1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <inttypes.h>
22 #include <linux/fs.h>
23 #include <pthread.h>
24 #include <stdarg.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/ioctl.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <sys/wait.h>
32 #include <time.h>
33 #include <unistd.h>
34
35 #include <functional>
36 #include <limits>
37 #include <memory>
38 #include <string>
39 #include <unordered_map>
40 #include <vector>
41
42 #include <android-base/file.h>
43 #include <android-base/logging.h>
44 #include <android-base/parseint.h>
45 #include <android-base/stringprintf.h>
46 #include <android-base/strings.h>
47 #include <android-base/unique_fd.h>
48 #include <applypatch/applypatch.h>
49 #include <brotli/decode.h>
50 #include <fec/io.h>
51 #include <openssl/sha.h>
52 #include <verity/hash_tree_builder.h>
53 #include <ziparchive/zip_archive.h>
54
55 #include "edify/expr.h"
56 #include "edify/updater_interface.h"
57 #include "otautil/dirutil.h"
58 #include "otautil/error_code.h"
59 #include "otautil/paths.h"
60 #include "otautil/print_sha1.h"
61 #include "otautil/rangeset.h"
62 #include "private/commands.h"
63 #include "updater/install.h"
64
65 #ifdef __ANDROID__
66 #include <private/android_filesystem_config.h>
67 // Set this to 0 to interpret 'erase' transfers to mean do a BLKDISCARD ioctl (the normal behavior).
68 // Set to 1 to interpret erase to mean fill the region with zeroes.
69 #define DEBUG_ERASE 0
70 #else
71 #define DEBUG_ERASE 1
72 #define AID_SYSTEM -1
73 #endif // __ANDROID__
74
75 static constexpr size_t BLOCKSIZE = 4096;
76 static constexpr mode_t STASH_DIRECTORY_MODE = 0700;
77 static constexpr mode_t STASH_FILE_MODE = 0600;
78 static constexpr mode_t MARKER_DIRECTORY_MODE = 0700;
79
80 static CauseCode failure_type = kNoCause;
81 static bool is_retry = false;
82 static std::unordered_map<std::string, RangeSet> stash_map;
83
DeleteLastCommandFile()84 static void DeleteLastCommandFile() {
85 const std::string& last_command_file = Paths::Get().last_command_file();
86 if (unlink(last_command_file.c_str()) == -1 && errno != ENOENT) {
87 PLOG(ERROR) << "Failed to unlink: " << last_command_file;
88 }
89 }
90
91 // Parse the last command index of the last update and save the result to |last_command_index|.
92 // Return true if we successfully read the index.
ParseLastCommandFile(size_t * last_command_index)93 static bool ParseLastCommandFile(size_t* last_command_index) {
94 const std::string& last_command_file = Paths::Get().last_command_file();
95 android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(last_command_file.c_str(), O_RDONLY)));
96 if (fd == -1) {
97 if (errno != ENOENT) {
98 PLOG(ERROR) << "Failed to open " << last_command_file;
99 return false;
100 }
101
102 LOG(INFO) << last_command_file << " doesn't exist.";
103 return false;
104 }
105
106 // Now that the last_command file exists, parse the last command index of previous update.
107 std::string content;
108 if (!android::base::ReadFdToString(fd.get(), &content)) {
109 LOG(ERROR) << "Failed to read: " << last_command_file;
110 return false;
111 }
112
113 std::vector<std::string> lines = android::base::Split(android::base::Trim(content), "\n");
114 if (lines.size() != 2) {
115 LOG(ERROR) << "Unexpected line counts in last command file: " << content;
116 return false;
117 }
118
119 if (!android::base::ParseUint(lines[0], last_command_index)) {
120 LOG(ERROR) << "Failed to parse integer in: " << lines[0];
121 return false;
122 }
123
124 return true;
125 }
126
FsyncDir(const std::string & dirname)127 static bool FsyncDir(const std::string& dirname) {
128 android::base::unique_fd dfd(TEMP_FAILURE_RETRY(open(dirname.c_str(), O_RDONLY | O_DIRECTORY)));
129 if (dfd == -1) {
130 failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
131 PLOG(ERROR) << "Failed to open " << dirname;
132 return false;
133 }
134 if (fsync(dfd) == -1) {
135 failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
136 PLOG(ERROR) << "Failed to fsync " << dirname;
137 return false;
138 }
139 return true;
140 }
141
142 // Update the last executed command index in the last_command_file.
UpdateLastCommandIndex(size_t command_index,const std::string & command_string)143 static bool UpdateLastCommandIndex(size_t command_index, const std::string& command_string) {
144 const std::string& last_command_file = Paths::Get().last_command_file();
145 std::string last_command_tmp = last_command_file + ".tmp";
146 std::string content = std::to_string(command_index) + "\n" + command_string;
147 android::base::unique_fd wfd(
148 TEMP_FAILURE_RETRY(open(last_command_tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0660)));
149 if (wfd == -1 || !android::base::WriteStringToFd(content, wfd)) {
150 PLOG(ERROR) << "Failed to update last command";
151 return false;
152 }
153
154 if (fsync(wfd) == -1) {
155 PLOG(ERROR) << "Failed to fsync " << last_command_tmp;
156 return false;
157 }
158
159 if (chown(last_command_tmp.c_str(), AID_SYSTEM, AID_SYSTEM) == -1) {
160 PLOG(ERROR) << "Failed to change owner for " << last_command_tmp;
161 return false;
162 }
163
164 if (rename(last_command_tmp.c_str(), last_command_file.c_str()) == -1) {
165 PLOG(ERROR) << "Failed to rename" << last_command_tmp;
166 return false;
167 }
168
169 if (!FsyncDir(android::base::Dirname(last_command_file))) {
170 return false;
171 }
172
173 return true;
174 }
175
SetUpdatedMarker(const std::string & marker)176 bool SetUpdatedMarker(const std::string& marker) {
177 auto dirname = android::base::Dirname(marker);
178 auto res = mkdir(dirname.c_str(), MARKER_DIRECTORY_MODE);
179 if (res == -1 && errno != EEXIST) {
180 PLOG(ERROR) << "Failed to create directory for marker: " << dirname;
181 return false;
182 }
183
184 if (!android::base::WriteStringToFile("", marker)) {
185 PLOG(ERROR) << "Failed to write to marker file " << marker;
186 return false;
187 }
188 if (!FsyncDir(dirname)) {
189 return false;
190 }
191 LOG(INFO) << "Wrote updated marker to " << marker;
192 return true;
193 }
194
discard_blocks(int fd,off64_t offset,uint64_t size,bool force=false)195 static bool discard_blocks(int fd, off64_t offset, uint64_t size, bool force = false) {
196 // Don't discard blocks unless the update is a retry run or force == true
197 if (!is_retry && !force) {
198 return true;
199 }
200
201 uint64_t args[2] = { static_cast<uint64_t>(offset), size };
202 if (ioctl(fd, BLKDISCARD, &args) == -1) {
203 // On devices that does not support BLKDISCARD, ignore the error.
204 if (errno == EOPNOTSUPP) {
205 return true;
206 }
207 PLOG(ERROR) << "BLKDISCARD ioctl failed";
208 return false;
209 }
210 return true;
211 }
212
check_lseek(int fd,off64_t offset,int whence)213 static bool check_lseek(int fd, off64_t offset, int whence) {
214 off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
215 if (rc == -1) {
216 failure_type = kLseekFailure;
217 PLOG(ERROR) << "lseek64 failed";
218 return false;
219 }
220 return true;
221 }
222
allocate(size_t size,std::vector<uint8_t> * buffer)223 static void allocate(size_t size, std::vector<uint8_t>* buffer) {
224 // If the buffer's big enough, reuse it.
225 if (size <= buffer->size()) return;
226 buffer->resize(size);
227 }
228
229 /**
230 * RangeSinkWriter reads data from the given FD, and writes them to the destination specified by the
231 * given RangeSet.
232 */
233 class RangeSinkWriter {
234 public:
RangeSinkWriter(int fd,const RangeSet & tgt)235 RangeSinkWriter(int fd, const RangeSet& tgt)
236 : fd_(fd),
237 tgt_(tgt),
238 next_range_(0),
239 current_range_left_(0),
240 bytes_written_(0) {
241 CHECK_NE(tgt.size(), static_cast<size_t>(0));
242 };
243
Finished() const244 bool Finished() const {
245 return next_range_ == tgt_.size() && current_range_left_ == 0;
246 }
247
AvailableSpace() const248 size_t AvailableSpace() const {
249 return tgt_.blocks() * BLOCKSIZE - bytes_written_;
250 }
251
252 // Return number of bytes written; and 0 indicates a writing failure.
Write(const uint8_t * data,size_t size)253 size_t Write(const uint8_t* data, size_t size) {
254 if (Finished()) {
255 LOG(ERROR) << "range sink write overrun; can't write " << size << " bytes";
256 return 0;
257 }
258
259 size_t written = 0;
260 while (size > 0) {
261 // Move to the next range as needed.
262 if (!SeekToOutputRange()) {
263 break;
264 }
265
266 size_t write_now = size;
267 if (current_range_left_ < write_now) {
268 write_now = current_range_left_;
269 }
270
271 if (!android::base::WriteFully(fd_, data, write_now)) {
272 failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
273 PLOG(ERROR) << "Failed to write " << write_now << " bytes of data";
274 break;
275 }
276
277 data += write_now;
278 size -= write_now;
279
280 current_range_left_ -= write_now;
281 written += write_now;
282 }
283
284 bytes_written_ += written;
285 return written;
286 }
287
BytesWritten() const288 size_t BytesWritten() const {
289 return bytes_written_;
290 }
291
292 private:
293 // Set up the output cursor, move to next range if needed.
SeekToOutputRange()294 bool SeekToOutputRange() {
295 // We haven't finished the current range yet.
296 if (current_range_left_ != 0) {
297 return true;
298 }
299 // We can't write any more; let the write function return how many bytes have been written
300 // so far.
301 if (next_range_ >= tgt_.size()) {
302 return false;
303 }
304
305 const Range& range = tgt_[next_range_];
306 off64_t offset = static_cast<off64_t>(range.first) * BLOCKSIZE;
307 current_range_left_ = (range.second - range.first) * BLOCKSIZE;
308 next_range_++;
309
310 if (!discard_blocks(fd_, offset, current_range_left_)) {
311 return false;
312 }
313 if (!check_lseek(fd_, offset, SEEK_SET)) {
314 return false;
315 }
316 return true;
317 }
318
319 // The output file descriptor.
320 int fd_;
321 // The destination ranges for the data.
322 const RangeSet& tgt_;
323 // The next range that we should write to.
324 size_t next_range_;
325 // The number of bytes to write before moving to the next range.
326 size_t current_range_left_;
327 // Total bytes written by the writer.
328 size_t bytes_written_;
329 };
330
331 /**
332 * All of the data for all the 'new' transfers is contained in one file in the update package,
333 * concatenated together in the order in which transfers.list will need it. We want to stream it out
334 * of the archive (it's compressed) without writing it to a temp file, but we can't write each
335 * section until it's that transfer's turn to go.
336 *
337 * To achieve this, we expand the new data from the archive in a background thread, and block that
338 * threads 'receive uncompressed data' function until the main thread has reached a point where we
339 * want some new data to be written. We signal the background thread with the destination for the
340 * data and block the main thread, waiting for the background thread to complete writing that
341 * section. Then it signals the main thread to wake up and goes back to blocking waiting for a
342 * transfer.
343 *
344 * NewThreadInfo is the struct used to pass information back and forth between the two threads. When
345 * the main thread wants some data written, it sets writer to the destination location and signals
346 * the condition. When the background thread is done writing, it clears writer and signals the
347 * condition again.
