• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <inttypes.h>
22 #include <linux/fs.h>
23 #include <pthread.h>
24 #include <stdarg.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/ioctl.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <sys/wait.h>
32 #include <time.h>
33 #include <unistd.h>
34 
35 #include <functional>
36 #include <limits>
37 #include <memory>
38 #include <string>
39 #include <unordered_map>
40 #include <vector>
41 
42 #include <android-base/file.h>
43 #include <android-base/logging.h>
44 #include <android-base/parseint.h>
45 #include <android-base/stringprintf.h>
46 #include <android-base/strings.h>
47 #include <android-base/unique_fd.h>
48 #include <applypatch/applypatch.h>
49 #include <brotli/decode.h>
50 #include <fec/io.h>
51 #include <openssl/sha.h>
52 #include <verity/hash_tree_builder.h>
53 #include <ziparchive/zip_archive.h>
54 
55 #include "edify/expr.h"
56 #include "edify/updater_interface.h"
57 #include "otautil/dirutil.h"
58 #include "otautil/error_code.h"
59 #include "otautil/paths.h"
60 #include "otautil/print_sha1.h"
61 #include "otautil/rangeset.h"
62 #include "private/commands.h"
63 #include "updater/install.h"
64 
65 #ifdef __ANDROID__
66 #include <private/android_filesystem_config.h>
67 // Set this to 0 to interpret 'erase' transfers to mean do a BLKDISCARD ioctl (the normal behavior).
68 // Set to 1 to interpret erase to mean fill the region with zeroes.
69 #define DEBUG_ERASE  0
70 #else
71 #define DEBUG_ERASE 1
72 #define AID_SYSTEM -1
73 #endif  // __ANDROID__
74 
75 static constexpr size_t BLOCKSIZE = 4096;
76 static constexpr mode_t STASH_DIRECTORY_MODE = 0700;
77 static constexpr mode_t STASH_FILE_MODE = 0600;
78 static constexpr mode_t MARKER_DIRECTORY_MODE = 0700;
79 
80 static CauseCode failure_type = kNoCause;
81 static bool is_retry = false;
82 static std::unordered_map<std::string, RangeSet> stash_map;
83 
DeleteLastCommandFile()84 static void DeleteLastCommandFile() {
85   const std::string& last_command_file = Paths::Get().last_command_file();
86   if (unlink(last_command_file.c_str()) == -1 && errno != ENOENT) {
87     PLOG(ERROR) << "Failed to unlink: " << last_command_file;
88   }
89 }
90 
91 // Parse the last command index of the last update and save the result to |last_command_index|.
92 // Return true if we successfully read the index.
ParseLastCommandFile(size_t * last_command_index)93 static bool ParseLastCommandFile(size_t* last_command_index) {
94   const std::string& last_command_file = Paths::Get().last_command_file();
95   android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(last_command_file.c_str(), O_RDONLY)));
96   if (fd == -1) {
97     if (errno != ENOENT) {
98       PLOG(ERROR) << "Failed to open " << last_command_file;
99       return false;
100     }
101 
102     LOG(INFO) << last_command_file << " doesn't exist.";
103     return false;
104   }
105 
106   // Now that the last_command file exists, parse the last command index of previous update.
107   std::string content;
108   if (!android::base::ReadFdToString(fd.get(), &content)) {
109     LOG(ERROR) << "Failed to read: " << last_command_file;
110     return false;
111   }
112 
113   std::vector<std::string> lines = android::base::Split(android::base::Trim(content), "\n");
114   if (lines.size() != 2) {
115     LOG(ERROR) << "Unexpected line counts in last command file: " << content;
116     return false;
117   }
118 
119   if (!android::base::ParseUint(lines[0], last_command_index)) {
120     LOG(ERROR) << "Failed to parse integer in: " << lines[0];
121     return false;
122   }
123 
124   return true;
125 }
126 
FsyncDir(const std::string & dirname)127 static bool FsyncDir(const std::string& dirname) {
128   android::base::unique_fd dfd(TEMP_FAILURE_RETRY(open(dirname.c_str(), O_RDONLY | O_DIRECTORY)));
129   if (dfd == -1) {
130     failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
131     PLOG(ERROR) << "Failed to open " << dirname;
132     return false;
133   }
134   if (fsync(dfd) == -1) {
135     failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
136     PLOG(ERROR) << "Failed to fsync " << dirname;
137     return false;
138   }
139   return true;
140 }
141 
142 // Update the last executed command index in the last_command_file.
UpdateLastCommandIndex(size_t command_index,const std::string & command_string)143 static bool UpdateLastCommandIndex(size_t command_index, const std::string& command_string) {
144   const std::string& last_command_file = Paths::Get().last_command_file();
145   std::string last_command_tmp = last_command_file + ".tmp";
146   std::string content = std::to_string(command_index) + "\n" + command_string;
147   android::base::unique_fd wfd(
148       TEMP_FAILURE_RETRY(open(last_command_tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0660)));
149   if (wfd == -1 || !android::base::WriteStringToFd(content, wfd)) {
150     PLOG(ERROR) << "Failed to update last command";
151     return false;
152   }
153 
154   if (fsync(wfd) == -1) {
155     PLOG(ERROR) << "Failed to fsync " << last_command_tmp;
156     return false;
157   }
158 
159   if (chown(last_command_tmp.c_str(), AID_SYSTEM, AID_SYSTEM) == -1) {
160     PLOG(ERROR) << "Failed to change owner for " << last_command_tmp;
161     return false;
162   }
163 
164   if (rename(last_command_tmp.c_str(), last_command_file.c_str()) == -1) {
165     PLOG(ERROR) << "Failed to rename" << last_command_tmp;
166     return false;
167   }
168 
169   if (!FsyncDir(android::base::Dirname(last_command_file))) {
170     return false;
171   }
172 
173   return true;
174 }
175 
SetUpdatedMarker(const std::string & marker)176 bool SetUpdatedMarker(const std::string& marker) {
177   auto dirname = android::base::Dirname(marker);
178   auto res = mkdir(dirname.c_str(), MARKER_DIRECTORY_MODE);
179   if (res == -1 && errno != EEXIST) {
180     PLOG(ERROR) << "Failed to create directory for marker: " << dirname;
181     return false;
182   }
183 
184   if (!android::base::WriteStringToFile("", marker)) {
185     PLOG(ERROR) << "Failed to write to marker file " << marker;
186     return false;
187   }
188   if (!FsyncDir(dirname)) {
189     return false;
190   }
191   LOG(INFO) << "Wrote updated marker to " << marker;
192   return true;
193 }
194 
discard_blocks(int fd,off64_t offset,uint64_t size,bool force=false)195 static bool discard_blocks(int fd, off64_t offset, uint64_t size, bool force = false) {
196   // Don't discard blocks unless the update is a retry run or force == true
197   if (!is_retry && !force) {
198     return true;
199   }
200 
201   uint64_t args[2] = { static_cast<uint64_t>(offset), size };
202   if (ioctl(fd, BLKDISCARD, &args) == -1) {
203     // On devices that does not support BLKDISCARD, ignore the error.
204     if (errno == EOPNOTSUPP) {
205       return true;
206     }
207     PLOG(ERROR) << "BLKDISCARD ioctl failed";
208     return false;
209   }
210   return true;
211 }
212 
check_lseek(int fd,off64_t offset,int whence)213 static bool check_lseek(int fd, off64_t offset, int whence) {
214     off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
215     if (rc == -1) {
216         failure_type = kLseekFailure;
217         PLOG(ERROR) << "lseek64 failed";
218         return false;
219     }
220     return true;
221 }
222 
allocate(size_t size,std::vector<uint8_t> * buffer)223 static void allocate(size_t size, std::vector<uint8_t>* buffer) {
224   // If the buffer's big enough, reuse it.
225   if (size <= buffer->size()) return;
226   buffer->resize(size);
227 }
228 
229 /**
230  * RangeSinkWriter reads data from the given FD, and writes them to the destination specified by the
231  * given RangeSet.
232  */
233 class RangeSinkWriter {
234  public:
RangeSinkWriter(int fd,const RangeSet & tgt)235   RangeSinkWriter(int fd, const RangeSet& tgt)
236       : fd_(fd),
237         tgt_(tgt),
238         next_range_(0),
239         current_range_left_(0),
240         bytes_written_(0) {
241     CHECK_NE(tgt.size(), static_cast<size_t>(0));
242   };
243 
Finished() const244   bool Finished() const {
245     return next_range_ == tgt_.size() && current_range_left_ == 0;
246   }
247 
AvailableSpace() const248   size_t AvailableSpace() const {
249     return tgt_.blocks() * BLOCKSIZE - bytes_written_;
250   }
251 
252   // Return number of bytes written; and 0 indicates a writing failure.
Write(const uint8_t * data,size_t size)253   size_t Write(const uint8_t* data, size_t size) {
254     if (Finished()) {
255       LOG(ERROR) << "range sink write overrun; can't write " << size << " bytes";
256       return 0;
257     }
258 
259     size_t written = 0;
260     while (size > 0) {
261       // Move to the next range as needed.
262       if (!SeekToOutputRange()) {
263         break;
264       }
265 
266       size_t write_now = size;
267       if (current_range_left_ < write_now) {
268         write_now = current_range_left_;
269       }
270 
271       if (!android::base::WriteFully(fd_, data, write_now)) {
272         failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
273         PLOG(ERROR) << "Failed to write " << write_now << " bytes of data";
274         break;
275       }
276 
277       data += write_now;
278       size -= write_now;
279 
280       current_range_left_ -= write_now;
281       written += write_now;
282     }
283 
284     bytes_written_ += written;
285     return written;
286   }
287 
BytesWritten() const288   size_t BytesWritten() const {
289     return bytes_written_;
290   }
291 
292  private:
293   // Set up the output cursor, move to next range if needed.
SeekToOutputRange()294   bool SeekToOutputRange() {
295     // We haven't finished the current range yet.
296     if (current_range_left_ != 0) {
297       return true;
298     }
299     // We can't write any more; let the write function return how many bytes have been written
300     // so far.
301     if (next_range_ >= tgt_.size()) {
302       return false;
303     }
304 
305     const Range& range = tgt_[next_range_];
306     off64_t offset = static_cast<off64_t>(range.first) * BLOCKSIZE;
307     current_range_left_ = (range.second - range.first) * BLOCKSIZE;
308     next_range_++;
309 
310     if (!discard_blocks(fd_, offset, current_range_left_)) {
311       return false;
312     }
313     if (!check_lseek(fd_, offset, SEEK_SET)) {
314       return false;
315     }
316     return true;
317   }
318 
319   // The output file descriptor.
320   int fd_;
321   // The destination ranges for the data.
322   const RangeSet& tgt_;
323   // The next range that we should write to.
324   size_t next_range_;
325   // The number of bytes to write before moving to the next range.
326   size_t current_range_left_;
327   // Total bytes written by the writer.
328   size_t bytes_written_;
329 };
330 
331 /**
332  * All of the data for all the 'new' transfers is contained in one file in the update package,
333  * concatenated together in the order in which transfers.list will need it. We want to stream it out
334  * of the archive (it's compressed) without writing it to a temp file, but we can't write each
335  * section until it's that transfer's turn to go.
336  *
337  * To achieve this, we expand the new data from the archive in a background thread, and block that
338  * threads 'receive uncompressed data' function until the main thread has reached a point where we
339  * want some new data to be written. We signal the background thread with the destination for the
340  * data and block the main thread, waiting for the background thread to complete writing that
341  * section. Then it signals the main thread to wake up and goes back to blocking waiting for a
342  * transfer.
