1 /*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <errno.h>
18 #include <sys/stat.h>
19 #include <fcntl.h>
20 #include <stdio.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <strings.h>
24 #include "Retouch.h"
25 #include "applypatch/applypatch.h"
26
27 typedef struct {
28 int32_t mmap_addr;
29 char tag[4]; /* 'P', 'R', 'E', ' ' */
30 } prelink_info_t __attribute__((packed));
31
32 #define false 0
33 #define true 1
34
35 static int32_t offs_prev;
36 static uint32_t cont_prev;
37
init_compression_state(void)38 static void init_compression_state(void) {
39 offs_prev = 0;
40 cont_prev = 0;
41 }
42
43 // For details on the encoding used for relocation lists, please
44 // refer to build/tools/retouch/retouch-prepare.c. The intent is to
45 // save space by removing most of the inherent redundancy.
46
decode_bytes(uint8_t * encoded_bytes,int encoded_size,int32_t * dst_offset,uint32_t * dst_contents)47 static void decode_bytes(uint8_t *encoded_bytes, int encoded_size,
48 int32_t *dst_offset, uint32_t *dst_contents) {
49 if (encoded_size == 2) {
50 *dst_offset = offs_prev + (((encoded_bytes[0]&0x60)>>5)+1)*4;
51
52 // if the original was negative, we need to 1-pad before applying delta
53 int32_t tmp = (((encoded_bytes[0] & 0x0000001f) << 8) |
54 encoded_bytes[1]);
55 if (tmp & 0x1000) tmp = 0xffffe000 | tmp;
56 *dst_contents = cont_prev + tmp;
57 } else if (encoded_size == 3) {
58 *dst_offset = offs_prev + (((encoded_bytes[0]&0x30)>>4)+1)*4;
59
60 // if the original was negative, we need to 1-pad before applying delta
61 int32_t tmp = (((encoded_bytes[0] & 0x0000000f) << 16) |
62 (encoded_bytes[1] << 8) |
63 encoded_bytes[2]);
64 if (tmp & 0x80000) tmp = 0xfff00000 | tmp;
65 *dst_contents = cont_prev + tmp;
66 } else {
67 *dst_offset =
68 (encoded_bytes[0]<<24) |
69 (encoded_bytes[1]<<16) |
70 (encoded_bytes[2]<<8) |
71 encoded_bytes[3];
72 if (*dst_offset == 0x3fffffff) *dst_offset = -1;
73 *dst_contents =
74 (encoded_bytes[4]<<24) |
75 (encoded_bytes[5]<<16) |
76 (encoded_bytes[6]<<8) |
77 encoded_bytes[7];
78 }
79 }
80
decode_in_memory(uint8_t * encoded_bytes,int32_t * offset,uint32_t * contents)81 static uint8_t *decode_in_memory(uint8_t *encoded_bytes,
82 int32_t *offset, uint32_t *contents) {
83 int input_size, charIx;
84 uint8_t input[8];
85
86 input[0] = *(encoded_bytes++);
87 if (input[0] & 0x80)
88 input_size = 2;
89 else if (input[0] & 0x40)
90 input_size = 3;
91 else
92 input_size = 8;
93
94 // we already read one byte..
95 charIx = 1;
96 while (charIx < input_size) {
97 input[charIx++] = *(encoded_bytes++);
98 }
99
100 // depends on the decoder state!
101 decode_bytes(input, input_size, offset, contents);
102
103 offs_prev = *offset;
104 cont_prev = *contents;
105
106 return encoded_bytes;
107 }
108
retouch_mask_data(uint8_t * binary_object,int32_t binary_size,int32_t * desired_offset,int32_t * retouch_offset)109 int retouch_mask_data(uint8_t *binary_object,
110 int32_t binary_size,
111 int32_t *desired_offset,
112 int32_t *retouch_offset) {
113 retouch_info_t *r_info;
114 prelink_info_t *p_info;
115
116 int32_t target_offset = 0;
117 if (desired_offset) target_offset = *desired_offset;
118
119 int32_t p_offs = binary_size-sizeof(prelink_info_t); // prelink_info_t
120 int32_t r_offs = p_offs-sizeof(retouch_info_t); // retouch_info_t
121 int32_t b_offs; // retouch data blob
122
123 // If not retouched, we say it was a match. This might get invoked on
124 // non-retouched binaries, so that's why we need to do this.
125 if (retouch_offset != NULL) *retouch_offset = target_offset;
126 if (r_offs < 0) return (desired_offset == NULL) ?
127 RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED;
128 p_info = (prelink_info_t *)(binary_object+p_offs);
129 r_info = (retouch_info_t *)(binary_object+r_offs);
130 if (strncmp(p_info->tag, "PRE ", 4) ||
131 strncmp(r_info->tag, "RETOUCH ", 8))
132 return (desired_offset == NULL) ?