348 */
349 struct NewThreadInfo {
350 ZipArchiveHandle za;
351 ZipEntry64 entry{};
352 bool brotli_compressed;
353
354 std::unique_ptr<RangeSinkWriter> writer;
355 BrotliDecoderState* brotli_decoder_state;
356 bool receiver_available;
357
358 pthread_mutex_t mu;
359 pthread_cond_t cv;
360 };
361
receive_new_data(const uint8_t * data,size_t size,void * cookie)362 static bool receive_new_data(const uint8_t* data, size_t size, void* cookie) {
363 NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
364
365 while (size > 0) {
366 // Wait for nti->writer to be non-null, indicating some of this data is wanted.
367 pthread_mutex_lock(&nti->mu);
368 while (nti->writer == nullptr) {
369 // End the new data receiver if we encounter an error when performing block image update.
370 if (!nti->receiver_available) {
371 pthread_mutex_unlock(&nti->mu);
372 return false;
373 }
374 pthread_cond_wait(&nti->cv, &nti->mu);
375 }
376 pthread_mutex_unlock(&nti->mu);
377
378 // At this point nti->writer is set, and we own it. The main thread is waiting for it to
379 // disappear from nti.
380 size_t write_now = std::min(size, nti->writer->AvailableSpace());
381 if (nti->writer->Write(data, write_now) != write_now) {
382 LOG(ERROR) << "Failed to write " << write_now << " bytes.";
383 return false;
384 }
385
386 data += write_now;
387 size -= write_now;
388
389 if (nti->writer->Finished()) {
390 // We have written all the bytes desired by this writer.
391
392 pthread_mutex_lock(&nti->mu);
393 nti->writer = nullptr;
394 pthread_cond_broadcast(&nti->cv);
395 pthread_mutex_unlock(&nti->mu);
396 }
397 }
398
399 return true;
400 }
401
receive_brotli_new_data(const uint8_t * data,size_t size,void * cookie)402 static bool receive_brotli_new_data(const uint8_t* data, size_t size, void* cookie) {
403 NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
404
405 while (size > 0 || BrotliDecoderHasMoreOutput(nti->brotli_decoder_state)) {
406 // Wait for nti->writer to be non-null, indicating some of this data is wanted.
407 pthread_mutex_lock(&nti->mu);
408 while (nti->writer == nullptr) {
409 // End the receiver if we encounter an error when performing block image update.
410 if (!nti->receiver_available) {
411 pthread_mutex_unlock(&nti->mu);
412 return false;
413 }
414 pthread_cond_wait(&nti->cv, &nti->mu);
415 }
416 pthread_mutex_unlock(&nti->mu);
417
418 // At this point nti->writer is set, and we own it. The main thread is waiting for it to
419 // disappear from nti.
420
421 size_t buffer_size = std::min<size_t>(32768, nti->writer->AvailableSpace());
422 if (buffer_size == 0) {
423 LOG(ERROR) << "No space left in output range";
424 return false;
425 }
426 uint8_t buffer[buffer_size];
427 size_t available_in = size;
428 size_t available_out = buffer_size;
429 uint8_t* next_out = buffer;
430
431 // The brotli decoder will update |data|, |available_in|, |next_out| and |available_out|.
432 BrotliDecoderResult result = BrotliDecoderDecompressStream(
433 nti->brotli_decoder_state, &available_in, &data, &available_out, &next_out, nullptr);
434
435 if (result == BROTLI_DECODER_RESULT_ERROR) {
436 LOG(ERROR) << "Decompression failed with "
437 << BrotliDecoderErrorString(BrotliDecoderGetErrorCode(nti->brotli_decoder_state));
438 return false;
439 }
440
441 LOG(DEBUG) << "bytes to write: " << buffer_size - available_out << ", bytes consumed "
442 << size - available_in << ", decoder status " << result;
443
444 size_t write_now = buffer_size - available_out;
445 if (nti->writer->Write(buffer, write_now) != write_now) {
446 LOG(ERROR) << "Failed to write " << write_now << " bytes.";
447 return false;
448 }
449
450 // Update the remaining size. The input data ptr is already updated by brotli decoder function.
451 size = available_in;
452
453 if (nti->writer->Finished()) {
454 // We have written all the bytes desired by this writer.
455
456 pthread_mutex_lock(&nti->mu);
457 nti->writer = nullptr;
458 pthread_cond_broadcast(&nti->cv);
459 pthread_mutex_unlock(&nti->mu);
460 }
461 }
462
463 return true;
464 }
465
unzip_new_data(void * cookie)466 static void* unzip_new_data(void* cookie) {
467 NewThreadInfo* nti = static_cast<NewThreadInfo*>(cookie);
468 if (nti->brotli_compressed) {
469 ProcessZipEntryContents(nti->za, &nti->entry, receive_brotli_new_data, nti);
470 } else {
471 ProcessZipEntryContents(nti->za, &nti->entry, receive_new_data, nti);
472 }
473 pthread_mutex_lock(&nti->mu);
474 nti->receiver_available = false;
475 if (nti->writer != nullptr) {
476 pthread_cond_broadcast(&nti->cv);
477 }
478 pthread_mutex_unlock(&nti->mu);
479 return nullptr;
480 }
481
ReadBlocks(const RangeSet & src,std::vector<uint8_t> * buffer,int fd)482 static int ReadBlocks(const RangeSet& src, std::vector<uint8_t>* buffer, int fd) {
483 size_t p = 0;
484 for (const auto& [begin, end] : src) {
485 if (!check_lseek(fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
486 return -1;
487 }
488
489 size_t size = (end - begin) * BLOCKSIZE;
490 if (!android::base::ReadFully(fd, buffer->data() + p, size)) {
491 failure_type = errno == EIO ? kEioFailure : kFreadFailure;
492 PLOG(ERROR) << "Failed to read " << size << " bytes of data";
493 return -1;
494 }
495
496 p += size;
497 }
498
499 return 0;
500 }
501
WriteBlocks(const RangeSet & tgt,const std::vector<uint8_t> & buffer,int fd)502 static int WriteBlocks(const RangeSet& tgt, const std::vector<uint8_t>& buffer, int fd) {
503 size_t written = 0;
504 for (const auto& [begin, end] : tgt) {
505 off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
506 size_t size = (end - begin) * BLOCKSIZE;
507 if (!discard_blocks(fd, offset, size)) {
508 return -1;
509 }
510
511 if (!check_lseek(fd, offset, SEEK_SET)) {
512 return -1;
513 }
514
515 if (!android::base::WriteFully(fd, buffer.data() + written, size)) {
516 failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
517 PLOG(ERROR) << "Failed to write " << size << " bytes of data";
518 return -1;
519 }
520
521 written += size;
522 }
523
524 return 0;
525 }
526
527 // Parameters for transfer list command functions
528 struct CommandParameters {
529 std::vector<std::string> tokens;
530 size_t cpos;
531 std::string cmdname;
532 std::string cmdline;
533 std::string freestash;
534 std::string stashbase;
535 bool canwrite;
536 int createdstash;
537 android::base::unique_fd fd;
538 bool foundwrites;
539 bool isunresumable;
540 int version;
541 size_t written;
542 size_t stashed;
543 NewThreadInfo nti;
544 pthread_t thread;
545 std::vector<uint8_t> buffer;
546 uint8_t* patch_start;
547 bool target_verified; // The target blocks have expected contents already.
548 };
549
550 // Print the hash in hex for corrupted source blocks (excluding the stashed blocks which is
551 // handled separately).
PrintHashForCorruptedSourceBlocks(const CommandParameters & params,const std::vector<uint8_t> & buffer)552 static void PrintHashForCorruptedSourceBlocks(const CommandParameters& params,
553 const std::vector<uint8_t>& buffer) {
554 LOG(INFO) << "unexpected contents of source blocks in cmd:\n" << params.cmdline;
555 CHECK(params.tokens[0] == "move" || params.tokens[0] == "bsdiff" ||
556 params.tokens[0] == "imgdiff");
557
558 size_t pos = 0;
559 // Command example:
560 // move <onehash> <tgt_range> <src_blk_count> <src_range> [<loc_range> <stashed_blocks>]
561 // bsdiff <offset> <len> <src_hash> <tgt_hash> <tgt_range> <src_blk_count> <src_range>
562 // [<loc_range> <stashed_blocks>]
563 if (params.tokens[0] == "move") {
564 // src_range for move starts at the 4th position.
565 if (params.tokens.size() < 5) {
566 LOG(ERROR) << "failed to parse source range in cmd:\n" << params.cmdline;
567 return;
568 }
569 pos = 4;
570 } else {
571 // src_range for diff starts at the 7th position.
572 if (params.tokens.size() < 8) {
573 LOG(ERROR) << "failed to parse source range in cmd:\n" << params.cmdline;
574 return;
575 }
576 pos = 7;
577 }
578
579 // Source blocks in stash only, no work to do.
580 if (params.tokens[pos] == "-") {
581 return;
582 }
583
584 RangeSet src = RangeSet::Parse(params.tokens[pos++]);
585 if (!src) {
586 LOG(ERROR) << "Failed to parse range in " << params.cmdline;
587 return;
588 }
589
590 RangeSet locs;
591 // If there's no stashed blocks, content in the buffer is consecutive and has the same
592 // order as the source blocks.
593 if (pos == params.tokens.size()) {
594 locs = RangeSet(std::vector<Range>{ Range{ 0, src.blocks() } });
595 } else {
596 // Otherwise, the next token is the offset of the source blocks in the target range.
597 // Example: for the tokens <4,63946,63947,63948,63979> <4,6,7,8,39> <stashed_blocks>;
598 // We want to print SHA-1 for the data in buffer[6], buffer[8], buffer[9] ... buffer[38];
599 // this corresponds to the 32 src blocks #63946, #63948, #63949 ... #63978.
600 locs = RangeSet::Parse(params.tokens[pos++]);
601 CHECK_EQ(src.blocks(), locs.blocks());
602 }
603
604 LOG(INFO) << "printing hash in hex for " << src.blocks() << " source blocks";
605 for (size_t i = 0; i < src.blocks(); i++) {
606 size_t block_num = src.GetBlockNumber(i);
607 size_t buffer_index = locs.GetBlockNumber(i);
608 CHECK_LE((buffer_index + 1) * BLOCKSIZE, buffer.size());
609
610 uint8_t digest[SHA_DIGEST_LENGTH];
611 SHA1(buffer.data() + buffer_index * BLOCKSIZE, BLOCKSIZE, digest);
612 std::string hexdigest = print_sha1(digest);
613 LOG(INFO) << " block number: " << block_num << ", SHA-1: " << hexdigest;
614 }
615 }
616
617 // If the calculated hash for the whole stash doesn't match the stash id, print the SHA-1
618 // in hex for each block.
PrintHashForCorruptedStashedBlocks(const std::string & id,const std::vector<uint8_t> & buffer,const RangeSet & src)619 static void PrintHashForCorruptedStashedBlocks(const std::string& id,
620 const std::vector<uint8_t>& buffer,
621 const RangeSet& src) {
622 LOG(INFO) << "printing hash in hex for stash_id: " << id;
623 CHECK_EQ(src.blocks() * BLOCKSIZE, buffer.size());
624
625 for (size_t i = 0; i < src.blocks(); i++) {
626 size_t block_num = src.GetBlockNumber(i);
627
628 uint8_t digest[SHA_DIGEST_LENGTH];
629 SHA1(buffer.data() + i * BLOCKSIZE, BLOCKSIZE, digest);
630 std::string hexdigest = print_sha1(digest);
631 LOG(INFO) << " block number: " << block_num << ", SHA-1: " << hexdigest;
632 }
633 }
634
635 // If the stash file doesn't exist, read the source blocks this stash contains and print the
636 // SHA-1 for these blocks.