343  *
344  * NewThreadInfo is the struct used to pass information back and forth between the two threads. When
345  * the main thread wants some data written, it sets writer to the destination location and signals
346  * the condition. When the background thread is done writing, it clears writer and signals the
347  * condition again.
348  */
349 struct NewThreadInfo {
350   ZipArchiveHandle za;
351   ZipEntry64 entry{};
352   bool brotli_compressed;
353 
354   std::unique_ptr<RangeSinkWriter> writer;
355   BrotliDecoderState* brotli_decoder_state;
356   bool receiver_available;
357 
358   pthread_mutex_t mu;
359   pthread_cond_t cv;
360 };
361 
receive_new_data(const uint8_t * data,size_t size,void * cookie)362 static bool receive_new_data(const uint8_t* data, size_t size, void* cookie) {
363   NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
364 
365   while (size > 0) {
366     // Wait for nti->writer to be non-null, indicating some of this data is wanted.
367     pthread_mutex_lock(&nti->mu);
368     while (nti->writer == nullptr) {
369       // End the new data receiver if we encounter an error when performing block image update.
370       if (!nti->receiver_available) {
371         pthread_mutex_unlock(&nti->mu);
372         return false;
373       }
374       pthread_cond_wait(&nti->cv, &nti->mu);
375     }
376     pthread_mutex_unlock(&nti->mu);
377 
378     // At this point nti->writer is set, and we own it. The main thread is waiting for it to
379     // disappear from nti.
380     size_t write_now = std::min(size, nti->writer->AvailableSpace());
381     if (nti->writer->Write(data, write_now) != write_now) {
382       LOG(ERROR) << "Failed to write " << write_now << " bytes.";
383       return false;
384     }
385 
386     data += write_now;
387     size -= write_now;
388 
389     if (nti->writer->Finished()) {
390       // We have written all the bytes desired by this writer.
391 
392       pthread_mutex_lock(&nti->mu);
393       nti->writer = nullptr;
394       pthread_cond_broadcast(&nti->cv);
395       pthread_mutex_unlock(&nti->mu);
396     }
397   }
398 
399   return true;
400 }
401 
receive_brotli_new_data(const uint8_t * data,size_t size,void * cookie)402 static bool receive_brotli_new_data(const uint8_t* data, size_t size, void* cookie) {
403   NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
404 
405   while (size > 0 || BrotliDecoderHasMoreOutput(nti->brotli_decoder_state)) {
406     // Wait for nti->writer to be non-null, indicating some of this data is wanted.
407     pthread_mutex_lock(&nti->mu);
408     while (nti->writer == nullptr) {
409       // End the receiver if we encounter an error when performing block image update.
410       if (!nti->receiver_available) {
411         pthread_mutex_unlock(&nti->mu);
412         return false;
413       }
414       pthread_cond_wait(&nti->cv, &nti->mu);
415     }
416     pthread_mutex_unlock(&nti->mu);
417 
418     // At this point nti->writer is set, and we own it. The main thread is waiting for it to
419     // disappear from nti.
420 
421     size_t buffer_size = std::min<size_t>(32768, nti->writer->AvailableSpace());
422     if (buffer_size == 0) {
423       LOG(ERROR) << "No space left in output range";
424       return false;
425     }
426     uint8_t buffer[buffer_size];
427     size_t available_in = size;
428     size_t available_out = buffer_size;
429     uint8_t* next_out = buffer;
430 
431     // The brotli decoder will update |data|, |available_in|, |next_out| and |available_out|.
432     BrotliDecoderResult result = BrotliDecoderDecompressStream(
433         nti->brotli_decoder_state, &available_in, &data, &available_out, &next_out, nullptr);
434 
435     if (result == BROTLI_DECODER_RESULT_ERROR) {
436       LOG(ERROR) << "Decompression failed with "
437                  << BrotliDecoderErrorString(BrotliDecoderGetErrorCode(nti->brotli_decoder_state));
438       return false;
439     }
440 
441     LOG(DEBUG) << "bytes to write: " << buffer_size - available_out << ", bytes consumed "
442                << size - available_in << ", decoder status " << result;
443 
444     size_t write_now = buffer_size - available_out;
445     if (nti->writer->Write(buffer, write_now) != write_now) {
446       LOG(ERROR) << "Failed to write " << write_now << " bytes.";
447       return false;
448     }
449 
450     // Update the remaining size. The input data ptr is already updated by brotli decoder function.
451     size = available_in;
452 
453     if (nti->writer->Finished()) {
454       // We have written all the bytes desired by this writer.
455 
456       pthread_mutex_lock(&nti->mu);
457       nti->writer = nullptr;
458       pthread_cond_broadcast(&nti->cv);
459       pthread_mutex_unlock(&nti->mu);
460     }
461   }
462 
463   return true;
464 }
465 
unzip_new_data(void * cookie)466 static void* unzip_new_data(void* cookie) {
467   NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
468   if (nti->brotli_compressed) {
469     ProcessZipEntryContents(nti->za, &nti->entry, receive_brotli_new_data, nti);
470   } else {
471     ProcessZipEntryContents(nti->za, &nti->entry, receive_new_data, nti);
472   }
473   pthread_mutex_lock(&nti->mu);
474   nti->receiver_available = false;
475   if (nti->writer != nullptr) {
476     pthread_cond_broadcast(&nti->cv);
477   }
478   pthread_mutex_unlock(&nti->mu);
479   return nullptr;
480 }
481 
ReadBlocks(const RangeSet & src,std::vector<uint8_t> * buffer,int fd)482 static int ReadBlocks(const RangeSet& src, std::vector<uint8_t>* buffer, int fd) {
483   size_t p = 0;
484   for (const auto& [begin, end] : src) {
485     if (!check_lseek(fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
486       return -1;
487     }
488 
489     size_t size = (end - begin) * BLOCKSIZE;
490     if (!android::base::ReadFully(fd, buffer->data() + p, size)) {
491       failure_type = errno == EIO ? kEioFailure : kFreadFailure;
492       PLOG(ERROR) << "Failed to read " << size << " bytes of data";
493       return -1;
494     }
495 
496     p += size;
497   }
498 
499   return 0;
500 }
501 
WriteBlocks(const RangeSet & tgt,const std::vector<uint8_t> & buffer,int fd)502 static int WriteBlocks(const RangeSet& tgt, const std::vector<uint8_t>& buffer, int fd) {
503   size_t written = 0;
504   for (const auto& [begin, end] : tgt) {
505     off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
506     size_t size = (end - begin) * BLOCKSIZE;
507     if (!discard_blocks(fd, offset, size)) {
508       return -1;
509     }
510 
511     if (!check_lseek(fd, offset, SEEK_SET)) {
512       return -1;
513     }
514 
515     if (!android::base::WriteFully(fd, buffer.data() + written, size)) {
516       failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
517       PLOG(ERROR) << "Failed to write " << size << " bytes of data";
518       return -1;
519     }
520 
521     written += size;
522   }
523 
524   return 0;
525 }
526 
527 // Parameters for transfer list command functions
528 struct CommandParameters {
529     std::vector<std::string> tokens;
530     size_t cpos;
531     std::string cmdname;
532     std::string cmdline;
533     std::string freestash;
534     std::string stashbase;
535     bool canwrite;
536     int createdstash;
537     android::base::unique_fd fd;
538     bool foundwrites;
539     bool isunresumable;
540     int version;
541     size_t written;
542     size_t stashed;
543     NewThreadInfo nti;
544     pthread_t thread;
545     std::vector<uint8_t> buffer;
546     uint8_t* patch_start;
547     bool target_verified;  // The target blocks have expected contents already.
548 };
549 
550 // Print the hash in hex for corrupted source blocks (excluding the stashed blocks which is
551 // handled separately).
PrintHashForCorruptedSourceBlocks(const CommandParameters & params,const std::vector<uint8_t> & buffer)552 static void PrintHashForCorruptedSourceBlocks(const CommandParameters& params,
553                                               const std::vector<uint8_t>& buffer) {
554   LOG(INFO) << "unexpected contents of source blocks in cmd:\n" << params.cmdline;
555   CHECK(params.tokens[0] == "move" || params.tokens[0] == "bsdiff" ||
556         params.tokens[0] == "imgdiff");
557 
558   size_t pos = 0;
559   // Command example:
560   // move <onehash> <tgt_range> <src_blk_count> <src_range> [<loc_range> <stashed_blocks>]
561   // bsdiff <offset> <len> <src_hash> <tgt_hash> <tgt_range> <src_blk_count> <src_range>
562   //        [<loc_range> <stashed_blocks>]
563   if (params.tokens[0] == "move") {
564     // src_range for move starts at the 4th position.
565     if (params.tokens.size() < 5) {
566       LOG(ERROR) << "failed to parse source range in cmd:\n" << params.cmdline;
567       return;
568     }
569     pos = 4;
570   } else {
571     // src_range for diff starts at the 7th position.
572     if (params.tokens.size() < 8) {
573       LOG(ERROR) << "failed to parse source range in cmd:\n" << params.cmdline;
574       return;
575     }
576     pos = 7;
577   }
578 
579   // Source blocks in stash only, no work to do.
580   if (params.tokens[pos] == "-") {
581     return;
582   }
583 
584   RangeSet src = RangeSet::Parse(params.tokens[pos++]);
585   if (!src) {
586     LOG(ERROR) << "Failed to parse range in " << params.cmdline;
587     return;
588   }
589 
590   RangeSet locs;
591   // If there's no stashed blocks, content in the buffer is consecutive and has the same
592   // order as the source blocks.
593   if (pos == params.tokens.size()) {
594     locs = RangeSet(std::vector<Range>{ Range{ 0, src.blocks() } });
595   } else {
596     // Otherwise, the next token is the offset of the source blocks in the target range.
597     // Example: for the tokens <4,63946,63947,63948,63979> <4,6,7,8,39> <stashed_blocks>;
598     // We want to print SHA-1 for the data in buffer[6], buffer[8], buffer[9] ... buffer[38];
599     // this corresponds to the 32 src blocks #63946, #63948, #63949 ... #63978.
600     locs = RangeSet::Parse(params.tokens[pos++]);
601     CHECK_EQ(src.blocks(), locs.blocks());
602   }
603 
604   LOG(INFO) << "printing hash in hex for " << src.blocks() << " source blocks";
605   for (size_t i = 0; i < src.blocks(); i++) {
606     size_t block_num = src.GetBlockNumber(i);
607     size_t buffer_index = locs.GetBlockNumber(i);
608     CHECK_LE((buffer_index + 1) * BLOCKSIZE, buffer.size());
609 
610     uint8_t digest[SHA_DIGEST_LENGTH];
611     SHA1(buffer.data() + buffer_index * BLOCKSIZE, BLOCKSIZE, digest);
612     std::string hexdigest = print_sha1(digest);
613     LOG(INFO) << "  block number: " << block_num << ", SHA-1: " << hexdigest;
614   }
615 }
616 
617 // If the calculated hash for the whole stash doesn't match the stash id, print the SHA-1
618 // in hex for each block.
PrintHashForCorruptedStashedBlocks(const std::string & id,const std::vector<uint8_t> & buffer,const RangeSet & src)619 static void PrintHashForCorruptedStashedBlocks(const std::string& id,
620                                                const std::vector<uint8_t>& buffer,
621                                                const RangeSet& src) {
622   LOG(INFO) << "printing hash in hex for stash_id: " << id;
623   CHECK_EQ(src.blocks() * BLOCKSIZE, buffer.size());
624 
625   for (size_t i = 0; i < src.blocks(); i++) {
626     size_t block_num = src.GetBlockNumber(i);
627 
628     uint8_t digest[SHA_DIGEST_LENGTH];
629     SHA1(buffer.data() + i * BLOCKSIZE, BLOCKSIZE, digest);
630     std::string hexdigest = print_sha1(digest);
631     LOG(INFO) << "  block number: " << block_num << ", SHA-1: " << hexdigest;
632   }
633 }
634 
635 // If the stash file doesn't exist, read the source blocks this stash contains and print the
636 // SHA-1 for these blocks.
