int applypatch(const char* source_filename, const char* target_filename, const char* target_sha1_str, size_t target_size, int num_patches, char** const patch_sha1_str, Value** patch_data) { printf("\napplying patch to %s\n", source_filename); if (target_filename[0] == '-' && target_filename[1] == '\0') { target_filename = source_filename; } uint8_t target_sha1[SHA_DIGEST_SIZE]; if (ParseSha1(target_sha1_str, target_sha1) != 0) { printf("failed to parse tgt-sha1 \"%s\"\n", target_sha1_str); return 1; } FileContents copy_file; FileContents source_file; const Value* source_patch_value = NULL; const Value* copy_patch_value = NULL; int made_copy = 0; // We try to load the target file into the source_file object. if (LoadFileContents(target_filename, &source_file, RETOUCH_DO_MASK) == 0) { if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) { // The early-exit case: the patch was already applied, this file // has the desired hash, nothing for us to do. printf("\"%s\" is already target; no patch needed\n", target_filename); return 0; } } if (source_file.data == NULL || (target_filename != source_filename && strcmp(target_filename, source_filename) != 0)) { // Need to load the source file: either we failed to load the // target file, or we did but it's different from the source file. free(source_file.data); LoadFileContents(source_filename, &source_file, RETOUCH_DO_MASK); } if (source_file.data != NULL) { int to_use = FindMatchingPatch(source_file.sha1, patch_sha1_str, num_patches); if (to_use >= 0) { source_patch_value = patch_data[to_use]; } } if (source_patch_value == NULL) { free(source_file.data); printf("source file is bad; trying copy\n"); if (LoadFileContents(CACHE_TEMP_SOURCE, ©_file, RETOUCH_DO_MASK) < 0) { // fail. printf("failed to read copy file\n"); return 1; } int to_use = FindMatchingPatch(copy_file.sha1, patch_sha1_str, num_patches); if (to_use >= 0) { copy_patch_value = patch_data[to_use]; } if (copy_patch_value == NULL) { // fail. printf("copy file doesn't match source SHA-1s either\n"); return 1; } } int retry = 1; SHA_CTX ctx; int output; MemorySinkInfo msi; FileContents* source_to_use; char* outname; // assume that target_filename (eg "/system/app/Foo.apk") is located // on the same filesystem as its top-level directory ("/system"). // We need something that exists for calling statfs(). char target_fs[strlen(target_filename)+1]; char* slash = strchr(target_filename+1, '/'); if (slash != NULL) { int count = slash - target_filename; strncpy(target_fs, target_filename, count); target_fs[count] = '\0'; } else { strcpy(target_fs, target_filename); } do { // Is there enough room in the target filesystem to hold the patched // file? if (strncmp(target_filename, "EMMC:", 5) == 0) { // If the target is a partition, we're actually going to // write the output to /tmp and then copy it to the // partition. statfs() always returns 0 blocks free for // /tmp, so instead we'll just assume that /tmp has enough // space to hold the file. // We still write the original source to cache, in case // the partition write is interrupted. if (MakeFreeSpaceOnCache(source_file.size) < 0) { printf("not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { printf("failed to back up source file\n"); return 1; } made_copy = 1; retry = 0; } else { int enough_space = 0; if (retry > 0) { size_t free_space = FreeSpaceForFile(target_fs); enough_space = (free_space > (256 << 10)) && // 256k (two-block) minimum (free_space > (target_size * 3 / 2)); // 50% margin of error printf("target %ld bytes; free space %ld bytes; retry %d; enough %d\n", (long)target_size, (long)free_space, retry, enough_space); } if (!enough_space) { retry = 0; } if (!enough_space && source_patch_value != NULL) { // Using the original source, but not enough free space. First // copy the source file to cache, then delete it from the original // location. if (strncmp(source_filename, "EMMC:", 5) == 0) { // It's impossible to free space on the target filesystem by // deleting the source if the source is a partition. If // we're ever in a state where we need to do this, fail. printf("not enough free space for target but source " "is partition\n"); return 1; } if (MakeFreeSpaceOnCache(source_file.size) < 0) { printf("not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { printf("failed to back up source file\n"); return 1; } made_copy = 1; unlink(source_filename); size_t free_space = FreeSpaceForFile(target_fs); printf("(now %ld bytes free for target)\n", (long)free_space); } } const Value* patch; if (source_patch_value != NULL) { source_to_use = &source_file; patch = source_patch_value; } else { source_to_use = ©_file; patch = copy_patch_value; } if (patch->type != VAL_BLOB) { printf("patch is not a blob\n"); return 1; } SinkFn sink = NULL; void* token = NULL; output = -1; outname = NULL; if (strncmp(target_filename, "EMMC:", 5) == 0) { // We store the decoded output in memory. msi.buffer = malloc(target_size); if (msi.buffer == NULL) { printf("failed to alloc %ld bytes for output\n", (long)target_size); return 1; } msi.pos = 0; msi.size = target_size; sink = MemorySink; token = &msi; } else { // We write the decoded output to "<tgt-file>.patch". outname = (char*)malloc(strlen(target_filename) + 10); strcpy(outname, target_filename); strcat(outname, ".patch"); output = open(outname, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR); if (output < 0) { printf("failed to open output file %s: %s\n", outname, strerror(errno)); return 1; } sink = FileSink; token = &output; } char* header = patch->data; ssize_t header_bytes_read = patch->size; SHA_init(&ctx); int result; if (header_bytes_read >= 8 && memcmp(header, "BSDIFF40", 8) == 0) { result = ApplyBSDiffPatch(source_to_use->data, source_to_use->size, patch, 