PrintHashForMissingStashedBlocks(const std::string & id,int fd)637 static void PrintHashForMissingStashedBlocks(const std::string& id, int fd) {
638 if (stash_map.find(id) == stash_map.end()) {
639 LOG(ERROR) << "No stash saved for id: " << id;
640 return;
641 }
642
643 LOG(INFO) << "print hash in hex for source blocks in missing stash: " << id;
644 const RangeSet& src = stash_map[id];
645 std::vector<uint8_t> buffer(src.blocks() * BLOCKSIZE);
646 if (ReadBlocks(src, &buffer, fd) == -1) {
647 LOG(ERROR) << "failed to read source blocks for stash: " << id;
648 return;
649 }
650 PrintHashForCorruptedStashedBlocks(id, buffer, src);
651 }
652
VerifyBlocks(const std::string & expected,const std::vector<uint8_t> & buffer,const size_t blocks,bool printerror)653 static int VerifyBlocks(const std::string& expected, const std::vector<uint8_t>& buffer,
654 const size_t blocks, bool printerror) {
655 uint8_t digest[SHA_DIGEST_LENGTH];
656 const uint8_t* data = buffer.data();
657
658 SHA1(data, blocks * BLOCKSIZE, digest);
659
660 std::string hexdigest = print_sha1(digest);
661
662 if (hexdigest != expected) {
663 if (printerror) {
664 LOG(ERROR) << "failed to verify blocks (expected " << expected << ", read " << hexdigest
665 << ")";
666 }
667 return -1;
668 }
669
670 return 0;
671 }
672
GetStashFileName(const std::string & base,const std::string & id,const std::string & postfix)673 static std::string GetStashFileName(const std::string& base, const std::string& id,
674 const std::string& postfix) {
675 if (base.empty()) {
676 return "";
677 }
678 std::string filename = Paths::Get().stash_directory_base() + "/" + base;
679 if (id.empty() && postfix.empty()) {
680 return filename;
681 }
682 return filename + "/" + id + postfix;
683 }
684
685 // Does a best effort enumeration of stash files. Ignores possible non-file items in the stash
686 // directory and continues despite of errors. Calls the 'callback' function for each file.
EnumerateStash(const std::string & dirname,const std::function<void (const std::string &)> & callback)687 static void EnumerateStash(const std::string& dirname,
688 const std::function<void(const std::string&)>& callback) {
689 if (dirname.empty()) return;
690
691 std::unique_ptr<DIR, decltype(&closedir)> directory(opendir(dirname.c_str()), closedir);
692
693 if (directory == nullptr) {
694 if (errno != ENOENT) {
695 PLOG(ERROR) << "opendir \"" << dirname << "\" failed";
696 }
697 return;
698 }
699
700 dirent* item;
701 while ((item = readdir(directory.get())) != nullptr) {
702 if (item->d_type != DT_REG) continue;
703 callback(dirname + "/" + item->d_name);
704 }
705 }
706
707 // Deletes the stash directory and all files in it. Assumes that it only
708 // contains files. There is nothing we can do about unlikely, but possible
709 // errors, so they are merely logged.
DeleteFile(const std::string & fn)710 static void DeleteFile(const std::string& fn) {
711 if (fn.empty()) return;
712
713 LOG(INFO) << "deleting " << fn;
714
715 if (unlink(fn.c_str()) == -1 && errno != ENOENT) {
716 PLOG(ERROR) << "unlink \"" << fn << "\" failed";
717 }
718 }
719
DeleteStash(const std::string & base)720 static void DeleteStash(const std::string& base) {
721 if (base.empty()) return;
722
723 LOG(INFO) << "deleting stash " << base;
724
725 std::string dirname = GetStashFileName(base, "", "");
726 EnumerateStash(dirname, DeleteFile);
727
728 if (rmdir(dirname.c_str()) == -1) {
729 if (errno != ENOENT && errno != ENOTDIR) {
730 PLOG(ERROR) << "rmdir \"" << dirname << "\" failed";
731 }
732 }
733 }
734
LoadStash(const CommandParameters & params,const std::string & id,bool verify,std::vector<uint8_t> * buffer,bool printnoent)735 static int LoadStash(const CommandParameters& params, const std::string& id, bool verify,
736 std::vector<uint8_t>* buffer, bool printnoent) {
737 // In verify mode, if source range_set was saved for the given hash, check contents in the source
738 // blocks first. If the check fails, search for the stashed files on /cache as usual.
739 if (!params.canwrite) {
740 if (stash_map.find(id) != stash_map.end()) {
741 const RangeSet& src = stash_map[id];
742 allocate(src.blocks() * BLOCKSIZE, buffer);
743
744 if (ReadBlocks(src, buffer, params.fd) == -1) {
745 LOG(ERROR) << "failed to read source blocks in stash map.";
746 return -1;
747 }
748 if (VerifyBlocks(id, *buffer, src.blocks(), true) != 0) {
749 LOG(ERROR) << "failed to verify loaded source blocks in stash map.";
750 if (!is_retry) {
751 PrintHashForCorruptedStashedBlocks(id, *buffer, src);
752 }
753 return -1;
754 }
755 return 0;
756 }
757 }
758
759 std::string fn = GetStashFileName(params.stashbase, id, "");
760
761 struct stat sb;
762 if (stat(fn.c_str(), &sb) == -1) {
763 if (errno != ENOENT || printnoent) {
764 PLOG(ERROR) << "stat \"" << fn << "\" failed";
765 PrintHashForMissingStashedBlocks(id, params.fd);
766 }
767 return -1;
768 }
769
770 LOG(INFO) << " loading " << fn;
771
772 if ((sb.st_size % BLOCKSIZE) != 0) {
773 LOG(ERROR) << fn << " size " << sb.st_size << " not multiple of block size " << BLOCKSIZE;
774 return -1;
775 }
776
777 android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(fn.c_str(), O_RDONLY)));
778 if (fd == -1) {
779 failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
780 PLOG(ERROR) << "open \"" << fn << "\" failed";
781 return -1;
782 }
783
784 allocate(sb.st_size, buffer);
785
786 if (!android::base::ReadFully(fd, buffer->data(), sb.st_size)) {
787 failure_type = errno == EIO ? kEioFailure : kFreadFailure;
788 PLOG(ERROR) << "Failed to read " << sb.st_size << " bytes of data";
789 return -1;
790 }
791
792 size_t blocks = sb.st_size / BLOCKSIZE;
793 if (verify && VerifyBlocks(id, *buffer, blocks, true) != 0) {
794 LOG(ERROR) << "unexpected contents in " << fn;
795 if (stash_map.find(id) == stash_map.end()) {
796 LOG(ERROR) << "failed to find source blocks number for stash " << id
797 << " when executing command: " << params.cmdname;
798 } else {
799 const RangeSet& src = stash_map[id];
800 PrintHashForCorruptedStashedBlocks(id, *buffer, src);
801 }
802 DeleteFile(fn);
803 return -1;
804 }
805
806 return 0;
807 }
808
WriteStash(const std::string & base,const std::string & id,int blocks,const std::vector<uint8_t> & buffer,bool checkspace,bool * exists)809 static int WriteStash(const std::string& base, const std::string& id, int blocks,
810 const std::vector<uint8_t>& buffer, bool checkspace, bool* exists) {
811 if (base.empty()) {
812 return -1;
813 }
814
815 if (checkspace && !CheckAndFreeSpaceOnCache(blocks * BLOCKSIZE)) {
816 LOG(ERROR) << "not enough space to write stash";
817 return -1;
818 }
819
820 std::string fn = GetStashFileName(base, id, ".partial");
821 std::string cn = GetStashFileName(base, id, "");
822
823 if (exists) {
824 struct stat sb;
825 int res = stat(cn.c_str(), &sb);
826
827 if (res == 0) {
828 // The file already exists and since the name is the hash of the contents,
829 // it's safe to assume the contents are identical (accidental hash collisions
830 // are unlikely)
831 LOG(INFO) << " skipping " << blocks << " existing blocks in " << cn;
832 *exists = true;
833 return 0;
834 }
835
836 *exists = false;
837 }
838
839 LOG(INFO) << " writing " << blocks << " blocks to " << cn;
840
841 android::base::unique_fd fd(
842 TEMP_FAILURE_RETRY(open(fn.c_str(), O_WRONLY | O_CREAT | O_TRUNC, STASH_FILE_MODE)));
843 if (fd == -1) {
844 failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
845 PLOG(ERROR) << "failed to create \"" << fn << "\"";
846 return -1;
847 }
848
849 if (fchown(fd, AID_SYSTEM, AID_SYSTEM) != 0) { // system user
850 PLOG(ERROR) << "failed to chown \"" << fn << "\"";
851 return -1;
852 }
853
854 if (!android::base::WriteFully(fd, buffer.data(), blocks * BLOCKSIZE)) {
855 failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
856 PLOG(ERROR) << "Failed to write " << blocks * BLOCKSIZE << " bytes of data";
857 return -1;
858 }
859
860 if (fsync(fd) == -1) {
861 failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
862 PLOG(ERROR) << "fsync \"" << fn << "\" failed";
863 return -1;
864 }
865
866 if (rename(fn.c_str(), cn.c_str()) == -1) {
867 PLOG(ERROR) << "rename(\"" << fn << "\", \"" << cn << "\") failed";
868 return -1;
869 }
870
871 std::string dname = GetStashFileName(base, "", "");
872 if (!FsyncDir(dname)) {
873 return -1;
874 }
875
876 return 0;
877 }
878
879 // Creates a directory for storing stash files and checks if the /cache partition
880 // hash enough space for the expected amount of blocks we need to store. Returns
881 // >0 if we created the directory, zero if it existed already, and <0 of failure.
CreateStash(State * state,size_t maxblocks,const std::string & base)882 static int CreateStash(State* state, size_t maxblocks, const std::string& base) {
883 std::string dirname = GetStashFileName(base, "", "");
884 struct stat sb;
885 int res = stat(dirname.c_str(), &sb);
886 if (res == -1 && errno != ENOENT) {
887 ErrorAbort(state, kStashCreationFailure, "stat \"%s\" failed: %s", dirname.c_str(),
888 strerror(errno));
889 return -1;
890 }
891
892 size_t max_stash_size = maxblocks * BLOCKSIZE;
893 if (res == -1) {
894 LOG(INFO) << "creating stash " << dirname;
895 res = mkdir_recursively(dirname, STASH_DIRECTORY_MODE, false, nullptr);
896
897 if (res != 0) {
898 ErrorAbort(state, kStashCreationFailure, "mkdir \"%s\" failed: %s", dirname.c_str(),
899 strerror(errno));
900 return -1;
901 }
902
903 if (chown(dirname.c_str(), AID_SYSTEM, AID_SYSTEM) != 0) { // system user
904 ErrorAbort(state, kStashCreationFailure, "chown \"%s\" failed: %s", dirname.c_str(),
905 strerror(errno));
906 return -1;
907 }
908
909 if (!CheckAndFreeSpaceOnCache(max_stash_size)) {
910 ErrorAbort(state, kStashCreationFailure, "not enough space for stash (%zu needed)",
911 max_stash_size);
912 return -1;
913 }
914
915 return 1; // Created directory
916 }
917
918 LOG(INFO) << "using existing stash " << dirname;
919
920 // If the directory already exists, calculate the space already allocated to stash files and check
921 // if there's enough for all required blocks. Delete any partially completed stash files first.