PrintHashForMissingStashedBlocks(const std::string & id,int fd)637 static void PrintHashForMissingStashedBlocks(const std::string& id, int fd) {
638   if (stash_map.find(id) == stash_map.end()) {
639     LOG(ERROR) << "No stash saved for id: " << id;
640     return;
641   }
642 
643   LOG(INFO) << "print hash in hex for source blocks in missing stash: " << id;
644   const RangeSet& src = stash_map[id];
645   std::vector<uint8_t> buffer(src.blocks() * BLOCKSIZE);
646   if (ReadBlocks(src, &buffer, fd) == -1) {
647     LOG(ERROR) << "failed to read source blocks for stash: " << id;
648     return;
649   }
650   PrintHashForCorruptedStashedBlocks(id, buffer, src);
651 }
652 
VerifyBlocks(const std::string & expected,const std::vector<uint8_t> & buffer,const size_t blocks,bool printerror)653 static int VerifyBlocks(const std::string& expected, const std::vector<uint8_t>& buffer,
654                         const size_t blocks, bool printerror) {
655   uint8_t digest[SHA_DIGEST_LENGTH];
656   const uint8_t* data = buffer.data();
657 
658   SHA1(data, blocks * BLOCKSIZE, digest);
659 
660   std::string hexdigest = print_sha1(digest);
661 
662   if (hexdigest != expected) {
663     if (printerror) {
664       LOG(ERROR) << "failed to verify blocks (expected " << expected << ", read " << hexdigest
665                  << ")";
666     }
667     return -1;
668   }
669 
670   return 0;
671 }
672 
GetStashFileName(const std::string & base,const std::string & id,const std::string & postfix)673 static std::string GetStashFileName(const std::string& base, const std::string& id,
674                                     const std::string& postfix) {
675   if (base.empty()) {
676     return "";
677   }
678   std::string filename = Paths::Get().stash_directory_base() + "/" + base;
679   if (id.empty() && postfix.empty()) {
680     return filename;
681   }
682   return filename + "/" + id + postfix;
683 }
684 
685 // Does a best effort enumeration of stash files. Ignores possible non-file items in the stash
686 // directory and continues despite of errors. Calls the 'callback' function for each file.
EnumerateStash(const std::string & dirname,const std::function<void (const std::string &)> & callback)687 static void EnumerateStash(const std::string& dirname,
688                            const std::function<void(const std::string&)>& callback) {
689   if (dirname.empty()) return;
690 
691   std::unique_ptr<DIR, decltype(&closedir)> directory(opendir(dirname.c_str()), closedir);
692 
693   if (directory == nullptr) {
694     if (errno != ENOENT) {
695       PLOG(ERROR) << "opendir \"" << dirname << "\" failed";
696     }
697     return;
698   }
699 
700   dirent* item;
701   while ((item = readdir(directory.get())) != nullptr) {
702     if (item->d_type != DT_REG) continue;
703     callback(dirname + "/" + item->d_name);
704   }
705 }
706 
707 // Deletes the stash directory and all files in it. Assumes that it only
708 // contains files. There is nothing we can do about unlikely, but possible
709 // errors, so they are merely logged.
DeleteFile(const std::string & fn)710 static void DeleteFile(const std::string& fn) {
711   if (fn.empty()) return;
712 
713   LOG(INFO) << "deleting " << fn;
714 
715   if (unlink(fn.c_str()) == -1 && errno != ENOENT) {
716     PLOG(ERROR) << "unlink \"" << fn << "\" failed";
717   }
718 }
719 
DeleteStash(const std::string & base)720 static void DeleteStash(const std::string& base) {
721   if (base.empty()) return;
722 
723   LOG(INFO) << "deleting stash " << base;
724 
725   std::string dirname = GetStashFileName(base, "", "");
726   EnumerateStash(dirname, DeleteFile);
727 
728   if (rmdir(dirname.c_str()) == -1) {
729     if (errno != ENOENT && errno != ENOTDIR) {
730       PLOG(ERROR) << "rmdir \"" << dirname << "\" failed";
731     }
732   }
733 }
734 
LoadStash(const CommandParameters & params,const std::string & id,bool verify,std::vector<uint8_t> * buffer,bool printnoent)735 static int LoadStash(const CommandParameters& params, const std::string& id, bool verify,
736                      std::vector<uint8_t>* buffer, bool printnoent) {
737   // In verify mode, if source range_set was saved for the given hash, check contents in the source
738   // blocks first. If the check fails, search for the stashed files on /cache as usual.
739   if (!params.canwrite) {
740     if (stash_map.find(id) != stash_map.end()) {
741       const RangeSet& src = stash_map[id];
742       allocate(src.blocks() * BLOCKSIZE, buffer);
743 
744       if (ReadBlocks(src, buffer, params.fd) == -1) {
745         LOG(ERROR) << "failed to read source blocks in stash map.";
746         return -1;
747       }
748       if (VerifyBlocks(id, *buffer, src.blocks(), true) != 0) {
749         LOG(ERROR) << "failed to verify loaded source blocks in stash map.";
750         if (!is_retry) {
751           PrintHashForCorruptedStashedBlocks(id, *buffer, src);
752         }
753         return -1;
754       }
755       return 0;
756     }
757   }
758 
759   std::string fn = GetStashFileName(params.stashbase, id, "");
760 
761   struct stat sb;
762   if (stat(fn.c_str(), &sb) == -1) {
763     if (errno != ENOENT || printnoent) {
764       PLOG(ERROR) << "stat \"" << fn << "\" failed";
765       PrintHashForMissingStashedBlocks(id, params.fd);
766     }
767     return -1;
768   }
769 
770   LOG(INFO) << " loading " << fn;
771 
772   if ((sb.st_size % BLOCKSIZE) != 0) {
773     LOG(ERROR) << fn << " size " << sb.st_size << " not multiple of block size " << BLOCKSIZE;
774     return -1;
775   }
776 
777   android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(fn.c_str(), O_RDONLY)));
778   if (fd == -1) {
779     failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
780     PLOG(ERROR) << "open \"" << fn << "\" failed";
781     return -1;
782   }
783 
784   allocate(sb.st_size, buffer);
785 
786   if (!android::base::ReadFully(fd, buffer->data(), sb.st_size)) {
787     failure_type = errno == EIO ? kEioFailure : kFreadFailure;
788     PLOG(ERROR) << "Failed to read " << sb.st_size << " bytes of data";
789     return -1;
790   }
791 
792   size_t blocks = sb.st_size / BLOCKSIZE;
793   if (verify && VerifyBlocks(id, *buffer, blocks, true) != 0) {
794     LOG(ERROR) << "unexpected contents in " << fn;
795     if (stash_map.find(id) == stash_map.end()) {
796       LOG(ERROR) << "failed to find source blocks number for stash " << id
797                  << " when executing command: " << params.cmdname;
798     } else {
799       const RangeSet& src = stash_map[id];
800       PrintHashForCorruptedStashedBlocks(id, *buffer, src);
801     }
802     DeleteFile(fn);
803     return -1;
804   }
805 
806   return 0;
807 }
808 
WriteStash(const std::string & base,const std::string & id,int blocks,const std::vector<uint8_t> & buffer,bool checkspace,bool * exists)809 static int WriteStash(const std::string& base, const std::string& id, int blocks,
810                       const std::vector<uint8_t>& buffer, bool checkspace, bool* exists) {
811   if (base.empty()) {
812     return -1;
813   }
814 
815   if (checkspace && !CheckAndFreeSpaceOnCache(blocks * BLOCKSIZE)) {
816     LOG(ERROR) << "not enough space to write stash";
817     return -1;
818   }
819 
820   std::string fn = GetStashFileName(base, id, ".partial");
821   std::string cn = GetStashFileName(base, id, "");
822 
823   if (exists) {
824     struct stat sb;
825     int res = stat(cn.c_str(), &sb);
826 
827     if (res == 0) {
828       // The file already exists and since the name is the hash of the contents,
829       // it's safe to assume the contents are identical (accidental hash collisions
830       // are unlikely)
831       LOG(INFO) << " skipping " << blocks << " existing blocks in " << cn;
832       *exists = true;
833       return 0;
834     }
835 
836     *exists = false;
837   }
838 
839   LOG(INFO) << " writing " << blocks << " blocks to " << cn;
840 
841   android::base::unique_fd fd(
842       TEMP_FAILURE_RETRY(open(fn.c_str(), O_WRONLY | O_CREAT | O_TRUNC, STASH_FILE_MODE)));
843   if (fd == -1) {
844     failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
845     PLOG(ERROR) << "failed to create \"" << fn << "\"";
846     return -1;
847   }
848 
849   if (fchown(fd, AID_SYSTEM, AID_SYSTEM) != 0) {  // system user
850     PLOG(ERROR) << "failed to chown \"" << fn << "\"";
851     return -1;
852   }
853 
854   if (!android::base::WriteFully(fd, buffer.data(), blocks * BLOCKSIZE)) {
855     failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
856     PLOG(ERROR) << "Failed to write " << blocks * BLOCKSIZE << " bytes of data";
857     return -1;
858   }
859 
860   if (fsync(fd) == -1) {
861     failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
862     PLOG(ERROR) << "fsync \"" << fn << "\" failed";
863     return -1;
864   }
865 
866   if (rename(fn.c_str(), cn.c_str()) == -1) {
867     PLOG(ERROR) << "rename(\"" << fn << "\", \"" << cn << "\") failed";
868     return -1;
869   }
870 
871   std::string dname = GetStashFileName(base, "", "");
872   if (!FsyncDir(dname)) {
873     return -1;
874   }
875 
876   return 0;
877 }
878 
879 // Creates a directory for storing stash files and checks if the /cache partition
880 // hash enough space for the expected amount of blocks we need to store. Returns
881 // >0 if we created the directory, zero if it existed already, and <0 of failure.
CreateStash(State * state,size_t maxblocks,const std::string & base)882 static int CreateStash(State* state, size_t maxblocks, const std::string& base) {
883   std::string dirname = GetStashFileName(base, "", "");
884   struct stat sb;
885   int res = stat(dirname.c_str(), &sb);
886   if (res == -1 && errno != ENOENT) {
887     ErrorAbort(state, kStashCreationFailure, "stat \"%s\" failed: %s", dirname.c_str(),
888                strerror(errno));
889     return -1;
890   }
891 
892   size_t max_stash_size = maxblocks * BLOCKSIZE;
893   if (res == -1) {
894     LOG(INFO) << "creating stash " << dirname;
895     res = mkdir_recursively(dirname, STASH_DIRECTORY_MODE, false, nullptr);
896 
897     if (res != 0) {
898       ErrorAbort(state, kStashCreationFailure, "mkdir \"%s\" failed: %s", dirname.c_str(),
899                  strerror(errno));
900       return -1;
901     }
902 
903     if (chown(dirname.c_str(), AID_SYSTEM, AID_SYSTEM) != 0) {  // system user
904       ErrorAbort(state, kStashCreationFailure, "chown \"%s\" failed: %s", dirname.c_str(),
905                  strerror(errno));
906       return -1;
907     }
908 
909     if (!CheckAndFreeSpaceOnCache(max_stash_size)) {
910       ErrorAbort(state, kStashCreationFailure, "not enough space for stash (%zu needed)",
911                  max_stash_size);
912       return -1;
913     }
914 
915     return 1;  // Created directory
916   }
917 
918   LOG(INFO) << "using existing stash " << dirname;
919 
920   // If the directory already exists, calculate the space already allocated to stash files and check
921   // if there's enough for all required blocks. Delete any partially completed stash files first.
