1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <errno.h> 18 #include <sys/stat.h> 19 #include <fcntl.h> 20 #include <stdio.h> 21 #include <unistd.h> 22 #include <string.h> 23 #include <strings.h> 24 #include "Retouch.h" 25 #include "applypatch/applypatch.h" 26 27 typedef struct { 28 int32_t mmap_addr; 29 char tag[4]; /* 'P', 'R', 'E', ' ' */ 30 } prelink_info_t __attribute__((packed)); 31 32 #define false 0 33 #define true 1 34 35 static int32_t offs_prev; 36 static uint32_t cont_prev; 37 38 static void init_compression_state(void) { 39 offs_prev = 0; 40 cont_prev = 0; 41 } 42 43 // For details on the encoding used for relocation lists, please 44 // refer to build/tools/retouch/retouch-prepare.c. The intent is to 45 // save space by removing most of the inherent redundancy. 46 47 static void decode_bytes(uint8_t *encoded_bytes, int encoded_size, 48 int32_t *dst_offset, uint32_t *dst_contents) { 49 if (encoded_size == 2) { 50 *dst_offset = offs_prev + (((encoded_bytes[0]&0x60)>>5)+1)*4; 51 52 // if the original was negative, we need to 1-pad before applying delta 53 int32_t tmp = (((encoded_bytes[0] & 0x0000001f) << 8) | 54 encoded_bytes[1]); 55 if (tmp & 0x1000) tmp = 0xffffe000 | tmp; 56 *dst_contents = cont_prev + tmp; 57 } else if (encoded_size == 3) { 58 *dst_offset = offs_prev + (((encoded_bytes[0]&0x30)>>4)+1)*4; 59 60 // if the original was negative, we need to 1-pad before applying delta 61 int32_t tmp = (((encoded_bytes[0] & 0x0000000f) << 16) | 62 (encoded_bytes[1] << 8) | 63 encoded_bytes[2]); 64 if (tmp & 0x80000) tmp = 0xfff00000 | tmp; 65 *dst_contents = cont_prev + tmp; 66 } else { 67 *dst_offset = 68 (encoded_bytes[0]<<24) | 69 (encoded_bytes[1]<<16) | 70 (encoded_bytes[2]<<8) | 71 encoded_bytes[3]; 72 if (*dst_offset == 0x3fffffff) *dst_offset = -1; 73 *dst_contents = 74 (encoded_bytes[4]<<24) | 75 (encoded_bytes[5]<<16) | 76 (encoded_bytes[6]<<8) | 77 encoded_bytes[7]; 78 } 79 } 80 81 static uint8_t *decode_in_memory(uint8_t *encoded_bytes, 82 int32_t *offset, uint32_t *contents) { 83 int input_size, charIx; 84 uint8_t input[8]; 85 86 input[0] = *(encoded_bytes++); 87 if (input[0] & 0x80) 88 input_size = 2; 89 else if (input[0] & 0x40) 90 input_size = 3; 91 else 92 input_size = 8; 93 94 // we already read one byte.. 95 charIx = 1; 96 while (charIx < input_size) { 97 input[charIx++] = *(encoded_bytes++); 98 } 99 100 // depends on the decoder state! 101 decode_bytes(input, input_size, offset, contents); 102 103 offs_prev = *offset; 104 cont_prev = *contents; 105 106 return encoded_bytes; 107 } 108 109 int retouch_mask_data(uint8_t *binary_object, 110 int32_t binary_size, 111 int32_t *desired_offset, 112 int32_t *retouch_offset) { 113 retouch_info_t *r_info; 114 prelink_info_t *p_info; 115 116 int32_t target_offset = 0; 117 if (desired_offset) target_offset = *desired_offset; 118 119 int32_t p_offs = binary_size-sizeof(prelink_info_t); // prelink_info_t 120 int32_t r_offs = p_offs-sizeof(retouch_info_t); // retouch_info_t 121 int32_t b_offs; // retouch data blob 122 123 // If not retouched, we say it was a match. This might get invoked on 124 // non-retouched binaries, so that's why we need to do this. 125 if (retouch_offset != NULL) *retouch_offset = target_offset; 126 if (r_offs < 0) return (desired_offset == NULL) ? 127 RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED; 128 p_info = (prelink_info_t *)(binary_object+p_offs); 129 r_info = (retouch_info_t *)(binary_object+r_offs); 130 if (strncmp(p_info->tag, "PRE ", 4) || 131 strncmp(r_info->tag, "RETOUCH ", 8)) 132 return (desired_offset == NULL) ? 133 RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED; 134 135 b_offs = r_offs-r_info->blob_size; 136 if (b_offs < 0) { 137 printf("negative binary offset: %d = %d - %d\n", 138 b_offs, r_offs, r_info->blob_size); 139 return RETOUCH_DATA_ERROR; 140 } 141 uint8_t *b_ptr = binary_object+b_offs; 142 143 // Retouched: let's go through the work then. 144 int32_t offset_candidate = target_offset; 145 bool offset_set = false, offset_mismatch = false; 146 init_compression_state(); 147 while (b_ptr < (uint8_t *)r_info) { 148 int32_t retouch_entry_offset; 149 uint32_t *retouch_entry; 150 uint32_t retouch_original_value; 151 152 b_ptr = decode_in_memory(b_ptr, 153 &retouch_entry_offset, 154 &retouch_original_value); 155 if (retouch_entry_offset < (-1) || 156 retouch_entry_offset >= b_offs) { 157 printf("bad retouch_entry_offset: %d", retouch_entry_offset); 158 return RETOUCH_DATA_ERROR; 159 } 160 161 // "-1" means this is the value in prelink_info_t, which also gets 162 // randomized. 