922 EnumerateStash(dirname, [](const std::string& fn) {
923 if (android::base::EndsWith(fn, ".partial")) {
924 DeleteFile(fn);
925 }
926 });
927
928 size_t existing = 0;
929 EnumerateStash(dirname, [&existing](const std::string& fn) {
930 if (fn.empty()) return;
931 struct stat sb;
932 if (stat(fn.c_str(), &sb) == -1) {
933 PLOG(ERROR) << "stat \"" << fn << "\" failed";
934 return;
935 }
936 existing += static_cast<size_t>(sb.st_size);
937 });
938
939 if (max_stash_size > existing) {
940 size_t needed = max_stash_size - existing;
941 if (!CheckAndFreeSpaceOnCache(needed)) {
942 ErrorAbort(state, kStashCreationFailure, "not enough space for stash (%zu more needed)",
943 needed);
944 return -1;
945 }
946 }
947
948 return 0; // Using existing directory
949 }
950
FreeStash(const std::string & base,const std::string & id)951 static int FreeStash(const std::string& base, const std::string& id) {
952 if (base.empty() || id.empty()) {
953 return -1;
954 }
955
956 DeleteFile(GetStashFileName(base, id, ""));
957
958 return 0;
959 }
960
961 // Source contains packed data, which we want to move to the locations given in locs in the dest
962 // buffer. source and dest may be the same buffer.
MoveRange(std::vector<uint8_t> & dest,const RangeSet & locs,const std::vector<uint8_t> & source)963 static void MoveRange(std::vector<uint8_t>& dest, const RangeSet& locs,
964 const std::vector<uint8_t>& source) {
965 const uint8_t* from = source.data();
966 uint8_t* to = dest.data();
967 size_t start = locs.blocks();
968 // Must do the movement backward.
969 for (auto it = locs.crbegin(); it != locs.crend(); it++) {
970 size_t blocks = it->second - it->first;
971 start -= blocks;
972 memmove(to + (it->first * BLOCKSIZE), from + (start * BLOCKSIZE), blocks * BLOCKSIZE);
973 }
974 }
975
976 /**
977 * We expect to parse the remainder of the parameter tokens as one of:
978 *
979 * <src_block_count> <src_range>
980 * (loads data from source image only)
981 *
982 * <src_block_count> - <[stash_id:stash_range] ...>
983 * (loads data from stashes only)
984 *
985 * <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
986 * (loads data from both source image and stashes)
987 *
988 * On return, params.buffer is filled with the loaded source data (rearranged and combined with
989 * stashed data as necessary). buffer may be reallocated if needed to accommodate the source data.
990 * tgt is the target RangeSet for detecting overlaps. Any stashes required are loaded using
991 * LoadStash.
992 */
LoadSourceBlocks(CommandParameters & params,const RangeSet & tgt,size_t * src_blocks,bool * overlap)993 static int LoadSourceBlocks(CommandParameters& params, const RangeSet& tgt, size_t* src_blocks,
994 bool* overlap) {
995 CHECK(src_blocks != nullptr);
996 CHECK(overlap != nullptr);
997
998 // <src_block_count>
999 const std::string& token = params.tokens[params.cpos++];
1000 if (!android::base::ParseUint(token, src_blocks)) {
1001 LOG(ERROR) << "invalid src_block_count \"" << token << "\"";
1002 return -1;
1003 }
1004
1005 allocate(*src_blocks * BLOCKSIZE, ¶ms.buffer);
1006
1007 // "-" or <src_range> [<src_loc>]
1008 if (params.tokens[params.cpos] == "-") {
1009 // no source ranges, only stashes
1010 params.cpos++;
1011 } else {
1012 RangeSet src = RangeSet::Parse(params.tokens[params.cpos++]);
1013 CHECK(static_cast<bool>(src));
1014 *overlap = src.Overlaps(tgt);
1015
1016 if (ReadBlocks(src, ¶ms.buffer, params.fd) == -1) {
1017 return -1;
1018 }
1019
1020 if (params.cpos >= params.tokens.size()) {
1021 // no stashes, only source range
1022 return 0;
1023 }
1024
1025 RangeSet locs = RangeSet::Parse(params.tokens[params.cpos++]);
1026 CHECK(static_cast<bool>(locs));
1027 MoveRange(params.buffer, locs, params.buffer);
1028 }
1029
1030 // <[stash_id:stash_range]>
1031 while (params.cpos < params.tokens.size()) {
1032 // Each word is a an index into the stash table, a colon, and then a RangeSet describing where
1033 // in the source block that stashed data should go.
1034 std::vector<std::string> tokens = android::base::Split(params.tokens[params.cpos++], ":");
1035 if (tokens.size() != 2) {
1036 LOG(ERROR) << "invalid parameter";
1037 return -1;
1038 }
1039
1040 std::vector<uint8_t> stash;
1041 if (LoadStash(params, tokens[0], false, &stash, true) == -1) {
1042 // These source blocks will fail verification if used later, but we
1043 // will let the caller decide if this is a fatal failure
1044 LOG(ERROR) << "failed to load stash " << tokens[0];
1045 continue;
1046 }
1047
1048 RangeSet locs = RangeSet::Parse(tokens[1]);
1049 CHECK(static_cast<bool>(locs));
1050 MoveRange(params.buffer, locs, stash);
1051 }
1052
1053 return 0;
1054 }
1055
1056 /**
1057 * Do a source/target load for move/bsdiff/imgdiff in version 3.
1058 *
1059 * We expect to parse the remainder of the parameter tokens as one of:
1060 *
1061 * <tgt_range> <src_block_count> <src_range>
1062 * (loads data from source image only)
1063 *
1064 * <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
1065 * (loads data from stashes only)
1066 *
1067 * <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
1068 * (loads data from both source image and stashes)
1069 *
1070 * 'onehash' tells whether to expect separate source and targe block hashes, or if they are both the
1071 * same and only one hash should be expected. params.isunresumable will be set to true if block
1072 * verification fails in a way that the update cannot be resumed anymore.
1073 *
1074 * If the function is unable to load the necessary blocks or their contents don't match the hashes,
1075 * the return value is -1 and the command should be aborted.
1076 *
1077 * If the return value is 1, the command has already been completed according to the contents of the
1078 * target blocks, and should not be performed again.
1079 *
1080 * If the return value is 0, source blocks have expected content and the command can be performed.
1081 */
LoadSrcTgtVersion3(CommandParameters & params,RangeSet * tgt,size_t * src_blocks,bool onehash)1082 static int LoadSrcTgtVersion3(CommandParameters& params, RangeSet* tgt, size_t* src_blocks,
1083 bool onehash) {
1084 CHECK(src_blocks != nullptr);
1085
1086 if (params.cpos >= params.tokens.size()) {
1087 LOG(ERROR) << "missing source hash";
1088 return -1;
1089 }
1090
1091 std::string srchash = params.tokens[params.cpos++];
1092 std::string tgthash;
1093
1094 if (onehash) {
1095 tgthash = srchash;
1096 } else {
1097 if (params.cpos >= params.tokens.size()) {
1098 LOG(ERROR) << "missing target hash";
1099 return -1;
1100 }
1101 tgthash = params.tokens[params.cpos++];
1102 }
1103
1104 // At least it needs to provide three parameters: <tgt_range>, <src_block_count> and
1105 // "-"/<src_range>.
1106 if (params.cpos + 2 >= params.tokens.size()) {
1107 LOG(ERROR) << "invalid parameters";
1108 return -1;
1109 }
1110
1111 // <tgt_range>
1112 *tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1113 CHECK(static_cast<bool>(*tgt));
1114
1115 std::vector<uint8_t> tgtbuffer(tgt->blocks() * BLOCKSIZE);
1116 if (ReadBlocks(*tgt, &tgtbuffer, params.fd) == -1) {
1117 return -1;
1118 }
1119
1120 // Return now if target blocks already have expected content.
1121 if (VerifyBlocks(tgthash, tgtbuffer, tgt->blocks(), false) == 0) {
1122 return 1;
1123 }
1124
1125 // Load source blocks.
1126 bool overlap = false;
1127 if (LoadSourceBlocks(params, *tgt, src_blocks, &overlap) == -1) {
1128 return -1;
1129 }
1130
1131 if (VerifyBlocks(srchash, params.buffer, *src_blocks, true) == 0) {
1132 // If source and target blocks overlap, stash the source blocks so we can resume from possible
1133 // write errors. In verify mode, we can skip stashing because the source blocks won't be
1134 // overwritten.
1135 if (overlap && params.canwrite) {
1136 LOG(INFO) << "stashing " << *src_blocks << " overlapping blocks to " << srchash;
1137
1138 bool stash_exists = false;
1139 if (WriteStash(params.stashbase, srchash, *src_blocks, params.buffer, true,
1140 &stash_exists) != 0) {
1141 LOG(ERROR) << "failed to stash overlapping source blocks";
1142 return -1;
1143 }
1144
1145 params.stashed += *src_blocks;
1146 // Can be deleted when the write has completed.
1147 if (!stash_exists) {
1148 params.freestash = srchash;
1149 }
1150 }
1151
1152 // Source blocks have expected content, command can proceed.
1153 return 0;
1154 }
1155
1156 if (overlap && LoadStash(params, srchash, true, ¶ms.buffer, true) == 0) {
1157 // Overlapping source blocks were previously stashed, command can proceed. We are recovering
1158 // from an interrupted command, so we don't know if the stash can safely be deleted after this
1159 // command.
1160 return 0;
1161 }
1162
1163 // Valid source data not available, update cannot be resumed.
1164 LOG(ERROR) << "partition has unexpected contents";
1165 PrintHashForCorruptedSourceBlocks(params, params.buffer);
1166
1167 params.isunresumable = true;
1168
1169 return -1;
1170 }
1171
PerformCommandMove(CommandParameters & params)1172 static int PerformCommandMove(CommandParameters& params) {
1173 size_t blocks = 0;
1174 RangeSet tgt;
1175 int status = LoadSrcTgtVersion3(params, &tgt, &blocks, true);
1176
1177 if (status == -1) {
1178 LOG(ERROR) << "failed to read blocks for move";
1179 return -1;
1180 }
1181
1182 if (status == 0) {
1183 params.foundwrites = true;
1184 } else {
1185 params.target_verified = true;
1186 if (params.foundwrites) {
1187 LOG(WARNING) << "warning: commands executed out of order [" << params.cmdname << "]";
1188 }
1189 }
1190
1191 if (params.canwrite) {
1192 if (status == 0) {
1193 LOG(INFO) << " moving " << blocks << " blocks";
1194
1195 if (WriteBlocks(tgt, params.buffer, params.fd) == -1) {
1196 return -1;
1197 }
1198 } else {
1199 LOG(INFO) << "skipping " << blocks << " already moved blocks";
1200 }
1201 }
1202
1203 if (!params.freestash.empty()) {
1204 FreeStash(params.stashbase, params.freestash);
1205 params.freestash.clear();
1206 }
1207
1208 params.written += tgt.blocks();
1209
1210 return 0;
1211 }
1212
PerformCommandStash(CommandParameters & params)1213 static int PerformCommandStash(CommandParameters& params) {
1214 // <stash_id> <src_range>
1215 if (params.cpos + 1 >= params.tokens.size()) {
1216 LOG(ERROR) << "missing id and/or src range fields in stash command";
1217 return -1;
1218 }
1219
1220 const std::string& id = params.tokens[params.cpos++];
1221 if (LoadStash(params, id, true, ¶ms.buffer, false) == 0) {
1222 // Stash file already exists and has expected contents. Do not read from source again, as the
1223 // source may have been already overwritten during a previous attempt.