922   EnumerateStash(dirname, [](const std::string& fn) {
923     if (android::base::EndsWith(fn, ".partial")) {
924       DeleteFile(fn);
925     }
926   });
927 
928   size_t existing = 0;
929   EnumerateStash(dirname, [&existing](const std::string& fn) {
930     if (fn.empty()) return;
931     struct stat sb;
932     if (stat(fn.c_str(), &sb) == -1) {
933       PLOG(ERROR) << "stat \"" << fn << "\" failed";
934       return;
935     }
936     existing += static_cast<size_t>(sb.st_size);
937   });
938 
939   if (max_stash_size > existing) {
940     size_t needed = max_stash_size - existing;
941     if (!CheckAndFreeSpaceOnCache(needed)) {
942       ErrorAbort(state, kStashCreationFailure, "not enough space for stash (%zu more needed)",
943                  needed);
944       return -1;
945     }
946   }
947 
948   return 0;  // Using existing directory
949 }
950 
FreeStash(const std::string & base,const std::string & id)951 static int FreeStash(const std::string& base, const std::string& id) {
952   if (base.empty() || id.empty()) {
953     return -1;
954   }
955 
956   DeleteFile(GetStashFileName(base, id, ""));
957 
958   return 0;
959 }
960 
961 // Source contains packed data, which we want to move to the locations given in locs in the dest
962 // buffer. source and dest may be the same buffer.
MoveRange(std::vector<uint8_t> & dest,const RangeSet & locs,const std::vector<uint8_t> & source)963 static void MoveRange(std::vector<uint8_t>& dest, const RangeSet& locs,
964                       const std::vector<uint8_t>& source) {
965   const uint8_t* from = source.data();
966   uint8_t* to = dest.data();
967   size_t start = locs.blocks();
968   // Must do the movement backward.
969   for (auto it = locs.crbegin(); it != locs.crend(); it++) {
970     size_t blocks = it->second - it->first;
971     start -= blocks;
972     memmove(to + (it->first * BLOCKSIZE), from + (start * BLOCKSIZE), blocks * BLOCKSIZE);
973   }
974 }
975 
976 /**
977  * We expect to parse the remainder of the parameter tokens as one of:
978  *
979  *    <src_block_count> <src_range>
980  *        (loads data from source image only)
981  *
982  *    <src_block_count> - <[stash_id:stash_range] ...>
983  *        (loads data from stashes only)
984  *
985  *    <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
986  *        (loads data from both source image and stashes)
987  *
988  * On return, params.buffer is filled with the loaded source data (rearranged and combined with
989  * stashed data as necessary). buffer may be reallocated if needed to accommodate the source data.
990  * tgt is the target RangeSet for detecting overlaps. Any stashes required are loaded using
991  * LoadStash.
992  */
LoadSourceBlocks(CommandParameters & params,const RangeSet & tgt,size_t * src_blocks,bool * overlap)993 static int LoadSourceBlocks(CommandParameters& params, const RangeSet& tgt, size_t* src_blocks,
994                             bool* overlap) {
995   CHECK(src_blocks != nullptr);
996   CHECK(overlap != nullptr);
997 
998   // <src_block_count>
999   const std::string& token = params.tokens[params.cpos++];
1000   if (!android::base::ParseUint(token, src_blocks)) {
1001     LOG(ERROR) << "invalid src_block_count \"" << token << "\"";
1002     return -1;
1003   }
1004 
1005   allocate(*src_blocks * BLOCKSIZE, &params.buffer);
1006 
1007   // "-" or <src_range> [<src_loc>]
1008   if (params.tokens[params.cpos] == "-") {
1009     // no source ranges, only stashes
1010     params.cpos++;
1011   } else {
1012     RangeSet src = RangeSet::Parse(params.tokens[params.cpos++]);
1013     CHECK(static_cast<bool>(src));
1014     *overlap = src.Overlaps(tgt);
1015 
1016     if (ReadBlocks(src, &params.buffer, params.fd) == -1) {
1017       return -1;
1018     }
1019 
1020     if (params.cpos >= params.tokens.size()) {
1021       // no stashes, only source range
1022       return 0;
1023     }
1024 
1025     RangeSet locs = RangeSet::Parse(params.tokens[params.cpos++]);
1026     CHECK(static_cast<bool>(locs));
1027     MoveRange(params.buffer, locs, params.buffer);
1028   }
1029 
1030   // <[stash_id:stash_range]>
1031   while (params.cpos < params.tokens.size()) {
1032     // Each word is a an index into the stash table, a colon, and then a RangeSet describing where
1033     // in the source block that stashed data should go.
1034     std::vector<std::string> tokens = android::base::Split(params.tokens[params.cpos++], ":");
1035     if (tokens.size() != 2) {
1036       LOG(ERROR) << "invalid parameter";
1037       return -1;
1038     }
1039 
1040     std::vector<uint8_t> stash;
1041     if (LoadStash(params, tokens[0], false, &stash, true) == -1) {
1042       // These source blocks will fail verification if used later, but we
1043       // will let the caller decide if this is a fatal failure
1044       LOG(ERROR) << "failed to load stash " << tokens[0];
1045       continue;
1046     }
1047 
1048     RangeSet locs = RangeSet::Parse(tokens[1]);
1049     CHECK(static_cast<bool>(locs));
1050     MoveRange(params.buffer, locs, stash);
1051   }
1052 
1053   return 0;
1054 }
1055 
1056 /**
1057  * Do a source/target load for move/bsdiff/imgdiff in version 3.
1058  *
1059  * We expect to parse the remainder of the parameter tokens as one of:
1060  *
1061  *    <tgt_range> <src_block_count> <src_range>
1062  *        (loads data from source image only)
1063  *
1064  *    <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
1065  *        (loads data from stashes only)
1066  *
1067  *    <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
1068  *        (loads data from both source image and stashes)
1069  *
1070  * 'onehash' tells whether to expect separate source and targe block hashes, or if they are both the
1071  * same and only one hash should be expected. params.isunresumable will be set to true if block
1072  * verification fails in a way that the update cannot be resumed anymore.
1073  *
1074  * If the function is unable to load the necessary blocks or their contents don't match the hashes,
1075  * the return value is -1 and the command should be aborted.
1076  *
1077  * If the return value is 1, the command has already been completed according to the contents of the
1078  * target blocks, and should not be performed again.
1079  *
1080  * If the return value is 0, source blocks have expected content and the command can be performed.
1081  */
LoadSrcTgtVersion3(CommandParameters & params,RangeSet * tgt,size_t * src_blocks,bool onehash)1082 static int LoadSrcTgtVersion3(CommandParameters& params, RangeSet* tgt, size_t* src_blocks,
1083                               bool onehash) {
1084   CHECK(src_blocks != nullptr);
1085 
1086   if (params.cpos >= params.tokens.size()) {
1087     LOG(ERROR) << "missing source hash";
1088     return -1;
1089   }
1090 
1091   std::string srchash = params.tokens[params.cpos++];
1092   std::string tgthash;
1093 
1094   if (onehash) {
1095     tgthash = srchash;
1096   } else {
1097     if (params.cpos >= params.tokens.size()) {
1098       LOG(ERROR) << "missing target hash";
1099       return -1;
1100     }
1101     tgthash = params.tokens[params.cpos++];
1102   }
1103 
1104   // At least it needs to provide three parameters: <tgt_range>, <src_block_count> and
1105   // "-"/<src_range>.
1106   if (params.cpos + 2 >= params.tokens.size()) {
1107     LOG(ERROR) << "invalid parameters";
1108     return -1;
1109   }
1110 
1111   // <tgt_range>
1112   *tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1113   CHECK(static_cast<bool>(*tgt));
1114 
1115   std::vector<uint8_t> tgtbuffer(tgt->blocks() * BLOCKSIZE);
1116   if (ReadBlocks(*tgt, &tgtbuffer, params.fd) == -1) {
1117     return -1;
1118   }
1119 
1120   // Return now if target blocks already have expected content.
1121   if (VerifyBlocks(tgthash, tgtbuffer, tgt->blocks(), false) == 0) {
1122     return 1;
1123   }
1124 
1125   // Load source blocks.
1126   bool overlap = false;
1127   if (LoadSourceBlocks(params, *tgt, src_blocks, &overlap) == -1) {
1128     return -1;
1129   }
1130 
1131   if (VerifyBlocks(srchash, params.buffer, *src_blocks, true) == 0) {
1132     // If source and target blocks overlap, stash the source blocks so we can resume from possible
1133     // write errors. In verify mode, we can skip stashing because the source blocks won't be
1134     // overwritten.
1135     if (overlap && params.canwrite) {
1136       LOG(INFO) << "stashing " << *src_blocks << " overlapping blocks to " << srchash;
1137 
1138       bool stash_exists = false;
1139       if (WriteStash(params.stashbase, srchash, *src_blocks, params.buffer, true,
1140                      &stash_exists) != 0) {
1141         LOG(ERROR) << "failed to stash overlapping source blocks";
1142         return -1;
1143       }
1144 
1145       params.stashed += *src_blocks;
1146       // Can be deleted when the write has completed.
1147       if (!stash_exists) {
1148         params.freestash = srchash;
1149       }
1150     }
1151 
1152     // Source blocks have expected content, command can proceed.
1153     return 0;
1154   }
1155 
1156   if (overlap && LoadStash(params, srchash, true, &params.buffer, true) == 0) {
1157     // Overlapping source blocks were previously stashed, command can proceed. We are recovering
1158     // from an interrupted command, so we don't know if the stash can safely be deleted after this
1159     // command.
1160     return 0;
1161   }
1162 
1163   // Valid source data not available, update cannot be resumed.
1164   LOG(ERROR) << "partition has unexpected contents";
1165   PrintHashForCorruptedSourceBlocks(params, params.buffer);
1166 
1167   params.isunresumable = true;
1168 
1169   return -1;
1170 }
1171 
PerformCommandMove(CommandParameters & params)1172 static int PerformCommandMove(CommandParameters& params) {
1173   size_t blocks = 0;
1174   RangeSet tgt;
1175   int status = LoadSrcTgtVersion3(params, &tgt, &blocks, true);
1176 
1177   if (status == -1) {
1178     LOG(ERROR) << "failed to read blocks for move";
1179     return -1;
1180   }
1181 
1182   if (status == 0) {
1183     params.foundwrites = true;
1184   } else {
1185     params.target_verified = true;
1186     if (params.foundwrites) {
1187       LOG(WARNING) << "warning: commands executed out of order [" << params.cmdname << "]";
1188     }
1189   }
1190 
1191   if (params.canwrite) {
1192     if (status == 0) {
1193       LOG(INFO) << "  moving " << blocks << " blocks";
1194 
1195       if (WriteBlocks(tgt, params.buffer, params.fd) == -1) {
1196         return -1;
1197       }
1198     } else {
1199       LOG(INFO) << "skipping " << blocks << " already moved blocks";
1200     }
1201   }
1202 
1203   if (!params.freestash.empty()) {
1204     FreeStash(params.stashbase, params.freestash);
1205     params.freestash.clear();
1206   }
1207 
1208   params.written += tgt.blocks();
1209 
1210   return 0;
1211 }
1212 
PerformCommandStash(CommandParameters & params)1213 static int PerformCommandStash(CommandParameters& params) {
1214   // <stash_id> <src_range>
1215   if (params.cpos + 1 >= params.tokens.size()) {
1216     LOG(ERROR) << "missing id and/or src range fields in stash command";
1217     return -1;
1218   }
1219 
1220   const std::string& id = params.tokens[params.cpos++];
1221   if (LoadStash(params, id, true, &params.buffer, false) == 0) {
1222     // Stash file already exists and has expected contents. Do not read from source again, as the
1223     // source may have been already overwritten during a previous attempt.
