setenv(MAGISKTMP_ENV, tmp.data(), 1);

View File

@ -7,9 +7,11 @@
#define INJECT_ENV_1 "MAGISK_INJ_1"
#define INJECT_ENV_2 "MAGISK_INJ_2"
#define MAGISKFD_ENV "MAGISKFD"
#define MAGISKTMP_ENV "MAGISKTMP"
#define HIJACK_BIN64 "/system/bin/bootanimation"
#define HIJACK_BIN32 "/system/bin/screencap"
namespace ZygiskRequest {
enum : int {
SETUP,
@ -26,10 +28,12 @@ enum : int {
#define ZLOGD(...) LOGD("zygisk64: " __VA_ARGS__)
#define ZLOGE(...) LOGE("zygisk64: " __VA_ARGS__)
#define ZLOGI(...) LOGI("zygisk64: " __VA_ARGS__)
#define HIJACK_BIN HIJACK_BIN64
#else
#define ZLOGD(...) LOGD("zygisk32: " __VA_ARGS__)
#define ZLOGE(...) LOGE("zygisk32: " __VA_ARGS__)
#define ZLOGI(...) LOGI("zygisk32: " __VA_ARGS__)
#define HIJACK_BIN HIJACK_BIN32
#endif
// Find the memory address + size of the pages matching name + inode