1224 return 0;
1225 }
1226
1227 RangeSet src = RangeSet::Parse(params.tokens[params.cpos++]);
1228 CHECK(static_cast<bool>(src));
1229
1230 size_t blocks = src.blocks();
1231 allocate(blocks * BLOCKSIZE, ¶ms.buffer);
1232 if (ReadBlocks(src, ¶ms.buffer, params.fd) == -1) {
1233 return -1;
1234 }
1235 stash_map[id] = src;
1236
1237 if (VerifyBlocks(id, params.buffer, blocks, true) != 0) {
1238 // Source blocks have unexpected contents. If we actually need this data later, this is an
1239 // unrecoverable error. However, the command that uses the data may have already completed
1240 // previously, so the possible failure will occur during source block verification.
1241 LOG(ERROR) << "failed to load source blocks for stash " << id;
1242 return 0;
1243 }
1244
1245 // In verify mode, we don't need to stash any blocks.
1246 if (!params.canwrite) {
1247 return 0;
1248 }
1249
1250 LOG(INFO) << "stashing " << blocks << " blocks to " << id;
1251 int result = WriteStash(params.stashbase, id, blocks, params.buffer, false, nullptr);
1252 if (result == 0) {
1253 params.stashed += blocks;
1254 }
1255 return result;
1256 }
1257
PerformCommandFree(CommandParameters & params)1258 static int PerformCommandFree(CommandParameters& params) {
1259 // <stash_id>
1260 if (params.cpos >= params.tokens.size()) {
1261 LOG(ERROR) << "missing stash id in free command";
1262 return -1;
1263 }
1264
1265 const std::string& id = params.tokens[params.cpos++];
1266 stash_map.erase(id);
1267
1268 if (params.createdstash || params.canwrite) {
1269 return FreeStash(params.stashbase, id);
1270 }
1271
1272 return 0;
1273 }
1274
PerformCommandZero(CommandParameters & params)1275 static int PerformCommandZero(CommandParameters& params) {
1276 if (params.cpos >= params.tokens.size()) {
1277 LOG(ERROR) << "missing target blocks for zero";
1278 return -1;
1279 }
1280
1281 RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1282 CHECK(static_cast<bool>(tgt));
1283
1284 LOG(INFO) << " zeroing " << tgt.blocks() << " blocks";
1285
1286 allocate(BLOCKSIZE, ¶ms.buffer);
1287 memset(params.buffer.data(), 0, BLOCKSIZE);
1288
1289 if (params.canwrite) {
1290 for (const auto& [begin, end] : tgt) {
1291 off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
1292 size_t size = (end - begin) * BLOCKSIZE;
1293 if (!discard_blocks(params.fd, offset, size)) {
1294 return -1;
1295 }
1296
1297 if (!check_lseek(params.fd, offset, SEEK_SET)) {
1298 return -1;
1299 }
1300
1301 for (size_t j = begin; j < end; ++j) {
1302 if (!android::base::WriteFully(params.fd, params.buffer.data(), BLOCKSIZE)) {
1303 failure_type = errno == EIO ? kEioFailure : kFwriteFailure;
1304 PLOG(ERROR) << "Failed to write " << BLOCKSIZE << " bytes of data";
1305 return -1;
1306 }
1307 }
1308 }
1309 }
1310
1311 if (params.cmdname[0] == 'z') {
1312 // Update only for the zero command, as the erase command will call
1313 // this if DEBUG_ERASE is defined.
1314 params.written += tgt.blocks();
1315 }
1316
1317 return 0;
1318 }
1319
PerformCommandNew(CommandParameters & params)1320 static int PerformCommandNew(CommandParameters& params) {
1321 if (params.cpos >= params.tokens.size()) {
1322 LOG(ERROR) << "missing target blocks for new";
1323 return -1;
1324 }
1325
1326 RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1327 CHECK(static_cast<bool>(tgt));
1328
1329 if (params.canwrite) {
1330 LOG(INFO) << " writing " << tgt.blocks() << " blocks of new data";
1331
1332 pthread_mutex_lock(¶ms.nti.mu);
1333 params.nti.writer = std::make_unique<RangeSinkWriter>(params.fd, tgt);
1334 pthread_cond_broadcast(¶ms.nti.cv);
1335
1336 while (params.nti.writer != nullptr) {
1337 if (!params.nti.receiver_available) {
1338 LOG(ERROR) << "missing " << (tgt.blocks() * BLOCKSIZE - params.nti.writer->BytesWritten())
1339 << " bytes of new data";
1340 pthread_mutex_unlock(¶ms.nti.mu);
1341 return -1;
1342 }
1343 pthread_cond_wait(¶ms.nti.cv, ¶ms.nti.mu);
1344 }
1345
1346 pthread_mutex_unlock(¶ms.nti.mu);
1347 }
1348
1349 params.written += tgt.blocks();
1350
1351 return 0;
1352 }
1353
PerformCommandDiff(CommandParameters & params)1354 static int PerformCommandDiff(CommandParameters& params) {
1355 // <offset> <length>
1356 if (params.cpos + 1 >= params.tokens.size()) {
1357 LOG(ERROR) << "missing patch offset or length for " << params.cmdname;
1358 return -1;
1359 }
1360
1361 size_t offset;
1362 if (!android::base::ParseUint(params.tokens[params.cpos++], &offset)) {
1363 LOG(ERROR) << "invalid patch offset";
1364 return -1;
1365 }
1366
1367 size_t len;
1368 if (!android::base::ParseUint(params.tokens[params.cpos++], &len)) {
1369 LOG(ERROR) << "invalid patch len";
1370 return -1;
1371 }
1372
1373 RangeSet tgt;
1374 size_t blocks = 0;
1375 int status = LoadSrcTgtVersion3(params, &tgt, &blocks, false);
1376
1377 if (status == -1) {
1378 LOG(ERROR) << "failed to read blocks for diff";
1379 return -1;
1380 }
1381
1382 if (status == 0) {
1383 params.foundwrites = true;
1384 } else {
1385 params.target_verified = true;
1386 if (params.foundwrites) {
1387 LOG(WARNING) << "warning: commands executed out of order [" << params.cmdname << "]";
1388 }
1389 }
1390
1391 if (params.canwrite) {
1392 if (status == 0) {
1393 LOG(INFO) << "patching " << blocks << " blocks to " << tgt.blocks();
1394 Value patch_value(
1395 Value::Type::BLOB,
1396 std::string(reinterpret_cast<const char*>(params.patch_start + offset), len));
1397
1398 RangeSinkWriter writer(params.fd, tgt);
1399 if (params.cmdname[0] == 'i') { // imgdiff
1400 if (ApplyImagePatch(params.buffer.data(), blocks * BLOCKSIZE, patch_value,
1401 std::bind(&RangeSinkWriter::Write, &writer, std::placeholders::_1,
1402 std::placeholders::_2),
1403 nullptr) != 0) {
1404 LOG(ERROR) << "Failed to apply image patch.";
1405 failure_type = kPatchApplicationFailure;
1406 return -1;
1407 }
1408 } else {
1409 if (ApplyBSDiffPatch(params.buffer.data(), blocks * BLOCKSIZE, patch_value, 0,
1410 std::bind(&RangeSinkWriter::Write, &writer, std::placeholders::_1,
1411 std::placeholders::_2)) != 0) {
1412 LOG(ERROR) << "Failed to apply bsdiff patch.";
1413 failure_type = kPatchApplicationFailure;
1414 return -1;
1415 }
1416 }
1417
1418 // We expect the output of the patcher to fill the tgt ranges exactly.
1419 if (!writer.Finished()) {
1420 LOG(ERROR) << "Failed to fully write target blocks (range sink underrun): Missing "
1421 << writer.AvailableSpace() << " bytes";
1422 failure_type = kPatchApplicationFailure;
1423 return -1;
1424 }
1425 } else {
1426 LOG(INFO) << "skipping " << blocks << " blocks already patched to " << tgt.blocks() << " ["
1427 << params.cmdline << "]";
1428 }
1429 }
1430
1431 if (!params.freestash.empty()) {
1432 FreeStash(params.stashbase, params.freestash);
1433 params.freestash.clear();
1434 }
1435
1436 params.written += tgt.blocks();
1437
1438 return 0;
1439 }
1440
PerformCommandErase(CommandParameters & params)1441 static int PerformCommandErase(CommandParameters& params) {
1442 if (DEBUG_ERASE) {
1443 return PerformCommandZero(params);
1444 }
1445
1446 struct stat sb;
1447 if (fstat(params.fd, &sb) == -1) {
1448 PLOG(ERROR) << "failed to fstat device to erase";
1449 return -1;
1450 }
1451
1452 if (!S_ISBLK(sb.st_mode)) {
1453 LOG(ERROR) << "not a block device; skipping erase";
1454 return -1;
1455 }
1456
1457 if (params.cpos >= params.tokens.size()) {
1458 LOG(ERROR) << "missing target blocks for erase";
1459 return -1;
1460 }
1461
1462 RangeSet tgt = RangeSet::Parse(params.tokens[params.cpos++]);
1463 CHECK(static_cast<bool>(tgt));
1464
1465 if (params.canwrite) {
1466 LOG(INFO) << " erasing " << tgt.blocks() << " blocks";
1467
1468 for (const auto& [begin, end] : tgt) {
1469 off64_t offset = static_cast<off64_t>(begin) * BLOCKSIZE;
1470 size_t size = (end - begin) * BLOCKSIZE;
1471 if (!discard_blocks(params.fd, offset, size, true /* force */)) {
1472 return -1;
1473 }
1474 }
1475 }
1476
1477 return 0;
1478 }
1479
PerformCommandAbort(CommandParameters &)1480 static int PerformCommandAbort(CommandParameters&) {
1481 LOG(INFO) << "Aborting as instructed";
1482 return -1;
1483 }
1484
1485 // Computes the hash_tree bytes based on the parameters, checks if the root hash of the tree
1486 // matches the expected hash and writes the result to the specified range on the block_device.
1487 // Hash_tree computation arguments:
1488 // hash_tree_ranges
1489 // source_ranges
1490 // hash_algorithm
1491 // salt_hex
1492 // root_hash
PerformCommandComputeHashTree(CommandParameters & params)1493 static int PerformCommandComputeHashTree(CommandParameters& params) {
1494 if (params.cpos + 5 != params.tokens.size()) {
1495 LOG(ERROR) << "Invaild arguments count in hash computation " << params.cmdline;
1496 return -1;
1497 }
1498
1499 // Expects the hash_tree data to be contiguous.
1500 RangeSet hash_tree_ranges = RangeSet::Parse(params.tokens[params.cpos++]);
1501 if (!hash_tree_ranges || hash_tree_ranges.size() != 1) {
1502 LOG(ERROR) << "Invalid hash tree ranges in " << params.cmdline;
1503 return -1;
1504 }
1505
1506 RangeSet source_ranges = RangeSet::Parse(params.tokens[params.cpos++]);
1507 if (!source_ranges) {
1508 LOG(ERROR) << "Invalid source ranges in " << params.cmdline;
1509 return -1;
1510 }
1511
1512 auto hash_function = HashTreeBuilder::HashFunction(params.tokens[params.cpos++]);
1513 if (hash_function == nullptr) {
1514 LOG(ERROR) << "Invalid hash algorithm in " << params.cmdline;
1515 return -1;
1516 }
1517
1518 std::vector<unsigned char> salt;
1519 std::string salt_hex = params.tokens[params.cpos++];
1520 if (salt_hex.empty() || !HashTreeBuilder::ParseBytesArrayFromString(salt_hex, &salt)) {
1521 LOG(ERROR) << "Failed to parse salt in " << params.cmdline;
1522 return -1;
1523 }
1524
1525 std::string expected_root_hash = params.tokens[params.cpos++];
1526 if (expected_root_hash.empty()) {
1527 LOG(ERROR) << "Invalid root hash in " << params.cmdline;
1528 return -1;
1529 }
1530
1531 // Starts the hash_tree computation.