1224     return 0;
1225   }
1226 
1227   RangeSet src = RangeSet::Parse(params.tokens[params.cpos++]);
1228   CHECK(static_cast<bool>(src));
1229 
1230   size_t blocks = src.blocks();
1231   allocate(blocks * BLOCKSIZE, &params.buffer);
1232   if (ReadBlocks(src, &params.buffer, params.fd) == -1) {
1233     return -1;
1234   }
1235   stash_map[id] = src;
1236 
1237   if (VerifyBlocks(id, params.buffer, blocks, true) != 0) {
1238     // Source blocks have unexpected contents. If we actually need this data later, this is an
1239     // unrecoverable error. However, the command that uses the data may have already completed
1240     // previously, so the possible failure will occur during source block verification.
1241     LOG(ERROR) << "failed to load source blocks for stash " << id;
1242     return 0;
1243   }
1244 
1245   // In verify mode, we don't need to stash any blocks.
1246   if (!params.canwrite) {
1247     return 0;
1248   }
1249 
1250   LOG(INFO) << "stashing " << blocks << " blocks to " << id;
1251   int result = WriteStash(params.stashbase, id, blocks, params.buffer, false, nullptr);
1252   if (result == 0) {
1253     params.stashed += blocks;
1254   }
1255   return result;
1256 }
1257 
PerformCommandFree(CommandParameters & params)1258 static int PerformCommandFree(CommandParameters& params) {
1259   // <stash_id>
1260   if (params.cpos >= params.tokens.size()) {
1261     LOG(ERROR) << "missing stash id in free command";
1262     return -1;
1263   }
1264 
1265   const std::string& id = params.tokens[params.cpos++];
1266   stash_map.erase(id);
1267 
1268   if (params.createdstash || params.canwrite) {
1269     return FreeStash(params.stashbase, id);
1270   }
1271 
1272   return 0;
1273 }
1274 
PerformCommandZero(CommandParameters & params)1275 static int PerformCommandZero(CommandParameters& params) {
1276   if (params.cpos >= params.tokens.size()) {
1277     LOG(ERROR) << "missing target blocks for zero";
1278     return -1;
1279   }
1280 
1281   RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1282   CHECK(static_cast<bool>(tgt));
1283 
1284   LOG(INFO) << "  zeroing " << tgt.blocks() << " blocks";
1285 
1286   allocate(BLOCKSIZE, &params.buffer);
1287   memset(params.buffer.data(), 0, BLOCKSIZE);
1288 
1289   if (params.canwrite) {
1290     for (const auto& [begin, end] : tgt) {
1291       off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
1292       size_t size = (end - begin) * BLOCKSIZE;
1293       if (!discard_blocks(params.fd, offset, size)) {
1294         return -1;
1295       }
1296 
1297       if (!check_lseek(params.fd, offset, SEEK_SET)) {
1298         return -1;
1299       }
1300 
1301       for (size_t j = begin; j < end; ++j) {
1302         if (!android::base::WriteFully(params.fd, params.buffer.data(), BLOCKSIZE)) {
1303           failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
1304           PLOG(ERROR) << "Failed to write " << BLOCKSIZE << " bytes of data";
1305           return -1;
1306         }
1307       }
1308     }
1309   }
1310 
1311   if (params.cmdname[0] == 'z') {
1312     // Update only for the zero command, as the erase command will call
1313     // this if DEBUG_ERASE is defined.
1314     params.written += tgt.blocks();
1315   }
1316 
1317   return 0;
1318 }
1319 
PerformCommandNew(CommandParameters & params)1320 static int PerformCommandNew(CommandParameters& params) {
1321   if (params.cpos >= params.tokens.size()) {
1322     LOG(ERROR) << "missing target blocks for new";
1323     return -1;
1324   }
1325 
1326   RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1327   CHECK(static_cast<bool>(tgt));
1328 
1329   if (params.canwrite) {
1330     LOG(INFO) << " writing " << tgt.blocks() << " blocks of new data";
1331 
1332     pthread_mutex_lock(&params.nti.mu);
1333     params.nti.writer = std::make_unique<RangeSinkWriter>(params.fd, tgt);
1334     pthread_cond_broadcast(&params.nti.cv);
1335 
1336     while (params.nti.writer != nullptr) {
1337       if (!params.nti.receiver_available) {
1338         LOG(ERROR) << "missing " << (tgt.blocks() * BLOCKSIZE - params.nti.writer->BytesWritten())
1339                    << " bytes of new data";
1340         pthread_mutex_unlock(&params.nti.mu);
1341         return -1;
1342       }
1343       pthread_cond_wait(&params.nti.cv, &params.nti.mu);
1344     }
1345 
1346     pthread_mutex_unlock(&params.nti.mu);
1347   }
1348 
1349   params.written += tgt.blocks();
1350 
1351   return 0;
1352 }
1353 
PerformCommandDiff(CommandParameters & params)1354 static int PerformCommandDiff(CommandParameters& params) {
1355   // <offset> <length>
1356   if (params.cpos + 1 >= params.tokens.size()) {
1357     LOG(ERROR) << "missing patch offset or length for " << params.cmdname;
1358     return -1;
1359   }
1360 
1361   size_t offset;
1362   if (!android::base::ParseUint(params.tokens[params.cpos++], &offset)) {
1363     LOG(ERROR) << "invalid patch offset";
1364     return -1;
1365   }
1366 
1367   size_t len;
1368   if (!android::base::ParseUint(params.tokens[params.cpos++], &len)) {
1369     LOG(ERROR) << "invalid patch len";
1370     return -1;
1371   }
1372 
1373   RangeSet tgt;
1374   size_t blocks = 0;
1375   int status = LoadSrcTgtVersion3(params, &tgt, &blocks, false);
1376 
1377   if (status == -1) {
1378     LOG(ERROR) << "failed to read blocks for diff";
1379     return -1;
1380   }
1381 
1382   if (status == 0) {
1383     params.foundwrites = true;
1384   } else {
1385     params.target_verified = true;
1386     if (params.foundwrites) {
1387       LOG(WARNING) << "warning: commands executed out of order [" << params.cmdname << "]";
1388     }
1389   }
1390 
1391   if (params.canwrite) {
1392     if (status == 0) {
1393       LOG(INFO) << "patching " << blocks << " blocks to " << tgt.blocks();
1394       Value patch_value(
1395           Value::Type::BLOB,
1396           std::string(reinterpret_cast<const char*>(params.patch_start + offset), len));
1397 
1398       RangeSinkWriter writer(params.fd, tgt);
1399       if (params.cmdname[0] == 'i') {  // imgdiff
1400         if (ApplyImagePatch(params.buffer.data(), blocks * BLOCKSIZE, patch_value,
1401                             std::bind(&RangeSinkWriter::Write, &writer, std::placeholders::_1,
1402                                       std::placeholders::_2),
1403                             nullptr) != 0) {
1404           LOG(ERROR) << "Failed to apply image patch.";
1405           failure_type = kPatchApplicationFailure;
1406           return -1;
1407         }
1408       } else {
1409         if (ApplyBSDiffPatch(params.buffer.data(), blocks * BLOCKSIZE, patch_value, 0,
1410                              std::bind(&RangeSinkWriter::Write, &writer, std::placeholders::_1,
1411                                        std::placeholders::_2)) != 0) {
1412           LOG(ERROR) << "Failed to apply bsdiff patch.";
1413           failure_type = kPatchApplicationFailure;
1414           return -1;
1415         }
1416       }
1417 
1418       // We expect the output of the patcher to fill the tgt ranges exactly.
1419       if (!writer.Finished()) {
1420         LOG(ERROR) << "Failed to fully write target blocks (range sink underrun): Missing "
1421                    << writer.AvailableSpace() << " bytes";
1422         failure_type = kPatchApplicationFailure;
1423         return -1;
1424       }
1425     } else {
1426       LOG(INFO) << "skipping " << blocks << " blocks already patched to " << tgt.blocks() << " ["
1427                 << params.cmdline << "]";
1428     }
1429   }
1430 
1431   if (!params.freestash.empty()) {
1432     FreeStash(params.stashbase, params.freestash);
1433     params.freestash.clear();
1434   }
1435 
1436   params.written += tgt.blocks();
1437 
1438   return 0;
1439 }
1440 
PerformCommandErase(CommandParameters & params)1441 static int PerformCommandErase(CommandParameters& params) {
1442   if (DEBUG_ERASE) {
1443     return PerformCommandZero(params);
1444   }
1445 
1446   struct stat sb;
1447   if (fstat(params.fd, &sb) == -1) {
1448     PLOG(ERROR) << "failed to fstat device to erase";
1449     return -1;
1450   }
1451 
1452   if (!S_ISBLK(sb.st_mode)) {
1453     LOG(ERROR) << "not a block device; skipping erase";
1454     return -1;
1455   }
1456 
1457   if (params.cpos >= params.tokens.size()) {
1458     LOG(ERROR) << "missing target blocks for erase";
1459     return -1;
1460   }
1461 
1462   RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1463   CHECK(static_cast<bool>(tgt));
1464 
1465   if (params.canwrite) {
1466     LOG(INFO) << " erasing " << tgt.blocks() << " blocks";
1467 
1468     for (const auto& [begin, end] : tgt) {
1469       off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
1470       size_t size = (end - begin) * BLOCKSIZE;
1471       if (!discard_blocks(params.fd, offset, size, true /* force */)) {
1472         return -1;
1473       }
1474     }
1475   }
1476 
1477   return 0;
1478 }
1479 
PerformCommandAbort(CommandParameters &)1480 static int PerformCommandAbort(CommandParameters&) {
1481   LOG(INFO) << "Aborting as instructed";
1482   return -1;
1483 }
1484 
1485 // Computes the hash_tree bytes based on the parameters, checks if the root hash of the tree
1486 // matches the expected hash and writes the result to the specified range on the block_device.
1487 // Hash_tree computation arguments:
1488 //   hash_tree_ranges
1489 //   source_ranges
1490 //   hash_algorithm
1491 //   salt_hex
1492 //   root_hash
PerformCommandComputeHashTree(CommandParameters & params)1493 static int PerformCommandComputeHashTree(CommandParameters& params) {
1494   if (params.cpos + 5 != params.tokens.size()) {
1495     LOG(ERROR) << "Invaild arguments count in hash computation " << params.cmdline;
1496     return -1;
1497   }
1498 
1499   // Expects the hash_tree data to be contiguous.
1500   RangeSet hash_tree_ranges = RangeSet::Parse(params.tokens[params.cpos++]);
1501   if (!hash_tree_ranges || hash_tree_ranges.size() != 1) {
1502     LOG(ERROR) << "Invalid hash tree ranges in " << params.cmdline;
1503     return -1;
1504   }
1505 
1506   RangeSet source_ranges = RangeSet::Parse(params.tokens[params.cpos++]);
1507   if (!source_ranges) {
1508     LOG(ERROR) << "Invalid source ranges in " << params.cmdline;
1509     return -1;
1510   }
1511 
1512   auto hash_function = HashTreeBuilder::HashFunction(params.tokens[params.cpos++]);
1513   if (hash_function == nullptr) {
1514     LOG(ERROR) << "Invalid hash algorithm in " << params.cmdline;
1515     return -1;
1516   }
1517 
1518   std::vector<unsigned char> salt;
1519   std::string salt_hex = params.tokens[params.cpos++];
1520   if (salt_hex.empty() || !HashTreeBuilder::ParseBytesArrayFromString(salt_hex, &salt)) {
1521     LOG(ERROR) << "Failed to parse salt in " << params.cmdline;
1522     return -1;
1523   }
1524 
1525   std::string expected_root_hash = params.tokens[params.cpos++];
1526   if (expected_root_hash.empty()) {
1527     LOG(ERROR) << "Invalid root hash in " << params.cmdline;
1528     return -1;
1529   }
1530 
1531   // Starts the hash_tree computation.