163 if (retouch_entry_offset == -1) 164 retouch_entry = (uint32_t *)&(p_info->mmap_addr); 165 else 166 retouch_entry = (uint32_t *)(binary_object+retouch_entry_offset); 167 168 if (desired_offset) 169 *retouch_entry = retouch_original_value + target_offset; 170 171 // Infer the randomization shift, compare to previously inferred. 172 int32_t offset_of_this_entry = (int32_t)(*retouch_entry- 173 retouch_original_value); 174 if (!offset_set) { 175 offset_candidate = offset_of_this_entry; 176 offset_set = true; 177 } else { 178 if (offset_candidate != offset_of_this_entry) { 179 offset_mismatch = true; 180 printf("offset is mismatched: %d, this entry is %d," 181 " original 0x%x @ 0x%x", 182 offset_candidate, offset_of_this_entry, 183 retouch_original_value, retouch_entry_offset); 184 } 185 } 186 } 187 if (b_ptr > (uint8_t *)r_info) { 188 printf("b_ptr went too far: %p, while r_info is %p", 189 b_ptr, r_info); 190 return RETOUCH_DATA_ERROR; 191 } 192 193 if (offset_mismatch) return RETOUCH_DATA_MISMATCHED; 194 if (retouch_offset != NULL) *retouch_offset = offset_candidate; 195 return RETOUCH_DATA_MATCHED; 196 } 197 198 // On success, _override is set to the offset that was actually applied. 199 // This implies that once we randomize to an offset we stick with it. 200 // This in turn is necessary in order to guarantee recovery after crash. 201 bool retouch_one_library(const char *binary_name, 202 const char *binary_sha1, 203 int32_t retouch_offset, 204 int32_t *retouch_offset_override) { 205 bool success = true; 206 int result; 207 208 FileContents file; 209 file.data = NULL; 210 211 char binary_name_atomic[strlen(binary_name)+10]; 212 strcpy(binary_name_atomic, binary_name); 213 strcat(binary_name_atomic, ".atomic"); 214 215 // We need a path that exists for calling statfs() later. 216 // 217 // Assume that binary_name (eg "/system/app/Foo.apk") is located 218 // on the same filesystem as its top-level directory ("/system"). 219 char target_fs[strlen(binary_name)+1]; 220 char* slash = strchr(binary_name+1, '/'); 221 if (slash != NULL) { 222 int count = slash - binary_name; 223 strncpy(target_fs, binary_name, count); 224 target_fs[count] = '\0'; 225 } else { 226 strcpy(target_fs, binary_name); 227 } 228 229 result = LoadFileContents(binary_name, &file, RETOUCH_DONT_MASK); 230 231 if (result == 0) { 232 // Figure out the *apparent* offset to which this file has been 233 // retouched. If it looks good, we will skip processing (we might 234 // have crashed and during this recovery pass we don't want to 235 // overwrite a valuable saved file in /cache---which would happen 236 // if we blindly retouch everything again). NOTE: This implies 237 // that we might have to override the supplied retouch offset. We 238 // can do the override only once though: everything should match 239 // afterward. 240 241 int32_t inferred_offset; 242 int retouch_probe_result = retouch_mask_data(file.data, 243 file.size, 244 NULL, 245 &inferred_offset); 246 247 if (retouch_probe_result == RETOUCH_DATA_MATCHED) { 248 if ((retouch_offset == inferred_offset) || 249 ((retouch_offset != 0 && inferred_offset != 0) && 250 (retouch_offset_override != NULL))) { 251 // This file is OK already and we are allowed to override. 252 // Let's just return the offset override value. It is critical 253 // to skip regardless of override: a broken file might need 254 // recovery down the list and we should not mess up the saved 255 // copy by doing unnecessary retouching. 256 // 257 // NOTE: If retouching was already started with a different 258 // value, we will not be allowed to override. This happens 259 // if on the retouch list there is a patched binary (which is 260 // masked in apply_patch()) before there is a non-patched 261 // binary. 262 if (retouch_offset_override != NULL) 263 *retouch_offset_override = inferred_offset; 264 success = true; 265 goto out; 266 } else { 267 // Retouch to zero (mask the retouching), to make sure that 268 // the SHA-1 check will pass below. 