Skip to content

Commit

Permalink
Directly use FDT headers for detection
Browse files Browse the repository at this point in the history
  • Loading branch information
@topjohnwu
topjohnwu committed Feb 21, 2019
1 parent da3394f commit 69d10b7
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions native/jni/magiskboot/bootimg.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@ int boot_img::parse_file(const char *image) {
exit(ELF32_RET);
case ELF64:
exit(ELF64_RET);
default:
break;
}
}
LOGE("No boot image magic found!\n");
Expand Down Expand Up @@ -180,28 +182,30 @@ int boot_img::parse_image(uint8_t *head) {

void boot_img::find_dtb() {
for (uint32_t i = 0; i < hdr->kernel_size; ++i) {
if (memcmp(kernel + i, DTB_MAGIC, 4))
auto fdt_hdr = reinterpret_cast<fdt_header *>(kernel + i);
if (fdt32_to_cpu(fdt_hdr->magic) != FDT_MAGIC)
continue;

// Check that fdt_header.totalsize does not overflow kernel image size
uint32_t dt_sz = fdt32_to_cpu(*(uint32_t *)(kernel + i + 4));
if (dt_sz > hdr->kernel_size - i) {
uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
if (totalsize > hdr->kernel_size - i) {
fprintf(stderr, "Invalid DTB detection at 0x%x: size (%u) > remaining (%u)\n",
i, dt_sz, hdr->kernel_size - i);
i, totalsize, hdr->kernel_size - i);
continue;
}

// Check that fdt_header.off_dt_struct does not overflow kernel image size
uint32_t dt_struct_offset = fdt32_to_cpu(*(uint32_t *)(kernel + i + 8));
if (dt_struct_offset > hdr->kernel_size - i) {
uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
if (off_dt_struct > hdr->kernel_size - i) {
fprintf(stderr, "Invalid DTB detection at 0x%x: "
"struct offset (%u) > remaining (%u)\n",
i, dt_struct_offset, hdr->kernel_size - i);
i, off_dt_struct, hdr->kernel_size - i);
continue;
}

// Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE
uint32_t dt_begin_node = fdt32_to_cpu(*(uint32_t *)(kernel + i + dt_struct_offset));
if (dt_begin_node != FDT_BEGIN_NODE) {
auto fdt_node_hdr = reinterpret_cast<fdt_node_header *>(kernel + i + off_dt_struct);
if (fdt32_to_cpu(fdt_node_hdr->tag) != FDT_BEGIN_NODE) {
fprintf(stderr, "Invalid DTB detection at 0x%x: "
"header tag of first node != FDT_BEGIN_NODE\n", i);
continue;
Expand Down

0 comments on commit 69d10b7

Please sign in to comment.