1532   HashTreeBuilder builder(BLOCKSIZE, hash_function);
1533   if (!builder.Initialize(static_cast<int64_t>(source_ranges.blocks()) * BLOCKSIZE, salt)) {
1534     LOG(ERROR) << "Failed to initialize hash tree computation, source " << source_ranges.ToString()
1535                << ", salt " << salt_hex;
1536     return -1;
1537   }
1538 
1539   // Iterates through every block in the source_ranges and updates the hash tree structure
1540   // accordingly.
1541   for (const auto& [begin, end] : source_ranges) {
1542     uint8_t buffer[BLOCKSIZE];
1543     if (!check_lseek(params.fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
1544       PLOG(ERROR) << "Failed to seek to block: " << begin;
1545       return -1;
1546     }
1547 
1548     for (size_t i = begin; i < end; i++) {
1549       if (!android::base::ReadFully(params.fd, buffer, BLOCKSIZE)) {
1550         failure_type = errno == EIO ? kEioFailure : kFreadFailure;
1551         LOG(ERROR) << "Failed to read data in " << begin << ":" << end;
1552         return -1;
1553       }
1554 
1555       if (!builder.Update(reinterpret_cast<unsigned char*>(buffer), BLOCKSIZE)) {
1556         LOG(ERROR) << "Failed to update hash tree builder";
1557         return -1;
1558       }
1559     }
1560   }
1561 
1562   if (!builder.BuildHashTree()) {
1563     LOG(ERROR) << "Failed to build hash tree";
1564     return -1;
1565   }
1566 
1567   std::string root_hash_hex = HashTreeBuilder::BytesArrayToString(builder.root_hash());
1568   if (root_hash_hex != expected_root_hash) {
1569     LOG(ERROR) << "Root hash of the verity hash tree doesn't match the expected value. Expected: "
1570                << expected_root_hash << ", actual: " << root_hash_hex;
1571     return -1;
1572   }
1573 
1574   uint64_t write_offset = static_cast<uint64_t>(hash_tree_ranges.GetBlockNumber(0)) * BLOCKSIZE;
1575   if (params.canwrite && !builder.WriteHashTreeToFd(params.fd, write_offset)) {
1576     LOG(ERROR) << "Failed to write hash tree to output";
1577     return -1;
1578   }
1579 
1580   // TODO(xunchang) validates the written bytes
1581 
1582   return 0;
1583 }
1584 
1585 using CommandFunction = std::function<int(CommandParameters&)>;
1586 
1587 using CommandMap = std::unordered_map<Command::Type, CommandFunction>;
1588 
Sha1DevicePath(const std::string & path,uint8_t digest[SHA_DIGEST_LENGTH])1589 static bool Sha1DevicePath(const std::string& path, uint8_t digest[SHA_DIGEST_LENGTH]) {
1590   auto device_name = android::base::Basename(path);
1591   auto dm_target_name_path = "/sys/block/" + device_name + "/dm/name";
1592 
1593   struct stat sb;
1594   if (stat(dm_target_name_path.c_str(), &sb) == 0) {
1595     // This is a device mapper target. Use partition name as part of the hash instead. Do not
1596     // include extents as part of the hash, because the size of a partition may be shrunk after
1597     // the patches are applied.
1598     std::string dm_target_name;
1599     if (!android::base::ReadFileToString(dm_target_name_path, &dm_target_name)) {
1600       PLOG(ERROR) << "Cannot read " << dm_target_name_path;
1601       return false;
1602     }
1603     SHA1(reinterpret_cast<const uint8_t*>(dm_target_name.data()), dm_target_name.size(), digest);
1604     return true;
1605   }
1606 
1607   if (errno != ENOENT) {
1608     // This is a device mapper target, but its name cannot be retrieved.
1609     PLOG(ERROR) << "Cannot get dm target name for " << path;
1610     return false;
1611   }
1612 
1613   // This doesn't appear to be a device mapper target, but if its name starts with dm-, something
1614   // else might have gone wrong.
1615   if (android::base::StartsWith(device_name, "dm-")) {
1616     LOG(WARNING) << "Device " << path << " starts with dm- but is not mapped by device-mapper.";
1617   }
1618 
1619   // Stash directory should be different for each partition to avoid conflicts when updating
1620   // multiple partitions at the same time, so we use the hash of the block device name as the base
1621   // directory.
1622   SHA1(reinterpret_cast<const uint8_t*>(path.data()), path.size(), digest);
1623   return true;
1624 }
1625 
PerformBlockImageUpdate(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv,const CommandMap & command_map,bool dryrun)1626 static Value* PerformBlockImageUpdate(const char* name, State* state,
1627                                       const std::vector<std::unique_ptr<Expr>>& argv,
1628                                       const CommandMap& command_map, bool dryrun) {
1629   CommandParameters params{};
1630   stash_map.clear();
1631   params.canwrite = !dryrun;
1632 
1633   LOG(INFO) << "performing " << (dryrun ? "verification" : "update");
1634   if (state->is_retry) {
1635     is_retry = true;
1636     LOG(INFO) << "This update is a retry.";
1637   }
1638   if (argv.size() != 4) {
1639     ErrorAbort(state, kArgsParsingFailure, "block_image_update expects 4 arguments, got %zu",
1640                argv.size());
1641     return StringValue("");
1642   }
1643 
1644   std::vector<std::unique_ptr<Value>> args;
1645   if (!ReadValueArgs(state, argv, &args)) {
1646     return nullptr;
1647   }
1648 
1649   // args:
1650   //   - block device (or file) to modify in-place
1651   //   - transfer list (blob)
1652   //   - new data stream (filename within package.zip)
1653   //   - patch stream (filename within package.zip, must be uncompressed)
1654   const std::unique_ptr<Value>& blockdev_filename = args[0];
1655   const std::unique_ptr<Value>& transfer_list_value = args[1];
1656   const std::unique_ptr<Value>& new_data_fn = args[2];
1657   const std::unique_ptr<Value>& patch_data_fn = args[3];
1658 
1659   if (blockdev_filename->type != Value::Type::STRING) {
1660     ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string", name);
1661     return StringValue("");
1662   }
1663   if (transfer_list_value->type != Value::Type::BLOB) {
1664     ErrorAbort(state, kArgsParsingFailure, "transfer_list argument to %s must be blob", name);
1665     return StringValue("");
1666   }
1667   if (new_data_fn->type != Value::Type::STRING) {
1668     ErrorAbort(state, kArgsParsingFailure, "new_data_fn argument to %s must be string", name);
1669     return StringValue("");
1670   }
1671   if (patch_data_fn->type != Value::Type::STRING) {
1672     ErrorAbort(state, kArgsParsingFailure, "patch_data_fn argument to %s must be string", name);
1673     return StringValue("");
1674   }
1675 
1676   auto updater = state->updater;
1677   auto block_device_path = updater->FindBlockDeviceName(blockdev_filename->data);
1678   if (block_device_path.empty()) {
1679     LOG(ERROR) << "Block device path for " << blockdev_filename->data << " not found. " << name
1680                << " failed.";
1681     return StringValue("");
1682   }
1683 
1684   ZipArchiveHandle za = updater->GetPackageHandle();
1685   if (za == nullptr) {
1686     return StringValue("");
1687   }
1688 
1689   std::string_view path_data(patch_data_fn->data);
1690   ZipEntry64 patch_entry;
1691   if (FindEntry(za, path_data, &patch_entry) != 0) {
1692     LOG(ERROR) << name << "(): no file \"" << patch_data_fn->data << "\" in package";
1693     return StringValue("");
1694   }
1695   params.patch_start = updater->GetMappedPackageAddress() + patch_entry.offset;
1696 
1697   std::string_view new_data(new_data_fn->data);
1698   ZipEntry64 new_entry;
1699   if (FindEntry(za, new_data, &new_entry) != 0) {
1700     LOG(ERROR) << name << "(): no file \"" << new_data_fn->data << "\" in package";
1701     return StringValue("");
1702   }
1703 
1704   params.fd.reset(TEMP_FAILURE_RETRY(open(block_device_path.c_str(), O_RDWR)));
1705   if (params.fd == -1) {
1706     failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
1707     PLOG(ERROR) << "open \"" << block_device_path << "\" failed";
1708     return StringValue("");
1709   }
1710 
1711   uint8_t digest[SHA_DIGEST_LENGTH];
1712   if (!Sha1DevicePath(block_device_path, digest)) {
1713     return StringValue("");
1714   }
1715   params.stashbase = print_sha1(digest);
1716 
1717   // Possibly do return early on retry, by checking the marker. If the update on this partition has
1718   // been finished (but interrupted at a later point), there could be leftover on /cache that would
1719   // fail the no-op retry.
1720   std::string updated_marker = GetStashFileName(params.stashbase + ".UPDATED", "", "");
1721   if (is_retry) {
1722     struct stat sb;
1723     int result = stat(updated_marker.c_str(), &sb);
1724     if (result == 0) {
1725       LOG(INFO) << "Skipping already updated partition " << block_device_path << " based on marker";
1726       return StringValue("t");
1727     }
1728   } else {
1729     // Delete the obsolete marker if any.
1730     std::string err;
1731     if (!android::base::RemoveFileIfExists(updated_marker, &err)) {
1732       LOG(ERROR) << "Failed to remove partition updated marker " << updated_marker << ": " << err;
1733       return StringValue("");
1734     }
1735   }
1736 
1737   static constexpr size_t kTransferListHeaderLines = 4;
1738   std::vector<std::string> lines = android::base::Split(transfer_list_value->data, "\n");
1739   if (lines.size() < kTransferListHeaderLines) {
1740     ErrorAbort(state, kArgsParsingFailure, "too few lines in the transfer list [%zu]",
1741                lines.size());
1742     return StringValue("");
1743   }
1744 
1745   // First line in transfer list is the version number.
1746   if (!android::base::ParseInt(lines[0], &params.version, 3, 4)) {
1747     LOG(ERROR) << "unexpected transfer list version [" << lines[0] << "]";
1748     return StringValue("");
1749   }
1750 
1751   LOG(INFO) << "blockimg version is " << params.version;
1752 
1753   // Second line in transfer list is the total number of blocks we expect to write.
1754   size_t total_blocks;
1755   if (!android::base::ParseUint(lines[1], &total_blocks)) {
1756     ErrorAbort(state, kArgsParsingFailure, "unexpected block count [%s]", lines[1].c_str());
1757     return StringValue("");
1758   }
1759 
1760   if (total_blocks == 0) {
1761     return StringValue("t");
1762   }
1763 
1764   // Third line is how many stash entries are needed simultaneously.
1765   LOG(INFO) << "maximum stash entries " << lines[2];
1766 
1767   // Fourth line is the maximum number of blocks that will be stashed simultaneously
1768   size_t stash_max_blocks;
1769   if (!android::base::ParseUint(lines[3], &stash_max_blocks)) {
1770     ErrorAbort(state, kArgsParsingFailure, "unexpected maximum stash blocks [%s]",
1771                lines[3].c_str());
1772     return StringValue("");
1773   }
1774 
1775   int res = CreateStash(state, stash_max_blocks, params.stashbase);
1776   if (res == -1) {
1777     return StringValue("");
1778   }
1779   params.createdstash = res;
1780 
1781   // Set up the new data writer.