1532 HashTreeBuilder builder(BLOCKSIZE, hash_function);
1533 if (!builder.Initialize(static_cast<int64_t>(source_ranges.blocks()) * BLOCKSIZE, salt)) {
1534 LOG(ERROR) << "Failed to initialize hash tree computation, source " << source_ranges.ToString()
1535 << ", salt " << salt_hex;
1536 return -1;
1537 }
1538
1539 // Iterates through every block in the source_ranges and updates the hash tree structure
1540 // accordingly.
1541 for (const auto& [begin, end] : source_ranges) {
1542 uint8_t buffer[BLOCKSIZE];
1543 if (!check_lseek(params.fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
1544 PLOG(ERROR) << "Failed to seek to block: " << begin;
1545 return -1;
1546 }
1547
1548 for (size_t i = begin; i < end; i++) {
1549 if (!android::base::ReadFully(params.fd, buffer, BLOCKSIZE)) {
1550 failure_type = errno == EIO ? kEioFailure : kFreadFailure;
1551 LOG(ERROR) << "Failed to read data in " << begin << ":" << end;
1552 return -1;
1553 }
1554
1555 if (!builder.Update(reinterpret_cast<unsigned char*>(buffer), BLOCKSIZE)) {
1556 LOG(ERROR) << "Failed to update hash tree builder";
1557 return -1;
1558 }
1559 }
1560 }
1561
1562 if (!builder.BuildHashTree()) {
1563 LOG(ERROR) << "Failed to build hash tree";
1564 return -1;
1565 }
1566
1567 std::string root_hash_hex = HashTreeBuilder::BytesArrayToString(builder.root_hash());
1568 if (root_hash_hex != expected_root_hash) {
1569 LOG(ERROR) << "Root hash of the verity hash tree doesn't match the expected value. Expected: "
1570 << expected_root_hash << ", actual: " << root_hash_hex;
1571 return -1;
1572 }
1573
1574 uint64_t write_offset = static_cast<uint64_t>(hash_tree_ranges.GetBlockNumber(0)) * BLOCKSIZE;
1575 if (params.canwrite && !builder.WriteHashTreeToFd(params.fd, write_offset)) {
1576 LOG(ERROR) << "Failed to write hash tree to output";
1577 return -1;
1578 }
1579
1580 // TODO(xunchang) validates the written bytes
1581
1582 return 0;
1583 }
1584
1585 using CommandFunction = std::function<int(CommandParameters&)>;
1586
1587 using CommandMap = std::unordered_map<Command::Type, CommandFunction>;
1588
Sha1DevicePath(const std::string & path,uint8_t digest[SHA_DIGEST_LENGTH])1589 static bool Sha1DevicePath(const std::string& path, uint8_t digest[SHA_DIGEST_LENGTH]) {
1590 auto device_name = android::base::Basename(path);
1591 auto dm_target_name_path = "/sys/block/" + device_name + "/dm/name";
1592
1593 struct stat sb;
1594 if (stat(dm_target_name_path.c_str(), &sb) == 0) {
1595 // This is a device mapper target. Use partition name as part of the hash instead. Do not
1596 // include extents as part of the hash, because the size of a partition may be shrunk after
1597 // the patches are applied.
1598 std::string dm_target_name;
1599 if (!android::base::ReadFileToString(dm_target_name_path, &dm_target_name)) {
1600 PLOG(ERROR) << "Cannot read " << dm_target_name_path;
1601 return false;
1602 }
1603 SHA1(reinterpret_cast<const uint8_t*>(dm_target_name.data()), dm_target_name.size(), digest);
1604 return true;
1605 }
1606
1607 if (errno != ENOENT) {
1608 // This is a device mapper target, but its name cannot be retrieved.
1609 PLOG(ERROR) << "Cannot get dm target name for " << path;
1610 return false;
1611 }
1612
1613 // This doesn't appear to be a device mapper target, but if its name starts with dm-, something
1614 // else might have gone wrong.
1615 if (android::base::StartsWith(device_name, "dm-")) {
1616 LOG(WARNING) << "Device " << path << " starts with dm- but is not mapped by device-mapper.";
1617 }
1618
1619 // Stash directory should be different for each partition to avoid conflicts when updating
1620 // multiple partitions at the same time, so we use the hash of the block device name as the base
1621 // directory.
1622 SHA1(reinterpret_cast<const uint8_t*>(path.data()), path.size(), digest);
1623 return true;
1624 }
1625
PerformBlockImageUpdate(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv,const CommandMap & command_map,bool dryrun)1626 static Value* PerformBlockImageUpdate(const char* name, State* state,
1627 const std::vector<std::unique_ptr<Expr>>& argv,
1628 const CommandMap& command_map, bool dryrun) {
1629 CommandParameters params{};
1630 stash_map.clear();
1631 params.canwrite = !dryrun;
1632
1633 LOG(INFO) << "performing " << (dryrun ? "verification" : "update");
1634 if (state->is_retry) {
1635 is_retry = true;
1636 LOG(INFO) << "This update is a retry.";
1637 }
1638 if (argv.size() != 4) {
1639 ErrorAbort(state, kArgsParsingFailure, "block_image_update expects 4 arguments, got %zu",
1640 argv.size());
1641 return StringValue("");
1642 }
1643
1644 std::vector<std::unique_ptr<Value>> args;
1645 if (!ReadValueArgs(state, argv, &args)) {
1646 return nullptr;
1647 }
1648
1649 // args:
1650 // - block device (or file) to modify in-place
1651 // - transfer list (blob)
1652 // - new data stream (filename within package.zip)
1653 // - patch stream (filename within package.zip, must be uncompressed)
1654 const std::unique_ptr<Value>& blockdev_filename = args[0];
1655 const std::unique_ptr<Value>& transfer_list_value = args[1];
1656 const std::unique_ptr<Value>& new_data_fn = args[2];
1657 const std::unique_ptr<Value>& patch_data_fn = args[3];
1658
1659 if (blockdev_filename->type != Value::Type::STRING) {
1660 ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string", name);
1661 return StringValue("");
1662 }
1663 if (transfer_list_value->type != Value::Type::BLOB) {
1664 ErrorAbort(state, kArgsParsingFailure, "transfer_list argument to %s must be blob", name);
1665 return StringValue("");
1666 }
1667 if (new_data_fn->type != Value::Type::STRING) {
1668 ErrorAbort(state, kArgsParsingFailure, "new_data_fn argument to %s must be string", name);
1669 return StringValue("");
1670 }
1671 if (patch_data_fn->type != Value::Type::STRING) {
1672 ErrorAbort(state, kArgsParsingFailure, "patch_data_fn argument to %s must be string", name);
1673 return StringValue("");
1674 }
1675
1676 auto updater = state->updater;
1677 auto block_device_path = updater->FindBlockDeviceName(blockdev_filename->data);
1678 if (block_device_path.empty()) {
1679 LOG(ERROR) << "Block device path for " << blockdev_filename->data << " not found. " << name
1680 << " failed.";
1681 return StringValue("");
1682 }
1683
1684 ZipArchiveHandle za = updater->GetPackageHandle();
1685 if (za == nullptr) {
1686 return StringValue("");
1687 }
1688
1689 std::string_view path_data(patch_data_fn->data);
1690 ZipEntry64 patch_entry;
1691 if (FindEntry(za, path_data, &patch_entry) != 0) {
1692 LOG(ERROR) << name << "(): no file \"" << patch_data_fn->data << "\" in package";
1693 return StringValue("");
1694 }
1695 params.patch_start = updater->GetMappedPackageAddress() + patch_entry.offset;
1696
1697 std::string_view new_data(new_data_fn->data);
1698 ZipEntry64 new_entry;
1699 if (FindEntry(za, new_data, &new_entry) != 0) {
1700 LOG(ERROR) << name << "(): no file \"" << new_data_fn->data << "\" in package";
1701 return StringValue("");
1702 }
1703
1704 params.fd.reset(TEMP_FAILURE_RETRY(open(block_device_path.c_str(), O_RDWR)));
1705 if (params.fd == -1) {
1706 failure_type = errno == EIO ? kEioFailure : kFileOpenFailure;
1707 PLOG(ERROR) << "open \"" << block_device_path << "\" failed";
1708 return StringValue("");
1709 }
1710
1711 uint8_t digest[SHA_DIGEST_LENGTH];
1712 if (!Sha1DevicePath(block_device_path, digest)) {
1713 return StringValue("");
1714 }
1715 params.stashbase = print_sha1(digest);
1716
1717 // Possibly do return early on retry, by checking the marker. If the update on this partition has
1718 // been finished (but interrupted at a later point), there could be leftover on /cache that would
1719 // fail the no-op retry.
1720 std::string updated_marker = GetStashFileName(params.stashbase + ".UPDATED", "", "");
1721 if (is_retry) {
1722 struct stat sb;
1723 int result = stat(updated_marker.c_str(), &sb);
1724 if (result == 0) {
1725 LOG(INFO) << "Skipping already updated partition " << block_device_path << " based on marker";
1726 return StringValue("t");
1727 }
1728 } else {
1729 // Delete the obsolete marker if any.
1730 std::string err;
1731 if (!android::base::RemoveFileIfExists(updated_marker, &err)) {
1732 LOG(ERROR) << "Failed to remove partition updated marker " << updated_marker << ": " << err;
1733 return StringValue("");
1734 }
1735 }
1736
1737 static constexpr size_t kTransferListHeaderLines = 4;
1738 std::vector<std::string> lines = android::base::Split(transfer_list_value->data, "\n");
1739 if (lines.size() < kTransferListHeaderLines) {
1740 ErrorAbort(state, kArgsParsingFailure, "too few lines in the transfer list [%zu]",
1741 lines.size());
1742 return StringValue("");
1743 }
1744
1745 // First line in transfer list is the version number.
1746 if (!android::base::ParseInt(lines[0], ¶ms.version, 3, 4)) {
1747 LOG(ERROR) << "unexpected transfer list version [" << lines[0] << "]";
1748 return StringValue("");
1749 }
1750
1751 LOG(INFO) << "blockimg version is " << params.version;
1752
1753 // Second line in transfer list is the total number of blocks we expect to write.
1754 size_t total_blocks;
1755 if (!android::base::ParseUint(lines[1], &total_blocks)) {
1756 ErrorAbort(state, kArgsParsingFailure, "unexpected block count [%s]", lines[1].c_str());
1757 return StringValue("");
1758 }
1759
1760 if (total_blocks == 0) {
1761 return StringValue("t");
1762 }
1763
1764 // Third line is how many stash entries are needed simultaneously.
1765 LOG(INFO) << "maximum stash entries " << lines[2];
1766
1767 // Fourth line is the maximum number of blocks that will be stashed simultaneously
1768 size_t stash_max_blocks;
1769 if (!android::base::ParseUint(lines[3], &stash_max_blocks)) {
1770 ErrorAbort(state, kArgsParsingFailure, "unexpected maximum stash blocks [%s]",
1771 lines[3].c_str());
1772 return StringValue("");
1773 }
1774
1775 int res = CreateStash(state, stash_max_blocks, params.stashbase);
1776 if (res == -1) {
1777 return StringValue("");
1778 }
1779 params.createdstash = res;
1780
1781 // Set up the new data writer.
1782 if (params.canwrite) {
1783 params.nti.za = za;
1784 params.nti.entry = new_entry;
1785 params.nti.brotli_compressed = android::base::EndsWith(new_data_fn->data, ".br");
1786 if (params.nti.brotli_compressed) {
1787 // Initialize brotli decoder state.