0, sink, token, &ctx); } else if (header_bytes_read >= 8 && memcmp(header, "IMGDIFF2", 8) == 0) { result = ApplyImagePatch(source_to_use->data, source_to_use->size, patch, sink, token, &ctx); } else { printf("Unknown patch file format\n"); return 1; } if (output >= 0) { fsync(output); close(output); } if (result != 0) { if (retry == 0) { printf("applying patch failed\n"); return result != 0; } else { printf("applying patch failed; retrying\n"); } if (outname != NULL) { unlink(outname); } } else { // succeeded; no need to retry break; } } while (retry-- > 0); const uint8_t* current_target_sha1 = SHA_final(&ctx); if (memcmp(current_target_sha1, target_sha1, SHA_DIGEST_SIZE) != 0) { printf("patch did not produce expected sha1\n"); return 1; } if (output < 0) { // Copy the temp file to the partition. if (WriteToPartition(msi.buffer, msi.pos, target_filename) != 0) { printf("write of patched data to %s failed\n", target_filename); return 1; } free(msi.buffer); } else { // Give the .patch file the same owner, group, and mode of the // original source file. if (chmod(outname, source_to_use->st.st_mode) != 0) { printf("chmod of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } if (chown(outname, source_to_use->st.st_uid, source_to_use->st.st_gid) != 0) { printf("chown of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } // Finally, rename the .patch file to replace the target file. if (rename(outname, target_filename) != 0) { printf("rename of .patch to \"%s\" failed: %s\n", target_filename, strerror(errno)); return 1; } } // If this run of applypatch created the copy, and we're here, we // can delete it. if (made_copy) unlink(CACHE_TEMP_SOURCE); // Success! return 0; }
int applypatch(int argc, char** argv) { if (argc < 2) { return 2; } if (strncmp(argv[1], "-l", 3) == 0) { return ShowLicenses(); } if (strncmp(argv[1], "-c", 3) == 0) { return CheckMode(argc, argv); } if (strncmp(argv[1], "-s", 3) == 0) { if (argc != 3) { return 2; } size_t bytes = strtol(argv[2], NULL, 10); if (MakeFreeSpaceOnCache(bytes) < 0) { printf("unable to make %ld bytes available on /cache\n", (long)bytes); return 1; } else { return 0; } } uint8_t target_sha1[SHA_DIGEST_SIZE]; const char* source_filename = argv[1]; const char* target_filename = argv[2]; if (target_filename[0] == '-' && target_filename[1] == '\0') { target_filename = source_filename; } if (ParseSha1(argv[3], target_sha1) != 0) { fprintf(stderr, "failed to parse tgt-sha1 \"%s\"\n", argv[3]); return 1; } unsigned long target_size = strtoul(argv[4], NULL, 0); int num_patches; Patch* patches; if (ParseShaArgs(argc-5, argv+5, &patches, &num_patches) < 0) { return 1; } FileContents copy_file; FileContents source_file; const char* source_patch_filename = NULL; const char* copy_patch_filename = NULL; int made_copy = 0; // We try to load the target file into the source_file object. if (LoadFileContents(target_filename, &source_file) == 0) { if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) { // The early-exit case: the patch was already applied, this file // has the desired hash, nothing for us to do. fprintf(stderr, "\"%s\" is already target; no patch needed\n", target_filename); return 0; } } if (source_file.data == NULL || (target_filename != source_filename && strcmp(target_filename, source_filename) != 0)) { // Need to load the source file: either we failed to load the // target file, or we did but it's different from the source file. free(source_file.data); LoadFileContents(source_filename, &source_file); } if (source_file.data != NULL) { const Patch* to_use = FindMatchingPatch(source_file.sha1, patches, num_patches); if (to_use != NULL) { source_patch_filename = to_use->patch_filename; } } if (source_patch_filename == NULL) { free(source_file.data); fprintf(stderr, "source file is bad; trying copy\n"); if (LoadFileContents(CACHE_TEMP_SOURCE, ©_file) < 0) { // fail. fprintf(stderr, "failed to read copy file\n"); return 1; } const Patch* to_use = FindMatchingPatch(copy_file.sha1, patches, num_patches); if (to_use != NULL) { copy_patch_filename = to_use->patch_filename; } if (copy_patch_filename == NULL) { // fail. fprintf(stderr, "copy file doesn't match source SHA-1s either\n"); return 1; } } // Is there enough room in the target filesystem to hold the patched // file? if (strncmp(target_filename, "MTD:", 4) == 0) { // If the target is an MTD partition, we're actually going to // write the output to /tmp and then copy it to the partition. // statfs() always returns 0 blocks free for /tmp, so instead // we'll just assume that /tmp has enough space to hold the file. // We still write the original source to cache, in case the MTD // write is interrupted. if (MakeFreeSpaceOnCache(source_file.size) < 0) { fprintf(stderr, "not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { fprintf(stderr, "failed to back up source file\n"); return 1; } made_copy = 1; } else { // assume that target_filename (eg "/system/app/Foo.apk") is located // on the same filesystem as its top-level directory ("/system"). // We need something that exists for calling statfs(). char* target_fs = strdup(target_filename); char* slash = strchr(target_fs+1, '/'); if (slash != NULL) { *slash = '\0'; } size_t free_space = FreeSpaceForFile(target_fs); int enough_space = free_space > (target_size * 3 / 2); // 50% margin of error printf("target %ld bytes; free space %ld bytes; enough %d\n", (long)target_size, (long)free_space, enough_space); if (!enough_space && source_patch_filename != NULL) { // Using the original source, but not enough free space. First // copy the source file to cache, then delete it from the original // location. if (strncmp(source_filename, "MTD:", 4) == 0) { // It's impossible to free space on the target filesystem by // deleting the source if the source is an MTD partition. If // we're ever in a state where we need to do this, fail. fprintf(stderr, "not enough free space for target but source is MTD\n"); return 1; } if (MakeFreeSpaceOnCache(source_file.size) < 0) { fprintf(stderr, "not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { fprintf(stderr, "failed to back up source file\n"); return 1; } made_copy = 1; unlink(source_filename); size_t free_space = FreeSpaceForFile(target_fs); printf("(now %ld bytes free for target)\n", (long)free_space); } } FileContents* source_to_use; const char* patch_filename; if (source_patch_filename != NULL) { source_to_use = &source_file; patch_filename = source_patch_filename; } else { source_to_use = ©_file; patch_filename = copy_patch_filename; } char* outname = NULL; FILE* output = NULL; MemorySinkInfo msi; SinkFn sink = NULL; void* token = NULL; if (strncmp(target_filename, "MTD:", 4) == 0) { // We store the decoded output in memory. msi.buffer = malloc(target_size); if (msi.buffer == NULL) { fprintf(stderr, "failed to alloc %ld bytes for output\n", (long)target_size); return 1; } msi.pos = 0; msi.size = target_size; sink = MemorySink; token = &msi; } else { // We write the decoded output to "<tgt-file>.patch". outname = (char*)malloc(strlen(target_filename) + 10); strcpy(outname, target_filename); strcat(outname, ".patch"); output = fopen(outname, "wb"); if (output == NULL) { fprintf(stderr, "failed to open output file %s: %s\n", outname, strerror(errno)); return 1; } sink = FileSink; token = output; } #define MAX_HEADER_LENGTH 8 unsigned char header[MAX_HEADER_LENGTH]; FILE* patchf = fopen(patch_filename, "rb"); if (patchf == NULL) { fprintf(stderr, "failed to open patch file %s: %s\n", patch_filename, strerror(errno)); return 1; } int header_bytes_read = fread(header, 1, MAX_HEADER_LENGTH, patchf); fclose(patchf); SHA_CTX ctx; SHA_init(&ctx); if (header_bytes_read >= 4 && header[0] == 0xd6 && header[1] == 0xc3 && header[2] == 0xc4 && header[3] == 0) { // xdelta3 patches begin "VCD" (with the high bits set) followed // by a zero byte (the version number). fprintf(stderr, "error: xdelta3 patches no longer supported\n"); return 1; } else if (header_bytes_read >= 8 && memcmp(header, "BSDIFF40", 8) == 0) { int result = ApplyBSDiffPatch(source_to_use->data, source_to_use->size, patch_filename, 0, sink, token, &ctx); if (result != 0) { fprintf(stderr, "ApplyBSDiffPatch failed\n"); return result; } } else if (header_bytes_read >= 8 && memcmp(header, "IMGDIFF", 7) == 0 && (header[7] == '1' || header[7] == '2')) { int result = ApplyImagePatch(source_to_use->data, source_to_use->size, patch_filename, sink, token, &ctx); if (result != 0) { fprintf(stderr, "ApplyImagePatch failed\n"); return result; } } else { fprintf(stderr, "Unknown patch file format\n"); return 1; } if (output != NULL) { fflush(output); fsync(fileno(output)); fclose(output); } const uint8_t* current_target_sha1 = SHA_final(&ctx); if (memcmp(current_target_sha1, target_sha1, SHA_DIGEST_SIZE) != 0) { fprintf(stderr, "patch did not produce expected sha1\n"); return 1; } if (output == NULL) { // Copy the temp file to the MTD partition. if (WriteToMTDPartition(msi.buffer, msi.pos, target_filename) != 0) { fprintf(stderr, "write of patched data to %s failed\n", target_filename); return 1; } free(msi.buffer); } else { // Give the .patch file the same owner, group, and mode of the // original source file. if (chmod(outname, source_to_use->st.st_mode) != 0) { fprintf(stderr, "chmod of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } if (chown(outname, source_to_use->st.st_uid, source_to_use->st.st_gid) != 0) { fprintf(stderr, "chown of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } // Finally, rename the .patch file to replace the target file. if (rename(outname, target_filename) != 0) { fprintf(stderr, "rename of .patch to \"%s\" failed: %s\n", target_filename, strerror(errno)); return 1; } } // If this run of applypatch created the copy, and we're here, we // can delete it. if (made_copy) unlink(CACHE_TEMP_SOURCE); // Success! return 0; }
/* * Apply the patch given in 'patch_filename' to the source data given * by (old_data, old_size). Write the patched output to the 'output' * file, and update the SHA context with the output data as well. * Return 0 on success. */ int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size, const char* patch_filename, SinkFn sink, void* token, SHA_CTX* ctx) { FILE* f; if ((f = fopen(patch_filename, "rb")) == NULL) { printf("failed to open patch file\n"); return -1; } unsigned char header[12]; if (fread(header, 1, 12, f) != 12) { printf("failed to read patch file header\n"); return -1; } // IMGDIFF1 uses CHUNK_NORMAL and CHUNK_GZIP. // IMGDIFF2 uses CHUNK_NORMAL, CHUNK_DEFLATE, and CHUNK_RAW. if (memcmp(header, "IMGDIFF", 7) != 0 || (header[7] != '1' && header[7] != '2')) { printf("corrupt patch file header (magic number)\n"); return -1; } int num_chunks = Read4(header+8); int i; for (i = 0; i < num_chunks; ++i) { // each chunk's header record starts with 4 bytes. unsigned char chunk[4]; if (fread(chunk, 1, 4, f) != 4) { printf("failed to read chunk %d record\n", i); return -1; } int type = Read4(chunk); if (type == CHUNK_NORMAL) { unsigned char normal_header[24]; if (fread(normal_header, 1, 24, f) != 24) { printf("failed to read chunk %d normal header data\n", i); return -1; } size_t src_start = Read8(normal_header); size_t src_len = Read8(normal_header+8); size_t patch_offset = Read8(normal_header+16); printf("CHUNK %d: normal patch offset %d\n", i, patch_offset); ApplyBSDiffPatch(old_data + src_start, src_len, patch_filename, patch_offset, sink, token, ctx); } else if (type == CHUNK_GZIP) { // This branch is basically a