133 RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED;
134
135 b_offs = r_offs-r_info->blob_size;
136 if (b_offs < 0) {
137 printf("negative binary offset: %d = %d - %d\n",
138 b_offs, r_offs, r_info->blob_size);
139 return RETOUCH_DATA_ERROR;
140 }
141 uint8_t *b_ptr = binary_object+b_offs;
142
143 // Retouched: let's go through the work then.
144 int32_t offset_candidate = target_offset;
145 bool offset_set = false, offset_mismatch = false;
146 init_compression_state();
147 while (b_ptr < (uint8_t *)r_info) {
148 int32_t retouch_entry_offset;
149 uint32_t *retouch_entry;
150 uint32_t retouch_original_value;
151
152 b_ptr = decode_in_memory(b_ptr,
153 &retouch_entry_offset,
154 &retouch_original_value);
155 if (retouch_entry_offset < (-1) ||
156 retouch_entry_offset >= b_offs) {
157 printf("bad retouch_entry_offset: %d", retouch_entry_offset);
158 return RETOUCH_DATA_ERROR;
159 }
160
161 // "-1" means this is the value in prelink_info_t, which also gets
162 // randomized.
163 if (retouch_entry_offset == -1)
164 retouch_entry = (uint32_t *)&(p_info->mmap_addr);
165 else
166 retouch_entry = (uint32_t *)(binary_object+retouch_entry_offset);
167
168 if (desired_offset)
169 *retouch_entry = retouch_original_value + target_offset;
170
171 // Infer the randomization shift, compare to previously inferred.
172 int32_t offset_of_this_entry = (int32_t)(*retouch_entry-
173 retouch_original_value);
174 if (!offset_set) {
175 offset_candidate = offset_of_this_entry;
176 offset_set = true;
177 } else {
178 if (offset_candidate != offset_of_this_entry) {
179 offset_mismatch = true;
180 printf("offset is mismatched: %d, this entry is %d,"
181 " original 0x%x @ 0x%x",
182 offset_candidate, offset_of_this_entry,
183 retouch_original_value, retouch_entry_offset);
184 }
185 }
186 }
187 if (b_ptr > (uint8_t *)r_info) {
188 printf("b_ptr went too far: %p, while r_info is %p",
189 b_ptr, r_info);
190 return RETOUCH_DATA_ERROR;
191 }
192
193 if (offset_mismatch) return RETOUCH_DATA_MISMATCHED;
194 if (retouch_offset != NULL) *retouch_offset = offset_candidate;
195 return RETOUCH_DATA_MATCHED;
196 }
197
198 // On success, _override is set to the offset that was actually applied.
199 // This implies that once we randomize to an offset we stick with it.
200 // This in turn is necessary in order to guarantee recovery after crash.
retouch_one_library(const char * binary_name,const char * binary_sha1,int32_t retouch_offset,int32_t * retouch_offset_override)201 bool retouch_one_library(const char *binary_name,
202 const char *binary_sha1,
203 int32_t retouch_offset,
204 int32_t *retouch_offset_override) {
205 bool success = true;
206 int result;
207
208 FileContents file;
209 file.data = NULL;
210
211 char binary_name_atomic[strlen(binary_name)+10];
212 strcpy(binary_name_atomic, binary_name);
213 strcat(binary_name_atomic, ".atomic");
214
215 // We need a path that exists for calling statfs() later.
216 //
217 // Assume that binary_name (eg "/system/app/Foo.apk") is located
218 // on the same filesystem as its top-level directory ("/system").
219 char target_fs[strlen(binary_name)+1];
220 char* slash = strchr(binary_name+1, '/');
221 if (slash != NULL) {
222 int count = slash - binary_name;
223 strncpy(target_fs, binary_name, count);
224 target_fs[count] = '\0';
225 } else {
226 strcpy(target_fs, binary_name);
227 }
228
229 result = LoadFileContents(binary_name, &file, RETOUCH_DONT_MASK);
230
231 if (result == 0) {
232 // Figure out the *apparent* offset to which this file has been
233 // retouched. If it looks good, we will skip processing (we might
234 // have crashed and during this recovery pass we don't want to
235 // overwrite a valuable saved file in /cache---which would happen
236 // if we blindly retouch everything again). NOTE: This implies
237 // that we might have to override the supplied retouch offset. We
238 // can do the override only once though: everything should match
239 // afterward.
240
241 int32_t inferred_offset;
242 int retouch_probe_result = retouch_mask_data(file.data,
243 file.size,
244 NULL,
245 &inferred_offset);
246
247 if (retouch_probe_result == RETOUCH_DATA_MATCHED) {
248 if ((retouch_offset == inferred_offset) ||
249 ((retouch_offset != 0 && inferred_offset != 0) &&
250 (retouch_offset_override != NULL))) {
251 // This file is OK already and we are allowed to override.
252 // Let's just return the offset override value. It is critical
253 // to skip regardless of override: a broken file might need
254 // recovery down the list and we should not mess up the saved
255 // copy by doing unnecessary retouching.
256 //
257 // NOTE: If retouching was already started with a different
258 // value, we will not be allowed to override. This happens
259 // if on the retouch list there is a patched binary (which is
260 // masked in apply_patch()) before there is a non-patched
261 // binary.