1788 params.nti.brotli_decoder_state = BrotliDecoderCreateInstance(nullptr, nullptr, nullptr);
1789 }
1790 params.nti.receiver_available = true;
1791
1792 pthread_mutex_init(¶ms.nti.mu, nullptr);
1793 pthread_cond_init(¶ms.nti.cv, nullptr);
1794 pthread_attr_t attr;
1795 pthread_attr_init(&attr);
1796 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
1797
1798 int error = pthread_create(¶ms.thread, &attr, unzip_new_data, ¶ms.nti);
1799 if (error != 0) {
1800 LOG(ERROR) << "pthread_create failed: " << strerror(error);
1801 return StringValue("");
1802 }
1803 }
1804
1805 // When performing an update, save the index and cmdline of the current command into the
1806 // last_command_file.
1807 // Upon resuming an update, read the saved index first; then
1808 // 1. In verification mode, check if the 'move' or 'diff' commands before the saved index has
1809 // the expected target blocks already. If not, these commands cannot be skipped and we need
1810 // to attempt to execute them again. Therefore, we will delete the last_command_file so that
1811 // the update will resume from the start of the transfer list.
1812 // 2. In update mode, skip all commands before the saved index. Therefore, we can avoid deleting
1813 // stashes with duplicate id unintentionally (b/69858743); and also speed up the update.
1814 // If an update succeeds or is unresumable, delete the last_command_file.
1815 bool skip_executed_command = true;
1816 size_t saved_last_command_index;
1817 if (!ParseLastCommandFile(&saved_last_command_index)) {
1818 DeleteLastCommandFile();
1819 // We failed to parse the last command. Disallow skipping executed commands.
1820 skip_executed_command = false;
1821 }
1822
1823 int rc = -1;
1824
1825 // Subsequent lines are all individual transfer commands
1826 for (size_t i = kTransferListHeaderLines; i < lines.size(); i++) {
1827 const std::string& line = lines[i];
1828 if (line.empty()) continue;
1829
1830 size_t cmdindex = i - kTransferListHeaderLines;
1831 params.tokens = android::base::Split(line, " ");
1832 params.cpos = 0;
1833 params.cmdname = params.tokens[params.cpos++];
1834 params.cmdline = line;
1835 params.target_verified = false;
1836
1837 Command::Type cmd_type = Command::ParseType(params.cmdname);
1838 if (cmd_type == Command::Type::LAST) {
1839 LOG(ERROR) << "unexpected command [" << params.cmdname << "]";
1840 goto pbiudone;
1841 }
1842
1843 const CommandFunction& performer = command_map.at(cmd_type);
1844
1845 // Skip the command if we explicitly set the corresponding function pointer to nullptr, e.g.
1846 // "erase" during block_image_verify.
1847 if (performer == nullptr) {
1848 LOG(DEBUG) << "skip executing command [" << line << "]";
1849 continue;
1850 }
1851
1852 // Skip all commands before the saved last command index when resuming an update, except for
1853 // "new" command. Because new commands read in the data sequentially.
1854 if (params.canwrite && skip_executed_command && cmdindex <= saved_last_command_index &&
1855 cmd_type != Command::Type::NEW) {
1856 LOG(INFO) << "Skipping already executed command: " << cmdindex
1857 << ", last executed command for previous update: " << saved_last_command_index;
1858 continue;
1859 }
1860
1861 if (performer(params) == -1) {
1862 LOG(ERROR) << "failed to execute command [" << line << "]";
1863 if (cmd_type == Command::Type::COMPUTE_HASH_TREE && failure_type == kNoCause) {
1864 failure_type = kHashTreeComputationFailure;
1865 }
1866 goto pbiudone;
1867 }
1868
1869 // In verify mode, check if the commands before the saved last_command_index have been executed
1870 // correctly. If some target blocks have unexpected contents, delete the last command file so
1871 // that we will resume the update from the first command in the transfer list.
1872 if (!params.canwrite && skip_executed_command && cmdindex <= saved_last_command_index) {
1873 // TODO(xunchang) check that the cmdline of the saved index is correct.
1874 if ((cmd_type == Command::Type::MOVE || cmd_type == Command::Type::BSDIFF ||
1875 cmd_type == Command::Type::IMGDIFF) &&
1876 !params.target_verified) {
1877 LOG(WARNING) << "Previously executed command " << saved_last_command_index << ": "
1878 << params.cmdline << " doesn't produce expected target blocks.";
1879 skip_executed_command = false;
1880 DeleteLastCommandFile();
1881 }
1882 }
1883
1884 if (params.canwrite) {
1885 if (fsync(params.fd) == -1) {
1886 failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
1887 PLOG(ERROR) << "fsync failed";
1888 goto pbiudone;
1889 }
1890
1891 if (!UpdateLastCommandIndex(cmdindex, params.cmdline)) {
1892 LOG(WARNING) << "Failed to update the last command file.";
1893 }
1894
1895 updater->WriteToCommandPipe(
1896 android::base::StringPrintf("set_progress %.4f",
1897 static_cast<double>(params.written) / total_blocks),
1898 true);
1899 }
1900 }
1901
1902 rc = 0;
1903
1904 pbiudone:
1905 if (params.canwrite) {
1906 pthread_mutex_lock(¶ms.nti.mu);
1907 if (params.nti.receiver_available) {
1908 LOG(WARNING) << "new data receiver is still available after executing all commands.";
1909 }
1910 params.nti.receiver_available = false;
1911 pthread_cond_broadcast(¶ms.nti.cv);
1912 pthread_mutex_unlock(¶ms.nti.mu);
1913 int ret = pthread_join(params.thread, nullptr);
1914 if (ret != 0) {
1915 LOG(WARNING) << "pthread join returned with " << strerror(ret);
1916 }
1917
1918 if (rc == 0) {
1919 LOG(INFO) << "wrote " << params.written << " blocks; expected " << total_blocks;
1920 LOG(INFO) << "stashed " << params.stashed << " blocks";
1921 LOG(INFO) << "max alloc needed was " << params.buffer.size();
1922
1923 const char* partition = strrchr(block_device_path.c_str(), '/');
1924 if (partition != nullptr && *(partition + 1) != 0) {
1925 updater->WriteToCommandPipe(
1926 android::base::StringPrintf("log bytes_written_%s: %" PRIu64, partition + 1,
1927 static_cast<uint64_t>(params.written) * BLOCKSIZE));
1928 updater->WriteToCommandPipe(
1929 android::base::StringPrintf("log bytes_stashed_%s: %" PRIu64, partition + 1,
1930 static_cast<uint64_t>(params.stashed) * BLOCKSIZE),
1931 true);
1932 }
1933 // Delete stash only after successfully completing the update, as it may contain blocks needed
1934 // to complete the update later.
1935 DeleteStash(params.stashbase);
1936 DeleteLastCommandFile();
1937
1938 // Create a marker on /cache partition, which allows skipping the update on this partition on
1939 // retry. The marker will be removed once booting into normal boot, or before starting next
1940 // fresh install.
1941 if (!SetUpdatedMarker(updated_marker)) {
1942 LOG(WARNING) << "Failed to set updated marker; continuing";
1943 }
1944 }
1945
1946 pthread_mutex_destroy(¶ms.nti.mu);
1947 pthread_cond_destroy(¶ms.nti.cv);
1948 } else if (rc == 0) {
1949 LOG(INFO) << "verified partition contents; update may be resumed";
1950 }
1951
1952 if (fsync(params.fd) == -1) {
1953 failure_type = errno == EIO ? kEioFailure : kFsyncFailure;
1954 PLOG(ERROR) << "fsync failed";
1955 }
1956 // params.fd will be automatically closed because it's a unique_fd.
1957
1958 if (params.nti.brotli_decoder_state != nullptr) {
1959 BrotliDecoderDestroyInstance(params.nti.brotli_decoder_state);
1960 }
1961
1962 // Delete the last command file if the update cannot be resumed.
1963 if (params.isunresumable) {
1964 DeleteLastCommandFile();
1965 }
1966
1967 // Only delete the stash if the update cannot be resumed, or it's a verification run and we
1968 // created the stash.
1969 if (params.isunresumable || (!params.canwrite && params.createdstash)) {
1970 DeleteStash(params.stashbase);
1971 }
1972
1973 if (failure_type != kNoCause && state->cause_code == kNoCause) {
1974 state->cause_code = failure_type;
1975 }
1976
1977 return StringValue(rc == 0 ? "t" : "");
1978 }
1979
1980 /**
1981 * The transfer list is a text file containing commands to transfer data from one place to another
1982 * on the target partition. We parse it and execute the commands in order:
1983 *
1984 * zero [rangeset]
1985 * - Fill the indicated blocks with zeros.
1986 *
1987 * new [rangeset]
1988 * - Fill the blocks with data read from the new_data file.
1989 *
1990 * erase [rangeset]
1991 * - Mark the given blocks as empty.
1992 *
1993 * move <...>
1994 * bsdiff <patchstart> <patchlen> <...>
1995 * imgdiff <patchstart> <patchlen> <...>
1996 * - Read the source blocks, apply a patch (or not in the case of move), write result to target
1997 * blocks. bsdiff or imgdiff specifies the type of patch; move means no patch at all.
1998 *
1999 * See the comments in LoadSrcTgtVersion3() for a description of the <...> format.
2000 *
2001 * stash <stash_id> <src_range>
2002 * - Load the given source range and stash the data in the given slot of the stash table.
2003 *
2004 * free <stash_id>
2005 * - Free the given stash data.
2006 *
2007 * The creator of the transfer list will guarantee that no block is read (ie, used as the source for
2008 * a patch or move) after it has been written.
2009 *
2010 * The creator will guarantee that a given stash is loaded (with a stash command) before it's used
2011 * in a move/bsdiff/imgdiff command.
2012 *
2013 * Within one command the source and target ranges may overlap so in general we need to read the
2014 * entire source into memory before writing anything to the target blocks.
2015 *
2016 * All the patch data is concatenated into one patch_data file in the update package. It must be
2017 * stored uncompressed because we memory-map it in directly from the archive. (Since patches are
2018 * already compressed, we lose very little by not compressing their concatenation.)
2019 *
2020 * Commands that read data from the partition (i.e. move/bsdiff/imgdiff/stash) have one or more
2021 * additional hashes before the range parameters, which are used to check if the command has already
2022 * been completed and verify the integrity of the source data.
2023 */
BlockImageVerifyFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2024 Value* BlockImageVerifyFn(const char* name, State* state,
2025 const std::vector<std::unique_ptr<Expr>>& argv) {
2026 // Commands which are not allowed are set to nullptr to skip them completely.
2027 const CommandMap command_map{
2028 // clang-format off
2029 { Command::Type::ABORT, PerformCommandAbort },
2030 { Command::Type::BSDIFF, PerformCommandDiff },
2031 { Command::Type::COMPUTE_HASH_TREE, nullptr },
2032 { Command::Type::ERASE, nullptr },
2033 { Command::Type::FREE, PerformCommandFree },
2034 { Command::Type::IMGDIFF, PerformCommandDiff },
2035 { Command::Type::MOVE, PerformCommandMove },
2036 { Command::Type::NEW, nullptr },
2037 { Command::Type::STASH, PerformCommandStash },
2038 { Command::Type::ZERO, nullptr },
2039 // clang-format on
2040 };
2041 CHECK_EQ(static_cast<size_t>(Command::Type::LAST), command_map.size());
2042
2043 // Perform a dry run without writing to test if an update can proceed.