duplicate of the CHUNK_DEFLATE // branch, with a bit of extra processing for the gzip header // and footer. I've avoided factoring the common code out since // this branch will just be deleted when we drop support for // IMGDIFF1. // gzip chunks have an additional 64 + gzip_header_len + 8 bytes // in their chunk header. unsigned char* gzip = malloc(64); if (fread(gzip, 1, 64, f) != 64) { printf("failed to read chunk %d initial gzip header data\n", i); return -1; } size_t gzip_header_len = Read4(gzip+60); gzip = realloc(gzip, 64 + gzip_header_len + 8); if (fread(gzip+64, 1, gzip_header_len+8, f) != gzip_header_len+8) { printf("failed to read chunk %d remaining gzip header data\n", i); return -1; } size_t src_start = Read8(gzip); size_t src_len = Read8(gzip+8); size_t patch_offset = Read8(gzip+16); size_t expanded_len = Read8(gzip+24); size_t target_len = Read8(gzip+32); int gz_level = Read4(gzip+40); int gz_method = Read4(gzip+44); int gz_windowBits = Read4(gzip+48); int gz_memLevel = Read4(gzip+52); int gz_strategy = Read4(gzip+56); printf("CHUNK %d: gzip patch offset %d\n", i, patch_offset); // Decompress the source data; the chunk header tells us exactly // how big we expect it to be when decompressed. unsigned char* expanded_source = malloc(expanded_len); if (expanded_source == NULL) { printf("failed to allocate %d bytes for expanded_source\n", expanded_len); return -1; } z_stream strm; strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = src_len - (gzip_header_len + 8); strm.next_in = (unsigned char*)(old_data + src_start + gzip_header_len); strm.avail_out = expanded_len; strm.next_out = expanded_source; int ret; ret = inflateInit2(&strm, -15); if (ret != Z_OK) { printf("failed to init source inflation: %d\n", ret); return -1; } // Because we've provided enough room to accommodate the output // data, we expect one call to inflate() to suffice. ret = inflate(&strm, Z_SYNC_FLUSH); if (ret != Z_STREAM_END) { printf("source inflation returned %d\n", ret); return -1; } // We should have filled the output buffer exactly. if (strm.avail_out != 0) { printf("source inflation short by %d bytes\n", strm.avail_out); return -1; } inflateEnd(&strm); // Next, apply the bsdiff patch (in memory) to the uncompressed // data. unsigned char* uncompressed_target_data; ssize_t uncompressed_target_size; if (ApplyBSDiffPatchMem(expanded_source, expanded_len, patch_filename, patch_offset, &uncompressed_target_data, &uncompressed_target_size) != 0) { return -1; } // Now compress the target data and append it to the output. // start with the gzip header. sink(gzip+64, gzip_header_len, token); SHA_update(ctx, gzip+64, gzip_header_len); // we're done with the expanded_source data buffer, so we'll // reuse that memory to receive the output of deflate. unsigned char* temp_data = expanded_source; ssize_t temp_size = expanded_len; if (temp_size < 32768) { // ... unless the buffer is too small, in which case we'll // allocate a fresh one. free(temp_data); temp_data = malloc(32768); temp_size = 32768; } // now the deflate stream strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = uncompressed_target_size; strm.next_in = uncompressed_target_data; ret = deflateInit2(&strm, gz_level, gz_method, gz_windowBits, gz_memLevel, gz_strategy); do { strm.avail_out = temp_size; strm.next_out = temp_data; ret = deflate(&strm, Z_FINISH); size_t have = temp_size - strm.avail_out; if (sink(temp_data, have, token) != have) { printf("failed to write %d compressed bytes to output\n", have); return -1; } SHA_update(ctx, temp_data, have); } while (ret != Z_STREAM_END); deflateEnd(&strm); // lastly, the gzip footer. sink(gzip+64+gzip_header_len, 8, token); SHA_update(ctx, gzip+64+gzip_header_len, 8); free(temp_data); free(uncompressed_target_data); free(gzip); } else if (type == CHUNK_RAW) { unsigned char raw_header[4]; if (fread(raw_header, 1, 4, f) != 4) { printf("failed to read chunk %d raw header data\n", i); return -1; } size_t data_len = Read4(raw_header); printf("CHUNK %d: raw data %d\n", i, data_len); unsigned char* temp = malloc(data_len); if (fread(temp, 1, data_len, f) != data_len) { printf("failed to read chunk %d raw data\n", i); return -1; } SHA_update(ctx, temp, data_len); if (sink(temp, data_len, token) != data_len) { printf("failed to write chunk %d raw data\n", i); return -1; } } else if (type == CHUNK_DEFLATE) { // deflate chunks have an additional 60 bytes in their chunk header. unsigned char deflate_header[60]; if (fread(deflate_header, 1, 60, f) != 60) { printf("failed to read chunk %d deflate header data\n", i); return -1; } size_t src_start = Read8(deflate_header); size_t src_len = Read8(deflate_header+8); size_t patch_offset = Read8(deflate_header+16); size_t expanded_len = Read8(deflate_header+24); size_t target_len = Read8(deflate_header+32); int level = Read4(deflate_header+40); int method = Read4(deflate_header+44); int windowBits = Read4(deflate_header+48); int memLevel = Read4(deflate_header+52); int strategy = Read4(deflate_header+56); printf("CHUNK %d: deflate patch offset %d\n", i, patch_offset); // Decompress the source data; the chunk header tells us exactly // how big we expect it to be when decompressed. unsigned char* expanded_source = malloc(expanded_len); if (expanded_source == NULL) { printf("failed to allocate %d bytes for expanded_source\n", expanded_len); return -1; } z_stream strm; strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = src_len; strm.next_in = (unsigned char*)(old_data + src_start); strm.avail_out = expanded_len; strm.next_out = expanded_source; int ret; ret = inflateInit2(&strm, -15); if (ret != Z_OK) { printf("failed to init source inflation: %d\n", ret); return -1; } // Because we've provided enough room to accommodate the output // data, we expect one call to inflate() to suffice. ret = inflate(&strm, Z_SYNC_FLUSH); if (ret != Z_STREAM_END) { printf("source inflation returned %d\n", ret); return -1; } // We should have filled the output buffer exactly. if (strm.avail_out != 0) { printf("source inflation short by %d bytes\n", strm.avail_out); return -1; } inflateEnd(&strm); // Next, apply the bsdiff patch (in memory) to the uncompressed // data. unsigned char* uncompressed_target_data; ssize_t uncompressed_target_size; if (ApplyBSDiffPatchMem(expanded_source, expanded_len, patch_filename, patch_offset, &uncompressed_target_data, &uncompressed_target_size) != 0) { return -1; } // Now compress the target data and append it to the output. // we're done with the expanded_source data buffer, so we'll // reuse that memory to receive the output of deflate. unsigned char* temp_data = expanded_source; ssize_t temp_size = expanded_len; if (temp_size < 32768) { // ... unless the buffer is too small, in which case we'll // allocate a fresh one. free(temp_data); temp_data = malloc(32768); temp_size = 32768; } // now the deflate stream strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = uncompressed_target_size; strm.next_in = uncompressed_target_data; ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy); do { strm.avail_out = temp_size; strm.next_out = temp_data; ret = deflate(&strm, Z_FINISH); size_t have = temp_size - strm.avail_out; if (sink(temp_data, have, token) != have) { printf("failed to write %d compressed bytes to output\n", have); return -1; } SHA_update(ctx, temp_data, have); } while (ret != Z_STREAM_END); deflateEnd(&strm); free(temp_data); free(uncompressed_target_data); } else { printf("patch chunk %d is unknown type %d\n", i, type); return -1; } } return 0; }
/* * Apply the patch given in 'patch_filename' to the source data given * by (old_data, old_size). Write the patched output to the 'output' * file, and update the SHA context with the output data as well. * Return 0 on success. */ int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size, const Value* patch, SinkFn sink, void* token, SHA_CTX* ctx, const Value* bonus_data) { ssize_t pos = 12; char* header = patch->data; if (patch->size < 12) { printf("patch too short to contain header\n"); return -1; } // IMGDIFF2 uses CHUNK_NORMAL, CHUNK_DEFLATE, and CHUNK_RAW. // (IMGDIFF1, which is no longer supported, used CHUNK_NORMAL and // CHUNK_GZIP.) if (memcmp(header, "IMGDIFF2", 8) != 0) { printf("corrupt patch file header (magic number)\n"); return -1; } int num_chunks = Read4(header+8); int i; for (i = 0; i < num_chunks; ++i) { // each chunk's header record starts with 4 bytes. if (pos + 4 > patch->size) { printf("failed to read chunk %d record\n", i); return -1; } int type = Read4(patch->data + pos); pos += 4; if (type == CHUNK_NORMAL) { char* normal_header = patch->data + pos; pos += 24; if (pos > patch->size) { printf("failed to read chunk %d normal header data\n", i); return -1; } size_t src_start = Read8(normal_header); size_t src_len = Read8(normal_header+8); size_t patch_offset = Read8(normal_header+16); ApplyBSDiffPatch(old_data + src_start, src_len, patch, patch_offset, sink, token, ctx); } else if (type == CHUNK_RAW) { char* raw_header = patch->data + pos; pos += 4; if (pos > patch->size) { printf("failed to read chunk %d raw header data\n", i); return -1; } ssize_t data_len = Read4(raw_header); if (pos + data_len > patch->size) { printf("failed to read chunk %d raw data\n", i); return -1; } SHA_update(ctx, patch->data + pos, data_len); if (sink((unsigned char*)patch->data + pos, data_len, token) != data_len) { printf("failed to write chunk %d raw data\n", i); return -1; } pos += data_len; } else if (type == CHUNK_DEFLATE) { // deflate chunks have an additional 60 bytes in their chunk header. char* deflate_header = patch->data + pos; pos += 60; if (pos > patch->size) { printf("failed to read chunk %d deflate header data\n", i); return -1; } size_t src_start = Read8(deflate_header); size_t src_len = Read8(deflate_header+8); size_t patch_offset = Read8(deflate_header+16); size_t expanded_len = Read8(deflate_header+24); size_t target_len = Read8(deflate_header+32); int level = Read4(deflate_header+40); int method = Read4(deflate_header+44); int windowBits = Read4(deflate_header+48); int memLevel = Read4(deflate_header+52); int strategy = Read4(deflate_header+56); // Decompress the source data; the chunk header tells us exactly // how big we expect it to be when decompressed. // Note: expanded_len will include the bonus data size if // the patch was constructed with bonus data. The // deflation will come up 'bonus_size' bytes short; these // must be appended from the bonus_data value. size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0; unsigned char* expanded_source = malloc(expanded_len); if (expanded_source == NULL) { printf("failed to allocate %d bytes for expanded_source\n", expanded_len); return -1; } z_stream strm; strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = src_len; strm.next_in = (unsigned char*)(old_data + src_start); strm.avail_out = expanded_len; strm.next_out = expanded_source; int ret; ret = inflateInit2(&strm, -15); if (ret != Z_OK) { printf("failed to init source inflation: %d\n", ret); return -1; } // Because we've provided enough room to accommodate the output // data, we expect one call to inflate() to suffice. ret = inflate(&strm, Z_SYNC_FLUSH); if (ret != Z_STREAM_END) { printf("source inflation returned %d\n", ret); return -1; } // We should have filled the output buffer exactly, except // for the bonus_size. if (strm.avail_out != bonus_size) { printf("source inflation short by %zu bytes\n", strm.avail_out-bonus_size); return -1; } inflateEnd(&strm); if (bonus_size) { memcpy(expanded_source + (expanded_len - bonus_size), bonus_data->data, bonus_size); } // Next, apply the bsdiff patch (in memory) to the uncompressed // data. unsigned char* uncompressed_target_data; ssize_t uncompressed_target_size; if (ApplyBSDiffPatchMem(expanded_source, expanded_len, patch, patch_offset, &uncompressed_target_data, &uncompressed_target_size) != 0) { return -1; } // Now compress the target data and append it to the output. // we're done with the expanded_source data buffer, so we'll // reuse that memory to receive the output of deflate. unsigned char* temp_data = expanded_source; ssize_t temp_size = expanded_len; if (temp_size < 32768) { // ... unless the buffer is too small, in which case we'll // allocate a fresh one. free(temp_data); temp_data = malloc(32768); temp_size = 32768; } // now the deflate stream strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = uncompressed_target_size; strm.next_in = uncompressed_target_data; ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy); do { strm.avail_out = temp_size; strm.next_out = temp_data; ret = deflate(&strm, Z_FINISH); ssize_t have = temp_size - strm.avail_out; if (sink(temp_data, have, token) != have) { printf("failed to write %ld compressed bytes to output\n", (long)have); return -1; } SHA_update(ctx, temp_data, have); } while (ret != Z_STREAM_END); deflateEnd(&strm); free(temp_data); free(uncompressed_target_data); } else { printf("patch chunk %d is unknown type %d\n", i, type); return -1; } } return 0; }
Value* BlockImageUpdateFn(const char* name, State* state, int argc, Expr* argv[]) { Value* blockdev_filename; Value* transfer_list_value; char* transfer_list = NULL; Value* new_data_fn; Value* patch_data_fn; bool success = false; if (ReadValueArgs(state, argv, 4, &blockdev_filename, &transfer_list_value, &new_data_fn, &patch_data_fn) < 0) { return NULL; } if (blockdev_filename->type != VAL_STRING) { ErrorAbort(state, "blockdev_filename argument to %s must be string", name); goto done; } if (transfer_list_value->type != VAL_BLOB) { ErrorAbort(state, "transfer_list argument to %s must be blob", name); goto done; } if (new_data_fn->type != VAL_STRING) { ErrorAbort(state, "new_data_fn argument to %s must be string", name); goto done; } if (patch_data_fn->type != VAL_STRING) { ErrorAbort(state, "patch_data_fn argument to %s must be string", name); goto done; } UpdaterInfo* ui = (UpdaterInfo*)(state->cookie); FILE* cmd_pipe = ui->cmd_pipe; ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip; const ZipEntry* patch_entry = mzFindZipEntry(za, patch_data_fn->data); if (patch_entry == NULL) { ErrorAbort(state, "%s(): no file \"%s\" in package", name, patch_data_fn->data); goto done; } uint8_t* patch_start = ((UpdaterInfo*)(state->cookie))->package_zip_addr + mzGetZipEntryOffset(patch_entry); const ZipEntry* new_entry = mzFindZipEntry(za, new_data_fn->data); if (new_entry == NULL) { ErrorAbort(state, "%s(): no file \"%s\" in package", name, new_data_fn->data); goto done; } // The transfer list is a text file containing commands to // transfer data from one place to another on the target // partition. We parse it and execute the commands in order: // // zero [rangeset] // - fill the indicated blocks with zeros // // new [rangeset] // - fill the blocks with data read from the new_data file // // bsdiff patchstart patchlen [src rangeset] [tgt rangeset] // imgdiff patchstart patchlen [src rangeset] [tgt rangeset] // - read the source blocks, apply a patch, write result to // target blocks. bsdiff or imgdiff specifies the type of // patch. // // move [src rangeset] [tgt rangeset] // - copy data from source blocks to target blocks (no patch // needed; rangesets are the same size) // // erase [rangeset] // - mark the given blocks as empty // // The creator of the transfer list will guarantee that no block // is read (ie, used as the source for a patch or move) after it // has been written. // // Within one command the source and target ranges may overlap so // in general we need to read the entire source into memory before // writing anything to the target blocks. // // All the patch data is concatenated into one patch_data file in // the update package. It must be stored uncompressed because we // memory-map it in directly from the archive. (Since patches are // already compressed, we lose very little by not compressing // their concatenation.) pthread_t new_data_thread; NewThreadInfo nti; nti.za = za; nti.entry = new_entry; nti.rss = NULL; pthread_mutex_init(&nti.mu, NULL); pthread_cond_init(&nti.cv, NULL); pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE); pthread_create(&new_data_thread, &attr, unzip_new_data, &nti); int i, j; char* linesave; char* wordsave; int fd = open(blockdev_filename->data, O_RDWR); if (fd < 0) { ErrorAbort(state, "failed to open %s: %s", blockdev_filename->data, strerror(errno)); goto done; } char* line; char* word; // The data in transfer_list_value is not necessarily // null-terminated, so we need to copy it to a new buffer and add // the null that strtok_r will need. transfer_list = malloc(transfer_list_value->size+1); if (transfer_list == NULL) { fprintf(stderr, "failed to allocate %zd bytes for transfer list\n", transfer_list_value->size+1); exit(1); } memcpy(transfer_list, transfer_list_value->data, transfer_list_value->size); transfer_list[transfer_list_value->size] = '\0'; line = strtok_r(transfer_list, "\n", &linesave); // first line in transfer list is the version number; currently // there's only version 1. if (strcmp(line, "1") != 0) { ErrorAbort(state, "unexpected transfer list version [%s]\n", line); goto done; } // second line in transfer list is the total number of blocks we // expect to write. line = strtok_r(NULL, "\n", &linesave); int