Skip to content

Fix double-free when connecting to WPA2-Enterprise networks #8529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jun 2, 2022
Merged

Fix double-free when connecting to WPA2-Enterprise networks #8529

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
86a274b
Fix double-free when connecting to WPA2-Enterprise networks
Flole998 Apr 4, 2022
24ec3ce
Apply suggestions from code review
Flole998 Apr 30, 2022
279b21f
Merge branch 'master' into master
d-a-v May 12, 2022
9320596
Merge branch 'master' into master
d-a-v May 12, 2022
1b5023c
Merge branch 'master' into master
d-a-v Jun 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified tools/sdk/lib/NONOSDK221/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK22x_190313/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK22x_190703/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK22x_191024/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK22x_191105/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK22x_191122/libwpa2.a
View file
Open in desktop
Binary file not shown.
Binary file modified tools/sdk/lib/NONOSDK3V0/libwpa2.a
View file
Open in desktop
Binary file not shown.
49 changes: 40 additions & 9 deletions tools/sdk/lib/fix_sdk_libs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,67 @@
#!/bin/bash
set -e

export PATH=../../xtensa-lx106-elf/bin:$PATH
export PATH=../../../xtensa-lx106-elf/bin:$PATH
VERSION=$(basename ${PWD})

addSymbol_system_func1() {
ADDRESS=$1
xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o
if ! xtensa-lx106-elf-nm user_interface.o | grep -q " T system_func1"; then # Don't add symbol if it already exists
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I just noticed that grep -q will always return 0.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if it's not in there yet? That's strange (be aware that it got already added twice or so...)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's what I noticed when I tried some modifications. grep -q appears to be an exception on returning non-zero exit status.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For me it works:

$ echo ThisIsATest | grep -q Test
$ echo ?$
0
$ echo ThisIsATest | grep -q Fail
$ echo $?
1

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I am confused. It wasn't working for me and now it is. I had duplicate entries and the man page says grep -q exits with 0. However, I just tried everything again and it worked.

Sorry, I don't know what happened. Just ignore me, I am going to take a break.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current version as it is in the repo at the moment is having duplicate entries, those should be removed at some point. So maybe that caused the confusion (and that's why I added that check)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, strange. I only picked up the script and tried it and had duplicate entries. As well as other problems from running the script at the wrong directory which creates a libmain.a which creates a lot of grief.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Flole998 what do you mean "duplicate entries in the current version" ?
Is it in master or in this pull request ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In master (and also in this pull request because I didn't remove/fix it as that would be something for another PR I figured)

ADDRESS=$1
xtensa-lx106-elf-objcopy --add-symbol system_func1=.irom0.text:${ADDRESS},function,global user_interface.o
fi
}

patchFile() {
FILE=$1
ADDRESS=$2 # DO NOT PASS AS HEX!
LENGTH=$3 # DO NOT PASS AS HEX!
EXPECTED=$4
REPLACEWITH=$5
if [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then
echo "Patching $1..."
echo $5 | base64 -d | dd of=eap.o bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc
elif ! [[ "$(dd if=eap.o bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$REPLACEWITH" ]]; then
echo "PATCH FAILED!"
exit 0
fi
}

# Remove mem_manager.o from libmain.a to use custom heap implementation,
# and time.o to fix redefinition of time-related functions:
xtensa-lx106-elf-ar d libmain.a mem_manager.o
xtensa-lx106-elf-ar d libmain.a time.o

# Patch WPA2-Enterprise double-free
xtensa-lx106-elf-ar x libwpa2.a eap.o
eapcs=$(sha256sum eap.o | awk '{print $1}')

# Rename `hostname` and `default_hostname` symbols:
xtensa-lx106-elf-ar x libmain.a eagle_lwip_if.o user_interface.o
xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o
xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o
xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o
xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o
lwipcs=$(sha256sum eagle_lwip_if.o | awk '{print $1}')
uics=$(sha256sum user_interface.o | awk '{print $1}')
xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname user_interface.o
xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwip_if.o
xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o
xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o

if [[ ${VERSION} == "NONOSDK221" ]]; then
addSymbol_system_func1 "0x60"
patchFile "eap.o" "3055" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
elif [[ ${VERSION} == "NONOSDK22x"* ]]; then
addSymbol_system_func1 "0x54"
patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
elif [[ ${VERSION} == "NONOSDK3"* ]]; then
addSymbol_system_func1 "0x60"
patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
else
echo "WARN: Unknown address for system_func1() called by system_restart_local()"
fi

xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o
rm -f eagle_lwip_if.o user_interface.o
if [[ $(sha256sum eap.o | awk '{print $1}') != $eapcs ]]; then
xtensa-lx106-elf-ar r libwpa2.a eap.o
fi
if [[ $(sha256sum user_interface.o | awk '{print $1}') != $uics || $(sha256sum eagle_lwip_if.o | awk '{print $1}') != $lwipcs ]]; then
xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o
fi
rm -f eagle_lwip_if.o user_interface.o eap.o