1782   if (params.canwrite) {
1783     params.nti.za = za;
1784     params.nti.entry = new_entry;
1785     params.nti.brotli_compressed = android::base::EndsWith(new_data_fn->data, ".br");
1786     if (params.nti.brotli_compressed) {
1787       // Initialize brotli decoder state.
1788       params.nti.brotli_decoder_state = BrotliDecoderCreateInstance(nullptr, nullptr, nullptr);
1789     }
1790     params.nti.receiver_available = true;
1791 
1792     pthread_mutex_init(&params.nti.mu, nullptr);
1793     pthread_cond_init(&params.nti.cv, nullptr);
1794     pthread_attr_t attr;
1795     pthread_attr_init(&attr);
1796     pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
1797 
1798     int error = pthread_create(&params.thread, &attr, unzip_new_data, &params.nti);
1799     if (error != 0) {
1800       LOG(ERROR) << "pthread_create failed: " << strerror(error);
1801       return StringValue("");
1802     }
1803   }
1804 
1805   // When performing an update, save the index and cmdline of the current command into the
1806   // last_command_file.
1807   // Upon resuming an update, read the saved index first; then
1808   //   1. In verification mode, check if the 'move' or 'diff' commands before the saved index has
1809   //      the expected target blocks already. If not, these commands cannot be skipped and we need
1810   //      to attempt to execute them again. Therefore, we will delete the last_command_file so that
1811   //      the update will resume from the start of the transfer list.
1812   //   2. In update mode, skip all commands before the saved index. Therefore, we can avoid deleting
1813   //      stashes with duplicate id unintentionally (b/69858743); and also speed up the update.
1814   // If an update succeeds or is unresumable, delete the last_command_file.
1815   bool skip_executed_command = true;
1816   size_t saved_last_command_index;
1817   if (!ParseLastCommandFile(&saved_last_command_index)) {
1818     DeleteLastCommandFile();
1819     // We failed to parse the last command. Disallow skipping executed commands.
1820     skip_executed_command = false;
1821   }
1822 
1823   int rc = -1;
1824 
1825   // Subsequent lines are all individual transfer commands
1826   for (size_t i = kTransferListHeaderLines; i < lines.size(); i++) {
1827     const std::string& line = lines[i];
1828     if (line.empty()) continue;
1829 
1830     size_t cmdindex = i - kTransferListHeaderLines;
1831     params.tokens = android::base::Split(line, " ");
1832     params.cpos = 0;
1833     params.cmdname = params.tokens[params.cpos++];
1834     params.cmdline = line;
1835     params.target_verified = false;
1836 
1837     Command::Type cmd_type = Command::ParseType(params.cmdname);
1838     if (cmd_type == Command::Type::LAST) {
1839       LOG(ERROR) << "unexpected command [" << params.cmdname << "]";
1840       goto pbiudone;
1841     }
1842 
1843     const CommandFunction& performer = command_map.at(cmd_type);
1844 
1845     // Skip the command if we explicitly set the corresponding function pointer to nullptr, e.g.
1846     // "erase" during block_image_verify.
1847     if (performer == nullptr) {
1848       LOG(DEBUG) << "skip executing command [" << line << "]";
1849       continue;
1850     }
1851 
1852     // Skip all commands before the saved last command index when resuming an update, except for
1853     // "new" command. Because new commands read in the data sequentially.
1854     if (params.canwrite && skip_executed_command && cmdindex <= saved_last_command_index &&
1855         cmd_type != Command::Type::NEW) {
1856       LOG(INFO) << "Skipping already executed command: " << cmdindex
1857                 << ", last executed command for previous update: " << saved_last_command_index;
1858       continue;
1859     }
1860 
1861     if (performer(params) == -1) {
1862       LOG(ERROR) << "failed to execute command [" << line << "]";
1863       if (cmd_type == Command::Type::COMPUTE_HASH_TREE && failure_type == kNoCause) {
1864         failure_type = kHashTreeComputationFailure;
1865       }
1866       goto pbiudone;
1867     }
1868 
1869     // In verify mode, check if the commands before the saved last_command_index have been executed
1870     // correctly. If some target blocks have unexpected contents, delete the last command file so
1871     // that we will resume the update from the first command in the transfer list.
1872     if (!params.canwrite && skip_executed_command && cmdindex <= saved_last_command_index) {
1873       // TODO(xunchang) check that the cmdline of the saved index is correct.
1874       if ((cmd_type == Command::Type::MOVE || cmd_type == Command::Type::BSDIFF ||
1875            cmd_type == Command::Type::IMGDIFF) &&
1876           !params.target_verified) {
1877         LOG(WARNING) << "Previously executed command " << saved_last_command_index << ": "
1878                      << params.cmdline << " doesn't produce expected target blocks.";
1879         skip_executed_command = false;
1880         DeleteLastCommandFile();
1881       }
1882     }
1883 
1884     if (params.canwrite) {
1885       if (fsync(params.fd) == -1) {
1886         failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
1887         PLOG(ERROR) << "fsync failed";
1888         goto pbiudone;
1889       }
1890 
1891       if (!UpdateLastCommandIndex(cmdindex, params.cmdline)) {
1892         LOG(WARNING) << "Failed to update the last command file.";
1893       }
1894 
1895       updater->WriteToCommandPipe(
1896           android::base::StringPrintf("set_progress %.4f",
1897                                       static_cast<double>(params.written) / total_blocks),
1898           true);
1899     }
1900   }
1901 
1902   rc = 0;
1903 
1904 pbiudone:
1905   if (params.canwrite) {
1906     pthread_mutex_lock(&params.nti.mu);
1907     if (params.nti.receiver_available) {
1908       LOG(WARNING) << "new data receiver is still available after executing all commands.";
1909     }
1910     params.nti.receiver_available = false;
1911     pthread_cond_broadcast(&params.nti.cv);
1912     pthread_mutex_unlock(&params.nti.mu);
1913     int ret = pthread_join(params.thread, nullptr);
1914     if (ret != 0) {
1915       LOG(WARNING) << "pthread join returned with " << strerror(ret);
1916     }
1917 
1918     if (rc == 0) {
1919       LOG(INFO) << "wrote " << params.written << " blocks; expected " << total_blocks;
1920       LOG(INFO) << "stashed " << params.stashed << " blocks";
1921       LOG(INFO) << "max alloc needed was " << params.buffer.size();
1922 
1923       const char* partition = strrchr(block_device_path.c_str(), '/');
1924       if (partition != nullptr && *(partition + 1) != 0) {
1925         updater->WriteToCommandPipe(
1926             android::base::StringPrintf("log bytes_written_%s: %" PRIu64, partition + 1,
1927                                         static_cast<uint64_t>(params.written) * BLOCKSIZE));
1928         updater->WriteToCommandPipe(
1929             android::base::StringPrintf("log bytes_stashed_%s: %" PRIu64, partition + 1,
1930                                         static_cast<uint64_t>(params.stashed) * BLOCKSIZE),
1931             true);
1932       }
1933       // Delete stash only after successfully completing the update, as it may contain blocks needed
1934       // to complete the update later.
1935       DeleteStash(params.stashbase);
1936       DeleteLastCommandFile();
1937 
1938       // Create a marker on /cache partition, which allows skipping the update on this partition on
1939       // retry. The marker will be removed once booting into normal boot, or before starting next
1940       // fresh install.
1941       if (!SetUpdatedMarker(updated_marker)) {
1942         LOG(WARNING) << "Failed to set updated marker; continuing";
1943       }
1944     }
1945 
1946     pthread_mutex_destroy(&params.nti.mu);
1947     pthread_cond_destroy(&params.nti.cv);
1948   } else if (rc == 0) {
1949     LOG(INFO) << "verified partition contents; update may be resumed";
1950   }
1951 
1952   if (fsync(params.fd) == -1) {
1953     failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
1954     PLOG(ERROR) << "fsync failed";
1955   }
1956   // params.fd will be automatically closed because it's a unique_fd.
1957 
1958   if (params.nti.brotli_decoder_state != nullptr) {
1959     BrotliDecoderDestroyInstance(params.nti.brotli_decoder_state);
1960   }
1961 
1962   // Delete the last command file if the update cannot be resumed.
1963   if (params.isunresumable) {
1964     DeleteLastCommandFile();
1965   }
1966 
1967   // Only delete the stash if the update cannot be resumed, or it's a verification run and we
1968   // created the stash.
1969   if (params.isunresumable || (!params.canwrite && params.createdstash)) {
1970     DeleteStash(params.stashbase);
1971   }
1972 
1973   if (failure_type != kNoCause && state->cause_code == kNoCause) {
1974     state->cause_code = failure_type;
1975   }
1976 
1977   return StringValue(rc == 0 ? "t" : "");
1978 }
1979 
1980 /**
1981  * The transfer list is a text file containing commands to transfer data from one place to another
1982  * on the target partition. We parse it and execute the commands in order:
1983  *
1984  *    zero [rangeset]
1985  *      - Fill the indicated blocks with zeros.
1986  *
1987  *    new [rangeset]
1988  *      - Fill the blocks with data read from the new_data file.
1989  *
1990  *    erase [rangeset]
1991  *      - Mark the given blocks as empty.
1992  *
1993  *    move <...>
1994  *    bsdiff <patchstart> <patchlen> <...>
1995  *    imgdiff <patchstart> <patchlen> <...>
1996  *      - Read the source blocks, apply a patch (or not in the case of move), write result to target
1997  *      blocks.  bsdiff or imgdiff specifies the type of patch; move means no patch at all.
1998  *
1999  *        See the comments in LoadSrcTgtVersion3() for a description of the <...> format.
2000  *
2001  *    stash <stash_id> <src_range>
2002  *      - Load the given source range and stash the data in the given slot of the stash table.
2003  *
2004  *    free <stash_id>
2005  *      - Free the given stash data.
2006  *
2007  * The creator of the transfer list will guarantee that no block is read (ie, used as the source for
2008  * a patch or move) after it has been written.
2009  *
2010  * The creator will guarantee that a given stash is loaded (with a stash command) before it's used
2011  * in a move/bsdiff/imgdiff command.
2012  *
2013  * Within one command the source and target ranges may overlap so in general we need to read the
2014  * entire source into memory before writing anything to the target blocks.
2015  *
2016  * All the patch data is concatenated into one patch_data file in the update package. It must be
2017  * stored uncompressed because we memory-map it in directly from the archive. (Since patches are
2018  * already compressed, we lose very little by not compressing their concatenation.)
2019  *
2020  * Commands that read data from the partition (i.e. move/bsdiff/imgdiff/stash) have one or more
2021  * additional hashes before the range parameters, which are used to check if the command has already
2022  * been completed and verify the integrity of the source data.
2023  */
BlockImageVerifyFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2024 Value* BlockImageVerifyFn(const char* name, State* state,
2025                           const std::vector<std::unique_ptr<Expr>>& argv) {
2026   // Commands which are not allowed are set to nullptr to skip them completely.
2027   const CommandMap command_map{
2028     // clang-format off
2029     { Command::Type::ABORT,             PerformCommandAbort },
2030     { Command::Type::BSDIFF,            PerformCommandDiff },
2031     { Command::Type::COMPUTE_HASH_TREE, nullptr },
2032     { Command::Type::ERASE,             nullptr },
2033     { Command::Type::FREE,              PerformCommandFree },
2034     { Command::Type::IMGDIFF,           PerformCommandDiff },
2035     { Command::Type::MOVE,              PerformCommandMove },
2036     { Command::Type::NEW,               nullptr },
2037     { Command::Type::STASH,             PerformCommandStash },
2038     { Command::Type::ZERO,              nullptr },
2039     // clang-format on
2040   };
2041   CHECK_EQ(static_cast<size_t>(Command::Type::LAST), command_map.size());
2042 
2043   // Perform a dry run without writing to test if an update can proceed.