total_blocks = strtol(line, NULL, 0); // shouldn't happen, but avoid divide by zero. if (total_blocks == 0) ++total_blocks; int blocks_so_far = 0; uint8_t* buffer = NULL; size_t buffer_alloc = 0; // third and subsequent lines are all individual transfer commands. for (line = strtok_r(NULL, "\n", &linesave); line; line = strtok_r(NULL, "\n", &linesave)) { char* style; style = strtok_r(line, " ", &wordsave); if (strcmp("move", style) == 0) { word = strtok_r(NULL, " ", &wordsave); RangeSet* src = parse_range(word); word = strtok_r(NULL, " ", &wordsave); RangeSet* tgt = parse_range(word); printf(" moving %d blocks\n", src->size); allocate(src->size * BLOCKSIZE, &buffer, &buffer_alloc); size_t p = 0; for (i = 0; i < src->count; ++i) { check_lseek(fd, (off64_t)src->pos[i*2] * BLOCKSIZE, SEEK_SET); size_t sz = (src->pos[i*2+1] - src->pos[i*2]) * BLOCKSIZE; readblock(fd, buffer+p, sz); p += sz; } p = 0; for (i = 0; i < tgt->count; ++i) { check_lseek(fd, (off64_t)tgt->pos[i*2] * BLOCKSIZE, SEEK_SET); size_t sz = (tgt->pos[i*2+1] - tgt->pos[i*2]) * BLOCKSIZE; writeblock(fd, buffer+p, sz); p += sz; } blocks_so_far += tgt->size; fprintf(cmd_pipe, "set_progress %.4f\n", (double)blocks_so_far / total_blocks); fflush(cmd_pipe); free(src); free(tgt); } else if (strcmp("zero", style) == 0 || (DEBUG_ERASE && strcmp("erase", style) == 0)) { word = strtok_r(NULL, " ", &wordsave); RangeSet* tgt = parse_range(word); printf(" zeroing %d blocks\n", tgt->size); allocate(BLOCKSIZE, &buffer, &buffer_alloc); memset(buffer, 0, BLOCKSIZE); for (i = 0; i < tgt->count; ++i) { check_lseek(fd, (off64_t)tgt->pos[i*2] * BLOCKSIZE, SEEK_SET); for (j = tgt->pos[i*2]; j < tgt->pos[i*2+1]; ++j) { writeblock(fd, buffer, BLOCKSIZE); } } if (style[0] == 'z') { // "zero" but not "erase" blocks_so_far += tgt->size; fprintf(cmd_pipe, "set_progress %.4f\n", (double)blocks_so_far / total_blocks); fflush(cmd_pipe); } free(tgt); } else if (strcmp("new", style) == 0) { word = strtok_r(NULL, " ", &wordsave); RangeSet* tgt = parse_range(word); printf(" writing %d blocks of new data\n", tgt->size); RangeSinkState rss; rss.fd = fd; rss.tgt = tgt; rss.p_block = 0; rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE; check_lseek(fd, (off64_t)tgt->pos[0] * BLOCKSIZE, SEEK_SET); pthread_mutex_lock(&nti.mu); nti.rss = &rss; pthread_cond_broadcast(&nti.cv); while (nti.rss) { pthread_cond_wait(&nti.cv, &nti.mu); } pthread_mutex_unlock(&nti.mu); blocks_so_far += tgt->size; fprintf(cmd_pipe, "set_progress %.4f\n", (double)blocks_so_far / total_blocks); fflush(cmd_pipe); free(tgt); } else if (strcmp("bsdiff", style) == 0 || strcmp("imgdiff", style) == 0) { word = strtok_r(NULL, " ", &wordsave); size_t patch_offset = strtoul(word, NULL, 0); word = strtok_r(NULL, " ", &wordsave); size_t patch_len = strtoul(word, NULL, 0); word = strtok_r(NULL, " ", &wordsave); RangeSet* src = parse_range(word); word = strtok_r(NULL, " ", &wordsave); RangeSet* tgt = parse_range(word); printf(" patching %d blocks to %d\n", src->size, tgt->size); // Read the source into memory. allocate(src->size * BLOCKSIZE, &buffer, &buffer_alloc); size_t p = 0; for (i = 0; i < src->count; ++i) { check_lseek(fd, (off64_t)src->pos[i*2] * BLOCKSIZE, SEEK_SET); size_t sz = (src->pos[i*2+1] - src->pos[i*2]) * BLOCKSIZE; readblock(fd, buffer+p, sz); p += sz; } Value patch_value; patch_value.type = VAL_BLOB; patch_value.size = patch_len; patch_value.data = (char*)(patch_start + patch_offset); RangeSinkState rss; rss.fd = fd; rss.tgt = tgt; rss.p_block = 0; rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE; check_lseek(fd, (off64_t)tgt->pos[0] * BLOCKSIZE, SEEK_SET); if (style[0] == 'i') { // imgdiff ApplyImagePatch(buffer, src->size * BLOCKSIZE, &patch_value, &RangeSinkWrite, &rss, NULL, NULL); } else { ApplyBSDiffPatch(buffer, src->size * BLOCKSIZE, &patch_value, 0, &RangeSinkWrite, &rss, NULL); } // We expect the output of the patcher to fill the tgt ranges exactly. if (rss.p_block != tgt->count || rss.p_remain != 0) { fprintf(stderr, "range sink underrun?\n"); } blocks_so_far += tgt->size; fprintf(cmd_pipe, "set_progress %.4f\n", (double)blocks_so_far / total_blocks); fflush(cmd_pipe); free(src); free(tgt); } else if (!DEBUG_ERASE && strcmp("erase", style) == 0) { struct stat st; if (fstat(fd, &st) == 0 && S_ISBLK(st.st_mode)) { word = strtok_r(NULL, " ", &wordsave); RangeSet* tgt = parse_range(word); printf(" erasing %d blocks\n", tgt->size); for (i = 0; i < tgt->count; ++i) { uint64_t range[2]; // offset in bytes range[0] = tgt->pos[i*2] * (uint64_t)BLOCKSIZE; // len in bytes range[1] = (tgt->pos[i*2+1] - tgt->pos[i*2]) * (uint64_t)BLOCKSIZE; if (ioctl(fd, BLKDISCARD, &range) < 0) { printf(" blkdiscard failed: %s\n", strerror(errno)); } } free(tgt); } else { printf(" ignoring erase (not block device)\n"); } } else { fprintf(stderr, "unknown transfer style \"%s\"\n", style); exit(1); } } pthread_join(new_data_thread, NULL); success = true; free(buffer); printf("wrote %d blocks; expected %d\n", blocks_so_far, total_blocks); printf("max alloc needed was %zu\n", buffer_alloc); done: free(transfer_list); FreeValue(blockdev_filename); FreeValue(transfer_list_value); FreeValue(new_data_fn); FreeValue(patch_data_fn); return StringValue(success ? strdup("t") : strdup("")); }
