From 86a274bd4c9cc21b65f910641f96a3eefb1c37db Mon Sep 17 00:00:00 2001
From: Flole
Date: Mon, 4 Apr 2022 19:25:05 +0200
Subject: [PATCH 1/2] Fix double-free when connecting to WPA2-Enterprise networks
Fixes: #8082
This patches the callx0 instruction to a nop in eap.o which is part of libwpa2.a. It looks like espressif fixed the Bug in newer SDK versions, so if we update to the latest NONOS-SDK it is most likely not necessary to add/adapt this patch. Also modifies the fix_sdk_libs.sh script as it even changed files if no changes were necessary, for example adding multiple system_func1 exports.
---
 tools/sdk/lib/NONOSDK221/libwpa2.a | Bin 475218 -> 475218 bytes
 tools/sdk/lib/NONOSDK22x_190313/libwpa2.a | Bin 475222 -> 475222 bytes
 tools/sdk/lib/NONOSDK22x_190703/libwpa2.a | Bin 475222 -> 475222 bytes
 tools/sdk/lib/NONOSDK22x_191024/libwpa2.a | Bin 475222 -> 475222 bytes
 tools/sdk/lib/NONOSDK22x_191105/libwpa2.a | Bin 475222 -> 475222 bytes
 tools/sdk/lib/NONOSDK22x_191122/libwpa2.a | Bin 475222 -> 475222 bytes
 tools/sdk/lib/NONOSDK3V0/libwpa2.a | Bin 475358 -> 475358 bytes
 tools/sdk/lib/fix_sdk_libs.sh | 49 ++++++++++++++++++----
 8 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/tools/sdk/lib/NONOSDK221/libwpa2.a b/tools/sdk/lib/NONOSDK221/libwpa2.a index 1f7aabb6881af8cbac966e4042736747404cebf4..1c91e22130331c6d57bad93c0bcd404107fd0ac7 100644 GIT binary patch delta 83 zcmccAAbY7nc7i0QnTe%=rLlpLaih{!B}T`1F}Q$&f|;SEi6MmCUK!8G!o&1Ip}jtv V5r~<9m>Gy!fS7fAeKyGy!fS7fAb2i)MD*(<28A1R6 delta 60 zcmccCAbYJrc7o(|{+%q`jVfDJ813Vyw{tPcZ*Pic{LjsFfT6uPn-PeafS4JGS%8>z KdviA1Gy!fS7fAb2i)MD*(<48A1R6 delta 60 zcmccCAbYJrc7o(|{+%q`jVfDJ813Vyw{tPcZ*Pic{LjsFfT6uPn-PeafS4JGS%8>z KdviA1fp(B7QQ V2*gZ4%nZaVK+L+mIh*bB6#%;Y84Lgb delta 60 zcmccCAbYJrc7o(|{+%q`jVfDJ813Vyw{tPcZ*Pic{LjsFfT6uPn-PeafS4JGS%8>z KdviA1Gy!fS7fAb2i)MD*({G8BPEI delta 60 zcmccCAbYJrc7o(|{+%q`jVfDJ813Vyw{tPcZ*Pic{LjsFfT6uPn-PeafS4JGS%8>z KdviA1Gy!fS7fAb2i)MD*(^h8A<>E delta 60 zcmccCAbYJrc7o(|{+%q`jVfDJ813Vyw{tPcZ*Pic{LjsFfT6uPn-PeafS4JGS%8>z KdviA1tIF*6Xe05R+K$=Ph)R{`H38BqWL delta 60 zcmccDD0{C_c7o(||A|c8jVfDJ82#g?b91oDZ=V#;_@A5U07LuaY(^kv0%B$$W&vW> L?US?FysrWPm_Zg9 diff --git a/tools/sdk/lib/fix_sdk_libs.sh b/tools/sdk/lib/fix_sdk_libs.sh index b6aea12752..4e9ab3d0cc 100755 --- a/tools/sdk/lib/fix_sdk_libs.sh +++ b/tools/sdk/lib/fix_sdk_libs.sh 
@@ -1,36 +1,67 @@
 #!/bin/bash
 set -e
-export PATH=../../xtensa-lx106-elf/bin:$PATH
+export PATH=../../../xtensa-lx106-elf/bin:$PATH
 VERSION=$(basename ${PWD})
 addSymbol_system_func1() {
- ADDRESS=$1
- xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o
+ if ! xtensa-lx106-elf-nm user_interface.o | grep -q " T system_func1"; then # Don't add symbol if it already exists
+ ADDRESS=$1
+ xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o
+ fi
 }
+patchFile() {
+ FILE=$1
+ ADDRESS=$2 # DO NOT PASS AS HEX!
+ LENGTH=$3 # DO NOT PASS AS HEX!
+ EXPECTED=$4
+ REPLACEWITH=$5
+ if [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then
+ echo "Patching $1..."
+ echo $5 | base64 -d | dd of=eap.o bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc
+ elif ! [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$REPLACEWITH" ]]; then
+ echo "PATCH FAILED!"
+ exit 0
+ fi
+}
 # Remove mem_manager.o from libmain.a to use custom heap implementation,
 # and time.o to fix redefinition of time-related functions:
 xtensa-lx106-elf-ar d libmain.a mem_manager.o
 xtensa-lx106-elf-ar d libmain.a time.o
+# Patch WPA2-Enterprise double-free
+xtensa-lx106-elf-ar x libwpa2.a eap.o
+eapcs=$(sha256sum eap.o | awk '{print $1}')
+
 # Rename `hostname` and `default_hostname` symbols:
 xtensa-lx106-elf-ar x libmain.a eagle_lwip_if.o user_interface.o
-xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o
-xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o
-xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o
-xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o
+lwipcs=$(sha256sum eagle_lwip_if.o | awk '{print $1}')
+uics=$(sha256sum user_interface.o | awk '{print $1}')
+xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o
+xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o
+xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o
+xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o
 if [[ ${VERSION} == "NONOSDK221" ]]; then
 addSymbol_system_func1 "0x60"
+ patchFile "eap.o" "3055" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
 elif [[ ${VERSION} == "NONOSDK22x"* ]]; then
 addSymbol_system_func1 "0x54"
+ patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
 elif [[ ${VERSION} == "NONOSDK3"* ]]; then
 addSymbol_system_func1 "0x60"
+ patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
 else
 echo "WARN: Unknown address for system_func1() called by
system_restart_local()"
 fi
-xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o
-rm -f eagle_lwip_if.o user_interface.o
+if [[ $(sha256sum eap.o | awk '{print $1}') != $eapcs ]]; then
+ xtensa-lx106-elf-ar r libwpa2.a eap.o
+fi
+if [[ $(sha256sum user_interface.o | awk '{print $1}') != $uics || $(sha256sum eagle_lwip_if.o | awk '{print $1}') != $lwipcs ]]; then
+ xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o
+fi
+rm -f eagle_lwip_if.o user_interface.o eap.o
+
From 24ec3ceef0b8631b87375ecb39173bdd212aa945 Mon Sep 17 00:00:00 2001
From: Flole998
Date: Sat, 30 Apr 2022 17:30:31 +0200
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Max Prokhorov
---
 tools/sdk/lib/fix_sdk_libs.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/sdk/lib/fix_sdk_libs.sh b/tools/sdk/lib/fix_sdk_libs.sh
index 4e9ab3d0cc..d2f2acf8ca 100755
--- a/tools/sdk/lib/fix_sdk_libs.sh
+++ b/tools/sdk/lib/fix_sdk_libs.sh
@@ -17,10 +17,10 @@ patchFile() {
 LENGTH=$3 # DO NOT PASS AS HEX!
 EXPECTED=$4
 REPLACEWITH=$5
- if [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then
+ if [[ "$(dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then
 echo "Patching $1..."
- echo $5 | base64 -d | dd of=eap.o bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc
+ echo $5 | base64 -d | dd of=$FILE bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc
+ elif ! [[ "$(dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$REPLACEWITH" ]]; then
 echo "PATCH FAILED!"
 exit 0
 fi
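Review bot: `exit 0` in patchFile's failure branch (the line after `echo "PATCH FAILED!"`) terminates the whole script with a success status, so when the bytes at the offset are neither the expected callx0 nor the already-applied nop, the run aborts before the later `xtensa-lx106-elf-ar r libmain.a …` and `rm -f` lines, leaves the extracted and already-modified user_interface.o and eagle_lwip_if.o outside the archive, and still reports success to whatever invoked it; change it to `echo "PATCH FAILED!" >&2` followed by `exit 1` so the failure is visible. The base64 literals passed to patchFile are opaque to the next reader, and a comment at the first call such as `# "wAA=" = c0 00, first two bytes of callx0 a0; "8CA=" = f0 20, which with the untouched third byte 00 forms the 3-byte nop` would record why a 2-byte window is sufficient (that is how I decode the constants, but confirm against an objdump of eap.o). `dd status=none`, `base64 -w0` and `sha256sum` are GNU coreutils forms, so the header comment should state that the script expects a GNU userland. The same `exit 0` is visible as context in the second patch's hunk below.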
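Review bot: `echo "Patching $1..."` and `echo $5 | base64 -d` still use positional parameters while the changed dd lines now name the target through `$FILE`; for consistency with this commit's intent they should read `echo "Patching $FILE..."` and `printf '%s' "$REPLACEWITH" | base64 -d`, and `if=$FILE` / `of=$FILE` should be quoted as `if="$FILE"` / `of="$FILE"` since that variable now decides which file is overwritten in place. The dd read of the window is repeated in both the `if` and the `elif`; capturing it once, e.g. `current=$(dd if="$FILE" bs=1 count="$LENGTH" skip="$ADDRESS" status=none | base64 -w0)`, before the `if` would avoid reading the file twice and make the two comparisons easier to follow. patchFile's opening line and the remainder of the script lie outside this hunk.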