269 int32_t zero = 0; 270 retouch_mask_data(file.data, file.size, &zero, NULL); 271 SHA(file.data, file.size, file.sha1); 272 } 273 } 274 275 if (retouch_probe_result == RETOUCH_DATA_NOTAPPLICABLE) { 276 // In the case of not retouchable, fake it. We do not want 277 // to do the normal processing and overwrite the backup file: 278 // we might be recovering! 279 // 280 // We return a zero override, which tells the caller that we 281 // simply skipped the file. 282 if (retouch_offset_override != NULL) 283 *retouch_offset_override = 0; 284 success = true; 285 goto out; 286 } 287 288 // If we get here, either there was a mismatch in the offset, or 289 // the file has not been processed yet. Continue with normal 290 // processing. 291 } 292 293 if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) { 294 free(file.data); 295 printf("Attempting to recover source from '%s' ...\n", 296 CACHE_TEMP_SOURCE); 297 result = LoadFileContents(CACHE_TEMP_SOURCE, &file, RETOUCH_DO_MASK); 298 if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) { 299 printf(" failed.\n"); 300 success = false; 301 goto out; 302 } 303 printf(" succeeded.\n"); 304 } 305 306 // Retouch in-memory before worrying about backing up the original. 307 // 308 // Recovery steps will be oblivious to the actual retouch offset used, 309 // so might as well write out the already-retouched copy. Then, in the 310 // usual case, we will just swap the file locally, with no more writes 311 // needed. In the no-free-space case, we will then write the same to the 312 // original location. 313 314 result = retouch_mask_data(file.data, file.size, &retouch_offset, NULL); 315 if (result != RETOUCH_DATA_MATCHED) { 316 success = false; 317 goto out; 318 } 319 if (retouch_offset_override != NULL) 320 *retouch_offset_override = retouch_offset; 321 322 // How much free space do we need? 323 bool enough_space = false; 324 size_t free_space = FreeSpaceForFile(target_fs); 325 // 50% margin when estimating the space needed. 326 enough_space = (free_space > (file.size * 3 / 2)); 327 328 // The experts say we have to allow for a retry of the 329 // whole process to avoid filesystem weirdness. 330 int retry = 1; 331 bool made_copy = false; 332 do { 333 // First figure out where to store a copy of the original. 334 // Ideally leave the original itself intact until the 335 // atomic swap. If no room on the same partition, fall back 336 // to the cache partition and remove the original. 337 338 if (!enough_space) { 339 printf("Target is %ldB; free space is %ldB: not enough.\n", 340 (long)file.size, (long)free_space); 341 342 retry = 0; 343 if (MakeFreeSpaceOnCache(file.size) < 0) { 344 printf("Not enough free space on '/cache'.\n"); 345 success = false; 346 goto out; 347 } 348 if (SaveFileContents(CACHE_TEMP_SOURCE, file) < 0) { 349 printf("Failed to back up source file.\n"); 350 success = false; 351 goto out; 352 } 353 made_copy = true; 354 unlink(binary_name); 355 356 size_t free_space = FreeSpaceForFile(target_fs); 357 printf("(now %ld bytes free for target)\n", (long)free_space); 358 } 359 360 result = SaveFileContents(binary_name_atomic, file); 361 if (result != 0) { 362 // Maybe the filesystem was optimistic: retry. 363 enough_space = false; 364 unlink(binary_name_atomic); 365 printf("Saving the retouched contents failed; retrying.\n"); 366 continue; 367 } 368 369 // Succeeded; no need to retry. 370 break; 371 } while (retry-- > 0); 372 373 // Give the .atomic file the same owner, group, and mode of the 374 // original source file. 375 if (chmod(binary_name_atomic, file.st.st_mode) != 0) { 376 printf("chmod of \"%s\" failed: %s\n", 377 binary_name_atomic, strerror(errno)); 378 success = false; 379 goto out; 380 } 381 if (chown(binary_name_atomic, file.st.st_uid, file.st.st_gid) != 0) { 382 printf("chown of \"%s\" failed: %s\n", 383 binary_name_atomic, 384 strerror(errno)); 385 success = false; 386 goto out; 387 } 388 389 // Finally, rename the .atomic file to replace the target file. 390 if (rename(binary_name_atomic, binary_name) != 0) { 391 printf("rename of .atomic to \"%s\" failed: %s\n", 392 binary_name, strerror(errno)); 393 success = false; 394 goto out; 395 } 396 397 // If this run created a copy, and we're here, we can delete it. 398 if (made_copy) unlink(CACHE_TEMP_SOURCE); 399 400 out: 401 // clean up 402 free(file.data); 403 unlink(binary_name_atomic); 404 405 return success; 406 } 407