262 if (retouch_offset_override != NULL)
263 *retouch_offset_override = inferred_offset;
264 success = true;
265 goto out;
266 } else {
267 // Retouch to zero (mask the retouching), to make sure that
268 // the SHA-1 check will pass below.
269 int32_t zero = 0;
270 retouch_mask_data(file.data, file.size, &zero, NULL);
271 SHA(file.data, file.size, file.sha1);
272 }
273 }
274
275 if (retouch_probe_result == RETOUCH_DATA_NOTAPPLICABLE) {
276 // In the case of not retouchable, fake it. We do not want
277 // to do the normal processing and overwrite the backup file:
278 // we might be recovering!
279 //
280 // We return a zero override, which tells the caller that we
281 // simply skipped the file.
282 if (retouch_offset_override != NULL)
283 *retouch_offset_override = 0;
284 success = true;
285 goto out;
286 }
287
288 // If we get here, either there was a mismatch in the offset, or
289 // the file has not been processed yet. Continue with normal
290 // processing.
291 }
292
293 if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) {
294 free(file.data);
295 printf("Attempting to recover source from '%s' ...\n",
296 CACHE_TEMP_SOURCE);
297 result = LoadFileContents(CACHE_TEMP_SOURCE, &file, RETOUCH_DO_MASK);
298 if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) {
299 printf(" failed.\n");
300 success = false;
301 goto out;
302 }
303 printf(" succeeded.\n");
304 }
305
306 // Retouch in-memory before worrying about backing up the original.
307 //
308 // Recovery steps will be oblivious to the actual retouch offset used,
309 // so might as well write out the already-retouched copy. Then, in the
310 // usual case, we will just swap the file locally, with no more writes
311 // needed. In the no-free-space case, we will then write the same to the
312 // original location.
313
314 result = retouch_mask_data(file.data, file.size, &retouch_offset, NULL);
315 if (result != RETOUCH_DATA_MATCHED) {
316 success = false;
317 goto out;
318 }
319 if (retouch_offset_override != NULL)
320 *retouch_offset_override = retouch_offset;
321
322 // How much free space do we need?
323 bool enough_space = false;
324 size_t free_space = FreeSpaceForFile(target_fs);
325 // 50% margin when estimating the space needed.
326 enough_space = (free_space > (file.size * 3 / 2));
327
328 // The experts say we have to allow for a retry of the
329 // whole process to avoid filesystem weirdness.
330 int retry = 1;
331 bool made_copy = false;
332 do {
333 // First figure out where to store a copy of the original.
334 // Ideally leave the original itself intact until the
335 // atomic swap. If no room on the same partition, fall back
336 // to the cache partition and remove the original.
337
338 if (!enough_space) {
339 printf("Target is %ldB; free space is %ldB: not enough.\n",
340 (long)file.size, (long)free_space);
341
342 retry = 0;
343 if (MakeFreeSpaceOnCache(file.size) < 0) {
344 printf("Not enough free space on '/cache'.\n");
345 success = false;
346 goto out;
347 }
348 if (SaveFileContents(CACHE_TEMP_SOURCE, file) < 0) {
349 printf("Failed to back up source file.\n");
350 success = false;
351 goto out;
352 }
353 made_copy = true;
354 unlink(binary_name);
355
356 size_t free_space = FreeSpaceForFile(target_fs);
357 printf("(now %ld bytes free for target)\n", (long)free_space);
358 }
359
360 result = SaveFileContents(binary_name_atomic, file);
361 if (result != 0) {
362 // Maybe the filesystem was optimistic: retry.
363 enough_space = false;
364 unlink(binary_name_atomic);
365 printf("Saving the retouched contents failed; retrying.\n");
366 continue;
367 }
368
369 // Succeeded; no need to retry.
370 break;
371 } while (retry-- > 0);
372
373 // Give the .atomic file the same owner, group, and mode of the
374 // original source file.
375 if (chmod(binary_name_atomic, file.st.st_mode) != 0) {
376 printf("chmod of \"%s\" failed: %s\n",
377 binary_name_atomic, strerror(errno));
378 success = false;
379 goto out;
380 }
381 if (chown(binary_name_atomic, file.st.st_uid, file.st.st_gid) != 0) {
382 printf("chown of \"%s\" failed: %s\n",
383 binary_name_atomic,
384 strerror(errno));
385 success = false;
386 goto out;
387 }
388
389 // Finally, rename the .atomic file to replace the target file.
390 if (rename(binary_name_atomic, binary_name) != 0) {
391 printf("rename of .atomic to \"%s\" failed: %s\n",
392 binary_name, strerror(errno));
393 success = false;
394 goto out;
395 }
396
397 // If this run created a copy, and we're here, we can delete it.
398 if (made_copy) unlink(CACHE_TEMP_SOURCE);
399
400 out:
401 // clean up
402 free(file.data);
403 unlink(binary_name_atomic);
404
405 return success;
406 }
407