-
Notifications
You must be signed in to change notification settings - Fork 13.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix double-free when connecting to WPA2-Enterprise networks
Fixes: #8082 This patches the callx0 instruction to a nop in eap.o which is part of libwpa2.a. It looks like espressif fixed the Bug in newer SDK versions, so if we update to the latest NONOS-SDK it is most likely not necessary to add/adapt this patch. Also modifies the fix_sdk_libs.sh script as it even changed files if no changes were necessary, for example adding multiple system_func1 exports.
- Loading branch information
Showing
8 changed files
with
40 additions
and
9 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,67 @@ | ||
| #!/bin/bash | ||
| set -e | ||
|
|
||
| export PATH=../../xtensa-lx106-elf/bin:$PATH | ||
| export PATH=../../../xtensa-lx106-elf/bin:$PATH | ||
| VERSION=$(basename ${PWD}) | ||
|
|
||
| addSymbol_system_func1() { | ||
| ADDRESS=$1 | ||
| xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o | ||
| if ! xtensa-lx106-elf-nm user_interface.o | grep -q " T system_func1"; then # Don't add symbol if it already exists | ||
| ADDRESS=$1 | ||
| xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o | ||
| fi | ||
| } | ||
|
|
||
| patchFile() { | ||
| FILE=$1 | ||
| ADDRESS=$2 # DO NOT PASS AS HEX! | ||
| LENGTH=$3 # DO NOT PASS AS HEX! | ||
| EXPECTED=$4 | ||
| REPLACEWITH=$5 | ||
| if [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then | ||
| echo "Patching $1..." | ||
| echo $5 | base64 -d | dd of=eap.o bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc | ||
| elif ! [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$REPLACEWITH" ]]; then | ||
| echo "PATCH FAILED!" | ||
| exit 0 | ||
| fi | ||
| } | ||
|
|
||
| # Remove mem_manager.o from libmain.a to use custom heap implementation, | ||
| # and time.o to fix redefinition of time-related functions: | ||
| xtensa-lx106-elf-ar d libmain.a mem_manager.o | ||
| xtensa-lx106-elf-ar d libmain.a time.o | ||
|
|
||
| # Patch WPA2-Enterprise double-free | ||
| xtensa-lx106-elf-ar x libwpa2.a eap.o | ||
| espcs=$(sha256sum eap.o | awk '{print $1}') | ||
|
|
||
| # Rename `hostname` and `default_hostname` symbols: | ||
| xtensa-lx106-elf-ar x libmain.a eagle_lwip_if.o user_interface.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o | ||
| lwipcs=$(sha256sum eagle_lwip_if.o | awk '{print $1}') | ||
| uics=$(sha256sum user_interface.o | awk '{print $1}') | ||
| xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o | ||
| xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o | ||
|
|
||
| if [[ ${VERSION} == "NONOSDK221" ]]; then | ||
| addSymbol_system_func1 "0x60" | ||
| patchFile "eap.o" "3055" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082 | ||
| elif [[ ${VERSION} == "NONOSDK22x"* ]]; then | ||
| addSymbol_system_func1 "0x54" | ||
| patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082 | ||
| elif [[ ${VERSION} == "NONOSDK3"* ]]; then | ||
| addSymbol_system_func1 "0x60" | ||
| patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082 | ||
| else | ||
| echo "WARN: Unknown address for system_func1() called by system_restart_local()" | ||
| fi | ||
|
|
||
| xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o | ||
| rm -f eagle_lwip_if.o user_interface.o | ||
| if [[ $(sha256sum eap.o | awk '{print $1}') != $eapcs ]]; then | ||
| xtensa-lx106-elf-ar r libwpa2.a eap.o | ||
| fi | ||
| if [[ $(sha256sum user_interface.o | awk '{print $1}') != $uics || $(sha256sum eagle_lwip_if.o | awk '{print $1}') != $lwipcs ]]; then | ||
| xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o | ||
| fi | ||
| rm -f eagle_lwip_if.o user_interface.o eap.o | ||
|
|