2044   return PerformBlockImageUpdate(name, state, argv, command_map, true);
2045 }
2046 
BlockImageUpdateFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2047 Value* BlockImageUpdateFn(const char* name, State* state,
2048                           const std::vector<std::unique_ptr<Expr>>& argv) {
2049   const CommandMap command_map{
2050     // clang-format off
2051     { Command::Type::ABORT,             PerformCommandAbort },
2052     { Command::Type::BSDIFF,            PerformCommandDiff },
2053     { Command::Type::COMPUTE_HASH_TREE, PerformCommandComputeHashTree },
2054     { Command::Type::ERASE,             PerformCommandErase },
2055     { Command::Type::FREE,              PerformCommandFree },
2056     { Command::Type::IMGDIFF,           PerformCommandDiff },
2057     { Command::Type::MOVE,              PerformCommandMove },
2058     { Command::Type::NEW,               PerformCommandNew },
2059     { Command::Type::STASH,             PerformCommandStash },
2060     { Command::Type::ZERO,              PerformCommandZero },
2061     // clang-format on
2062   };
2063   CHECK_EQ(static_cast<size_t>(Command::Type::LAST), command_map.size());
2064 
2065   return PerformBlockImageUpdate(name, state, argv, command_map, false);
2066 }
2067 
RangeSha1Fn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2068 Value* RangeSha1Fn(const char* name, State* state, const std::vector<std::unique_ptr<Expr>>& argv) {
2069   if (argv.size() != 2) {
2070     ErrorAbort(state, kArgsParsingFailure, "range_sha1 expects 2 arguments, got %zu", argv.size());
2071     return StringValue("");
2072   }
2073 
2074   std::vector<std::unique_ptr<Value>> args;
2075   if (!ReadValueArgs(state, argv, &args)) {
2076     return nullptr;
2077   }
2078 
2079   const std::unique_ptr<Value>& blockdev_filename = args[0];
2080   const std::unique_ptr<Value>& ranges = args[1];
2081 
2082   if (blockdev_filename->type != Value::Type::STRING) {
2083     ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string", name);
2084     return StringValue("");
2085   }
2086   if (ranges->type != Value::Type::STRING) {
2087     ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
2088     return StringValue("");
2089   }
2090 
2091   auto block_device_path = state->updater->FindBlockDeviceName(blockdev_filename->data);
2092   if (block_device_path.empty()) {
2093     LOG(ERROR) << "Block device path for " << blockdev_filename->data << " not found. " << name
2094                << " failed.";
2095     return StringValue("");
2096   }
2097 
2098   android::base::unique_fd fd(open(block_device_path.c_str(), O_RDWR));
2099   if (fd == -1) {
2100     CauseCode cause_code = errno == EIO ? kEioFailure : kFileOpenFailure;
2101     ErrorAbort(state, cause_code, "open \"%s\" failed: %s", block_device_path.c_str(),
2102                strerror(errno));
2103     return StringValue("");
2104   }
2105 
2106   RangeSet rs = RangeSet::Parse(ranges->data);
2107   CHECK(static_cast<bool>(rs));
2108 
2109   SHA_CTX ctx;
2110   SHA1_Init(&ctx);
2111 
2112   std::vector<uint8_t> buffer(BLOCKSIZE);
2113   for (const auto& [begin, end] : rs) {
2114     if (!check_lseek(fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
2115       ErrorAbort(state, kLseekFailure, "failed to seek %s: %s", block_device_path.c_str(),
2116                  strerror(errno));
2117       return StringValue("");
2118     }
2119 
2120     for (size_t j = begin; j < end; ++j) {
2121       if (!android::base::ReadFully(fd, buffer.data(), BLOCKSIZE)) {
2122         CauseCode cause_code = errno == EIO ? kEioFailure : kFreadFailure;
2123         ErrorAbort(state, cause_code, "failed to read %s: %s", block_device_path.c_str(),
2124                    strerror(errno));
2125         return StringValue("");
2126       }
2127 
2128       SHA1_Update(&ctx, buffer.data(), BLOCKSIZE);
2129     }
2130   }
2131   uint8_t digest[SHA_DIGEST_LENGTH];
2132   SHA1_Final(digest, &ctx);
2133 
2134   return StringValue(print_sha1(digest));
2135 }
2136 
2137 // This function checks if a device has been remounted R/W prior to an incremental
2138 // OTA update. This is an common cause of update abortion. The function reads the
2139 // 1st block of each partition and check for mounting time/count. It return string "t"
2140 // if executes successfully and an empty string otherwise.
2141 
CheckFirstBlockFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2142 Value* CheckFirstBlockFn(const char* name, State* state,
2143                          const std::vector<std::unique_ptr<Expr>>& argv) {
2144   if (argv.size() != 1) {
2145     ErrorAbort(state, kArgsParsingFailure, "check_first_block expects 1 argument, got %zu",
2146                argv.size());
2147     return StringValue("");
2148   }
2149 
2150   std::vector<std::unique_ptr<Value>> args;
2151   if (!ReadValueArgs(state, argv, &args)) {
2152     return nullptr;
2153   }
2154 
2155   const std::unique_ptr<Value>& arg_filename = args[0];
2156 
2157   if (arg_filename->type != Value::Type::STRING) {
2158     ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
2159     return StringValue("");
2160   }
2161 
2162   auto block_device_path = state->updater->FindBlockDeviceName(arg_filename->data);
2163   if (block_device_path.empty()) {
2164     LOG(ERROR) << "Block device path for " << arg_filename->data << " not found. " << name
2165                << " failed.";
2166     return StringValue("");
2167   }
2168 
2169   android::base::unique_fd fd(open(block_device_path.c_str(), O_RDONLY));
2170   if (fd == -1) {
2171     CauseCode cause_code = errno == EIO ? kEioFailure : kFileOpenFailure;
2172     ErrorAbort(state, cause_code, "open \"%s\" failed: %s", block_device_path.c_str(),
2173                strerror(errno));
2174     return StringValue("");
2175   }
2176 
2177   RangeSet blk0(std::vector<Range>{ Range{ 0, 1 } });
2178   std::vector<uint8_t> block0_buffer(BLOCKSIZE);
2179 
2180   if (ReadBlocks(blk0, &block0_buffer, fd) == -1) {
2181     CauseCode cause_code = errno == EIO ? kEioFailure : kFreadFailure;
2182     ErrorAbort(state, cause_code, "failed to read %s: %s", block_device_path.c_str(),
2183                strerror(errno));
2184     return StringValue("");
2185   }
2186 
2187   // https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
2188   // Super block starts from block 0, offset 0x400
2189   //   0x2C: len32 Mount time
2190   //   0x30: len32 Write time
2191   //   0x34: len16 Number of mounts since the last fsck
2192   //   0x38: len16 Magic signature 0xEF53
2193 
2194   time_t mount_time = *reinterpret_cast<uint32_t*>(&block0_buffer[0x400 + 0x2C]);
2195   uint16_t mount_count = *reinterpret_cast<uint16_t*>(&block0_buffer[0x400 + 0x34]);
2196 
2197   if (mount_count > 0) {
2198     state->updater->UiPrint(
2199         android::base::StringPrintf("Device was remounted R/W %" PRIu16 " times", mount_count));
2200     state->updater->UiPrint(
2201         android::base::StringPrintf("Last remount happened on %s", ctime(&mount_time)));
2202   }
2203 
2204   return StringValue("t");
2205 }
2206 
BlockImageRecoverFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2207 Value* BlockImageRecoverFn(const char* name, State* state,
2208                            const std::vector<std::unique_ptr<Expr>>& argv) {
2209   if (argv.size() != 2) {
2210     ErrorAbort(state, kArgsParsingFailure, "block_image_recover expects 2 arguments, got %zu",
2211                argv.size());
2212     return StringValue("");
2213   }
2214 
2215   std::vector<std::unique_ptr<Value>> args;
2216   if (!ReadValueArgs(state, argv, &args)) {
2217     return nullptr;
2218   }
2219 
2220   const std::unique_ptr<Value>& filename = args[0];
2221   const std::unique_ptr<Value>& ranges = args[1];
2222 
2223   if (filename->type != Value::Type::STRING) {
2224     ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
2225     return StringValue("");
2226   }
2227   if (ranges->type != Value::Type::STRING) {
2228     ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
2229     return StringValue("");
2230   }
2231   RangeSet rs = RangeSet::Parse(ranges->data);
2232   if (!rs) {
2233     ErrorAbort(state, kArgsParsingFailure, "failed to parse ranges: %s", ranges->data.c_str());
2234     return StringValue("");
2235   }
2236 
2237   auto block_device_path = state->updater->FindBlockDeviceName(filename->data);
2238   if (block_device_path.empty()) {
2239     LOG(ERROR) << "Block device path for " << filename->data << " not found. " << name
2240                << " failed.";
2241     return StringValue("");
2242   }
2243 
2244   // Output notice to log when recover is attempted
2245   LOG(INFO) << block_device_path << " image corrupted, attempting to recover...";
2246 
2247   // When opened with O_RDWR, libfec rewrites corrupted blocks when they are read
2248   fec::io fh(block_device_path, O_RDWR);
2249 
2250   if (!fh) {
2251     ErrorAbort(state, kLibfecFailure, "fec_open \"%s\" failed: %s", block_device_path.c_str(),
2252                strerror(errno));
2253     return StringValue("");
2254   }
2255 
2256   if (!fh.has_ecc() || !fh.has_verity()) {
2257     ErrorAbort(state, kLibfecFailure, "unable to use metadata to correct errors");
2258     return StringValue("");
2259   }
2260 
2261   fec_status status;
2262   if (!fh.get_status(status)) {
2263     ErrorAbort(state, kLibfecFailure, "failed to read FEC status");
2264     return StringValue("");
2265   }
2266 
2267   uint8_t buffer[BLOCKSIZE];
2268   for (const auto& [begin, end] : rs) {
2269     for (size_t j = begin; j < end; ++j) {
2270       // Stay within the data area, libfec validates and corrects metadata
2271       if (status.data_size <= static_cast<uint64_t>(j) * BLOCKSIZE) {
2272         continue;
2273       }
2274 
2275       if (fh.pread(buffer, BLOCKSIZE, static_cast<off64_t>(j) * BLOCKSIZE) != BLOCKSIZE) {
2276         ErrorAbort(state, kLibfecFailure, "failed to recover %s (block %zu): %s",
2277                    block_device_path.c_str(), j, strerror(errno));
2278         return StringValue("");
2279       }
2280 
2281       // If we want to be able to recover from a situation where rewriting a corrected
2282       // block doesn't guarantee the same data will be returned when re-read later, we
2283       // can save a copy of corrected blocks to /cache. Note:
2284       //
2285       //  1. Maximum space required from /cache is the same as the maximum number of
2286       //     corrupted blocks we can correct. For RS(255, 253) and a 2 GiB partition,
2287       //     this would be ~16 MiB, for example.
2288       //
2289       //  2. To find out if this block was corrupted, call fec_get_status after each
2290       //     read and check if the errors field value has increased.
2291     }
2292   }
2293   LOG(INFO) << "..." << block_device_path << " image recovered successfully.";
2294   return StringValue("t");
2295 }
2296 
RegisterBlockImageFunctions()2297 void RegisterBlockImageFunctions() {
2298   RegisterFunction("block_image_verify", BlockImageVerifyFn);
2299   RegisterFunction("block_image_update", BlockImageUpdateFn);
2300   RegisterFunction("block_image_recover", BlockImageRecoverFn);
2301   RegisterFunction("check_first_block", CheckFirstBlockFn);
2302   RegisterFunction("range_sha1", RangeSha1Fn);
2303 }
2304