2044 return PerformBlockImageUpdate(name, state, argv, command_map, true);
2045 }
2046
BlockImageUpdateFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2047 Value* BlockImageUpdateFn(const char* name, State* state,
2048 const std::vector<std::unique_ptr<Expr>>& argv) {
2049 const CommandMap command_map{
2050 // clang-format off
2051 { Command::Type::ABORT, PerformCommandAbort },
2052 { Command::Type::BSDIFF, PerformCommandDiff },
2053 { Command::Type::COMPUTE_HASH_TREE, PerformCommandComputeHashTree },
2054 { Command::Type::ERASE, PerformCommandErase },
2055 { Command::Type::FREE, PerformCommandFree },
2056 { Command::Type::IMGDIFF, PerformCommandDiff },
2057 { Command::Type::MOVE, PerformCommandMove },
2058 { Command::Type::NEW, PerformCommandNew },
2059 { Command::Type::STASH, PerformCommandStash },
2060 { Command::Type::ZERO, PerformCommandZero },
2061 // clang-format on
2062 };
2063 CHECK_EQ(static_cast<size_t>(Command::Type::LAST), command_map.size());
2064
2065 return PerformBlockImageUpdate(name, state, argv, command_map, false);
2066 }
2067
RangeSha1Fn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2068 Value* RangeSha1Fn(const char* name, State* state, const std::vector<std::unique_ptr<Expr>>& argv) {
2069 if (argv.size() != 2) {
2070 ErrorAbort(state, kArgsParsingFailure, "range_sha1 expects 2 arguments, got %zu", argv.size());
2071 return StringValue("");
2072 }
2073
2074 std::vector<std::unique_ptr<Value>> args;
2075 if (!ReadValueArgs(state, argv, &args)) {
2076 return nullptr;
2077 }
2078
2079 const std::unique_ptr<Value>& blockdev_filename = args[0];
2080 const std::unique_ptr<Value>& ranges = args[1];
2081
2082 if (blockdev_filename->type != Value::Type::STRING) {
2083 ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string", name);
2084 return StringValue("");
2085 }
2086 if (ranges->type != Value::Type::STRING) {
2087 ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
2088 return StringValue("");
2089 }
2090
2091 auto block_device_path = state->updater->FindBlockDeviceName(blockdev_filename->data);
2092 if (block_device_path.empty()) {
2093 LOG(ERROR) << "Block device path for " << blockdev_filename->data << " not found. " << name
2094 << " failed.";
2095 return StringValue("");
2096 }
2097
2098 android::base::unique_fd fd(open(block_device_path.c_str(), O_RDWR));
2099 if (fd == -1) {
2100 CauseCode cause_code = errno == EIO ? kEioFailure : kFileOpenFailure;
2101 ErrorAbort(state, cause_code, "open \"%s\" failed: %s", block_device_path.c_str(),
2102 strerror(errno));
2103 return StringValue("");
2104 }
2105
2106 RangeSet rs = RangeSet::Parse(ranges->data);
2107 CHECK(static_cast<bool>(rs));
2108
2109 SHA_CTX ctx;
2110 SHA1_Init(&ctx);
2111
2112 std::vector<uint8_t> buffer(BLOCKSIZE);
2113 for (const auto& [begin, end] : rs) {
2114 if (!check_lseek(fd, static_cast<off64_t>(begin) * BLOCKSIZE, SEEK_SET)) {
2115 ErrorAbort(state, kLseekFailure, "failed to seek %s: %s", block_device_path.c_str(),
2116 strerror(errno));
2117 return StringValue("");
2118 }
2119
2120 for (size_t j = begin; j < end; ++j) {
2121 if (!android::base::ReadFully(fd, buffer.data(), BLOCKSIZE)) {
2122 CauseCode cause_code = errno == EIO ? kEioFailure : kFreadFailure;
2123 ErrorAbort(state, cause_code, "failed to read %s: %s", block_device_path.c_str(),
2124 strerror(errno));
2125 return StringValue("");
2126 }
2127
2128 SHA1_Update(&ctx, buffer.data(), BLOCKSIZE);
2129 }
2130 }
2131 uint8_t digest[SHA_DIGEST_LENGTH];
2132 SHA1_Final(digest, &ctx);
2133
2134 return StringValue(print_sha1(digest));
2135 }
2136
2137 // This function checks if a device has been remounted R/W prior to an incremental
2138 // OTA update. This is an common cause of update abortion. The function reads the
2139 // 1st block of each partition and check for mounting time/count. It return string "t"
2140 // if executes successfully and an empty string otherwise.
2141
CheckFirstBlockFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2142 Value* CheckFirstBlockFn(const char* name, State* state,
2143 const std::vector<std::unique_ptr<Expr>>& argv) {
2144 if (argv.size() != 1) {
2145 ErrorAbort(state, kArgsParsingFailure, "check_first_block expects 1 argument, got %zu",
2146 argv.size());
2147 return StringValue("");
2148 }
2149
2150 std::vector<std::unique_ptr<Value>> args;
2151 if (!ReadValueArgs(state, argv, &args)) {
2152 return nullptr;
2153 }
2154
2155 const std::unique_ptr<Value>& arg_filename = args[0];
2156
2157 if (arg_filename->type != Value::Type::STRING) {
2158 ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
2159 return StringValue("");
2160 }
2161
2162 auto block_device_path = state->updater->FindBlockDeviceName(arg_filename->data);
2163 if (block_device_path.empty()) {
2164 LOG(ERROR) << "Block device path for " << arg_filename->data << " not found. " << name
2165 << " failed.";
2166 return StringValue("");
2167 }
2168
2169 android::base::unique_fd fd(open(block_device_path.c_str(), O_RDONLY));
2170 if (fd == -1) {
2171 CauseCode cause_code = errno == EIO ? kEioFailure : kFileOpenFailure;
2172 ErrorAbort(state, cause_code, "open \"%s\" failed: %s", block_device_path.c_str(),
2173 strerror(errno));
2174 return StringValue("");
2175 }
2176
2177 RangeSet blk0(std::vector<Range>{ Range{ 0, 1 } });
2178 std::vector<uint8_t> block0_buffer(BLOCKSIZE);
2179
2180 if (ReadBlocks(blk0, &block0_buffer, fd) == -1) {
2181 CauseCode cause_code = errno == EIO ? kEioFailure : kFreadFailure;
2182 ErrorAbort(state, cause_code, "failed to read %s: %s", block_device_path.c_str(),
2183 strerror(errno));
2184 return StringValue("");
2185 }
2186
2187 // https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
2188 // Super block starts from block 0, offset 0x400
2189 // 0x2C: len32 Mount time
2190 // 0x30: len32 Write time
2191 // 0x34: len16 Number of mounts since the last fsck
2192 // 0x38: len16 Magic signature 0xEF53
2193
2194 time_t mount_time = *reinterpret_cast<uint32_t*>(&block0_buffer[0x400 + 0x2C]);
2195 uint16_t mount_count = *reinterpret_cast<uint16_t*>(&block0_buffer[0x400 + 0x34]);
2196
2197 if (mount_count > 0) {
2198 state->updater->UiPrint(
2199 android::base::StringPrintf("Device was remounted R/W %" PRIu16 " times", mount_count));
2200 state->updater->UiPrint(
2201 android::base::StringPrintf("Last remount happened on %s", ctime(&mount_time)));
2202 }
2203
2204 return StringValue("t");
2205 }
2206
BlockImageRecoverFn(const char * name,State * state,const std::vector<std::unique_ptr<Expr>> & argv)2207 Value* BlockImageRecoverFn(const char* name, State* state,
2208 const std::vector<std::unique_ptr<Expr>>& argv) {
2209 if (argv.size() != 2) {
2210 ErrorAbort(state, kArgsParsingFailure, "block_image_recover expects 2 arguments, got %zu",
2211 argv.size());
2212 return StringValue("");
2213 }
2214
2215 std::vector<std::unique_ptr<Value>> args;
2216 if (!ReadValueArgs(state, argv, &args)) {
2217 return nullptr;
2218 }
2219
2220 const std::unique_ptr<Value>& filename = args[0];
2221 const std::unique_ptr<Value>& ranges = args[1];
2222
2223 if (filename->type != Value::Type::STRING) {
2224 ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
2225 return StringValue("");
2226 }
2227 if (ranges->type != Value::Type::STRING) {
2228 ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
2229 return StringValue("");
2230 }
2231 RangeSet rs = RangeSet::Parse(ranges->data);
2232 if (!rs) {
2233 ErrorAbort(state, kArgsParsingFailure, "failed to parse ranges: %s", ranges->data.c_str());
2234 return StringValue("");
2235 }
2236
2237 auto block_device_path = state->updater->FindBlockDeviceName(filename->data);
2238 if (block_device_path.empty()) {
2239 LOG(ERROR) << "Block device path for " << filename->data << " not found. " << name
2240 << " failed.";
2241 return StringValue("");
2242 }
2243
2244 // Output notice to log when recover is attempted
2245 LOG(INFO) << block_device_path << " image corrupted, attempting to recover...";
2246
2247 // When opened with O_RDWR, libfec rewrites corrupted blocks when they are read
2248 fec::io fh(block_device_path, O_RDWR);
2249
2250 if (!fh) {
2251 ErrorAbort(state, kLibfecFailure, "fec_open \"%s\" failed: %s", block_device_path.c_str(),
2252 strerror(errno));
2253 return StringValue("");
2254 }
2255
2256 if (!fh.has_ecc() || !fh.has_verity()) {
2257 ErrorAbort(state, kLibfecFailure, "unable to use metadata to correct errors");
2258 return StringValue("");
2259 }
2260
2261 fec_status status;
2262 if (!fh.get_status(status)) {
2263 ErrorAbort(state, kLibfecFailure, "failed to read FEC status");
2264 return StringValue("");
2265 }
2266
2267 uint8_t buffer[BLOCKSIZE];
2268 for (const auto& [begin, end] : rs) {
2269 for (size_t j = begin; j < end; ++j) {
2270 // Stay within the data area, libfec validates and corrects metadata
2271 if (status.data_size <= static_cast<uint64_t>(j) * BLOCKSIZE) {
2272 continue;
2273 }
2274
2275 if (fh.pread(buffer, BLOCKSIZE, static_cast<off64_t>(j) * BLOCKSIZE) != BLOCKSIZE) {
2276 ErrorAbort(state, kLibfecFailure, "failed to recover %s (block %zu): %s",
2277 block_device_path.c_str(), j, strerror(errno));
2278 return StringValue("");
2279 }
2280
2281 // If we want to be able to recover from a situation where rewriting a corrected
2282 // block doesn't guarantee the same data will be returned when re-read later, we
2283 // can save a copy of corrected blocks to /cache. Note:
2284 //
2285 // 1. Maximum space required from /cache is the same as the maximum number of
2286 // corrupted blocks we can correct. For RS(255, 253) and a 2 GiB partition,
2287 // this would be ~16 MiB, for example.
2288 //
2289 // 2. To find out if this block was corrupted, call fec_get_status after each
2290 // read and check if the errors field value has increased.
2291 }
2292 }
2293 LOG(INFO) << "..." << block_device_path << " image recovered successfully.";
2294 return StringValue("t");
2295 }
2296
RegisterBlockImageFunctions()2297 void RegisterBlockImageFunctions() {
2298 RegisterFunction("block_image_verify", BlockImageVerifyFn);
2299 RegisterFunction("block_image_update", BlockImageUpdateFn);
2300 RegisterFunction("block_image_recover", BlockImageRecoverFn);
2301 RegisterFunction("check_first_block", CheckFirstBlockFn);
2302 RegisterFunction("range_sha1", RangeSha1Fn);
2303 }
2304