static int GenerateTarget(FileContents* source_file, const Value* source_patch_value, FileContents* copy_file, const Value* copy_patch_value, const char* source_filename, const char* target_filename, const uint8_t target_sha1[SHA_DIGEST_SIZE], size_t target_size, const Value* bonus_data) { int retry = 1; SHA_CTX ctx; int output; MemorySinkInfo msi; FileContents* source_to_use; char* outname; int made_copy = 0; // assume that target_filename (eg "/system/app/Foo.apk") is located // on the same filesystem as its top-level directory ("/system"). // We need something that exists for calling statfs(). char target_fs[strlen(target_filename)+1]; char* slash = strchr(target_filename+1, '/'); if (slash != NULL) { int count = slash - target_filename; strncpy(target_fs, target_filename, count); target_fs[count] = '\0'; } else { strcpy(target_fs, target_filename); } do { // Is there enough room in the target filesystem to hold the patched // file? if (strncmp(target_filename, "MTD:", 4) == 0 || strncmp(target_filename, "EMMC:", 5) == 0) { // If the target is a partition, we're actually going to // write the output to /tmp and then copy it to the // partition. statfs() always returns 0 blocks free for // /tmp, so instead we'll just assume that /tmp has enough // space to hold the file. // We still write the original source to cache, in case // the partition write is interrupted. if (MakeFreeSpaceOnCache(source_file->size) < 0) { printf("not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { printf("failed to back up source file\n"); return 1; } made_copy = 1; retry = 0; } else { int enough_space = 0; if (retry > 0) { size_t free_space = FreeSpaceForFile(target_fs); enough_space = (free_space > (256 << 10)) && // 256k (two-block) minimum (free_space > (target_size * 3 / 2)); // 50% margin of error if (!enough_space) { printf("target %zu bytes; free space %zu bytes; retry %d; enough %d\n", target_size, free_space, retry, enough_space); } } if (!enough_space) { retry = 0; } if (!enough_space && source_patch_value != NULL) { // Using the original source, but not enough free space. First // copy the source file to cache, then delete it from the original // location. if (strncmp(source_filename, "MTD:", 4) == 0 || strncmp(source_filename, "EMMC:", 5) == 0) { // It's impossible to free space on the target filesystem by // deleting the source if the source is a partition. If // we're ever in a state where we need to do this, fail. printf("not enough free space for target but source is partition\n"); return 1; } if (MakeFreeSpaceOnCache(source_file->size) < 0) { printf("not enough free space on /cache\n"); return 1; } if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) { printf("failed to back up source file\n"); return 1; } made_copy = 1; unlink(source_filename); size_t free_space = FreeSpaceForFile(target_fs); printf("(now %zu bytes free for target) ", free_space); } } const Value* patch; if (source_patch_value != NULL) { source_to_use = source_file; patch = source_patch_value; } else { source_to_use = copy_file; patch = copy_patch_value; } if (patch->type != VAL_BLOB) { printf("patch is not a blob\n"); return 1; } SinkFn sink = NULL; void* token = NULL; output = -1; outname = NULL; if (strncmp(target_filename, "MTD:", 4) == 0 || strncmp(target_filename, "EMMC:", 5) == 0) { // We store the decoded output in memory. msi.buffer = reinterpret_cast<unsigned char*>(malloc(target_size)); if (msi.buffer == NULL) { printf("failed to alloc %zu bytes for output\n", target_size); return 1; } msi.pos = 0; msi.size = target_size; sink = MemorySink; token = &msi; } else { // We write the decoded output to "<tgt-file>.patch". outname = reinterpret_cast<char*>(malloc(strlen(target_filename) + 10)); strcpy(outname, target_filename); strcat(outname, ".patch"); output = open(outname, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR); if (output < 0) { printf("failed to open output file %s: %s\n", outname, strerror(errno)); return 1; } sink = FileSink; token = &output; } char* header = patch->data; ssize_t header_bytes_read = patch->size; SHA_init(&ctx); int result; if (header_bytes_read >= 8 && memcmp(header, "BSDIFF40", 8) == 0) { result = ApplyBSDiffPatch(source_to_use->data, source_to_use->size, patch, 0, sink, token, &ctx); } else if (header_bytes_read >= 8 && memcmp(header, "IMGDIFF2", 8) == 0) { result = ApplyImagePatch(source_to_use->data, source_to_use->size, patch, sink, token, &ctx, bonus_data); } else { printf("Unknown patch file format\n"); return 1; } if (output >= 0) { if (fsync(output) != 0) { printf("failed to fsync file \"%s\" (%s)\n", outname, strerror(errno)); result = 1; } if (close(output) != 0) { printf("failed to close file \"%s\" (%s)\n", outname, strerror(errno)); result = 1; } } if (result != 0) { if (retry == 0) { printf("applying patch failed\n"); return result != 0; } else { printf("applying patch failed; retrying\n"); } if (outname != NULL) { unlink(outname); } } else { // succeeded; no need to retry break; } } while (retry-- > 0); const uint8_t* current_target_sha1 = SHA_final(&ctx); if (memcmp(current_target_sha1, target_sha1, SHA_DIGEST_SIZE) != 0) { printf("patch did not produce expected sha1\n"); return 1; } else { printf("now %s\n", short_sha1(target_sha1).c_str()); } if (output < 0) { // Copy the temp file to the partition. if (WriteToPartition(msi.buffer, msi.pos, target_filename) != 0) { printf("write of patched data to %s failed\n", target_filename); return 1; } free(msi.buffer); } else { // Give the .patch file the same owner, group, and mode of the // original source file. if (chmod(outname, source_to_use->st.st_mode) != 0) { printf("chmod of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } if (chown(outname, source_to_use->st.st_uid, source_to_use->st.st_gid) != 0) { printf("chown of \"%s\" failed: %s\n", outname, strerror(errno)); return 1; } // Finally, rename the .patch file to replace the target file. if (rename(outname, target_filename) != 0) { printf("rename of .patch to \"%s\" failed: %s\n", target_filename, strerror(errno)); return 1; } } // If this run of applypatch created the copy, and we're here, we // can delete it. if (made_copy) { unlink(CACHE_TEMP_SOURCE); } // Success! return 0; }