Created
January 28, 2018 02:30
__int64 __fastcall binder_handler(android::IPCThreadState *IPCThreadState, unsigned int cmd_, const android::Parcel *data, android::Parcel *reply_, unsigned int flags_) | |
{ | |
// (...) | |
switch ( cmd ) | |
{ | |
case 0u: | |
__android_log_print(4LL, "TLC_SERVER", "OPENSWCONN"); | |
if ( !(unsigned __int8)android::Parcel::checkInterface(parcel_data, (char *)IPCThreadState_ + 16) ) | |
goto LABEL_93; | |
if ( !reply ) | |
goto LABEL_90; | |
if ( *((_DWORD *)IPCThreadState_ + 20) > 0 ) | |
goto LABEL_35; | |
tlc_comm_cxt_ptr = (comm_cxt_t **)malloc(8LL); | |
if ( !tlc_comm_cxt_ptr ) | |
{ | |
__android_log_print(6LL, "TLC_SERVER", "tlc_server_ctx_t malloc failed"); | |
goto LABEL_126; | |
} | |
*tlc_comm_cxt_ptr = 0LL; | |
comm_cxt = create_comm_ctx( // TLC_COMM_TYPE: | |
// 0 - proxy | |
// 1 - direct | |
// | |
// ==> we create direct | |
// | |
// | |
// direct_comm_cxt() | |
// - instantiate directCommImpl with these parameters | |
// - includes root (== device id, switched out to 0) and process (==uuid) | |
// - call tlc_open | |
// - mcOpenDevice(0) and mcOpenSession to uuid, | |
// after it mmaps the TLC buffer, to sendmsglen+recvmsglen length | |
TLC_COMMUNICATION_TYPE_DIRECT, | |
comm_data_root, | |
comm_data_root_strlen, | |
comm_data_process, | |
comm_data_process_strlen, | |
comm_data_max_sendmsg_size, | |
comm_data_max_recvmsg_size); | |
*tlc_comm_cxt_ptr = comm_cxt; | |
if ( !comm_cxt ) | |
{ | |
__android_log_print(6LL, "TLC_SERVER", "Failed to establish secure world communication"); | |
free(tlc_comm_cxt_ptr); | |
goto LABEL_126; | |
} | |
if ( !(unsigned int)strcmp(&service_name, "ESECOMM") ) | |
{ | |
__android_log_print(4LL, "TLC_SERVER", "ESECOMM tlc_server connecting to SPI"); | |
if ( (unsigned __int16)secEseSPI_open() ) | |
{ | |
__android_log_print(6LL, "TLC_SERVER", "*** secEseSPI_open failed : %d ***"); | |
free(tlc_comm_cxt_ptr); | |
LABEL_126: | |
v52 = "Ctx creation failed - TZ app not loaded"; | |
tlc_comm_ctx_ptr_global = 0LL; | |
goto OPEN_HANDLED; | |
} | |
} | |
tlc_comm_ctx_ptr_global = tlc_comm_cxt_ptr; | |
//(...) | |
case 1u: | |
__android_log_print(4LL, "TLC_SERVER", "CLOSESWCONN"); | |
//(...) | |
case 2u: | |
__android_log_print(4LL, "TLC_SERVER", "COMM"); | |
//(...) | |
android::defaultServiceManager(v73); // sp<IServiceManager> sm = defaultServiceManager() | |
//(...) | |
if ( sm ) | |
{ | |
v78 = *(int (__fastcall **)(__int64, int *))(*sm + 32LL); | |
android::String16::String16((android::String16 *)&recv_msg_len, "SEAMService"); | |
v78(v77, &recv_msg_len); // defaultServiceManager->addService() | |
//(...) | |
isAuthorized_fnptr = *(__int64 (__fastcall **)(__int64, _QWORD, signed __int64, int *, _QWORD **))(*sm__ + 32LL); | |
android::String16::String16((android::String16 *)&recv_msg_len, "knox_ccm_policy"); | |
android::String16::String16((android::String16 *)&send_msg_len, "C_SignInit"); | |
v83 = isAuthorized_fnptr(sm__, mCallingPid, 0xFFFFFFFFLL, &recv_msg_len, &send_msg_len); | |
// sm->isAuthorized(mCallingPid, -1, service_name, &sm (?)) | |
// can the calling pid call to the knox_ccm_policy service? | |
//(...) | |
if ( v83 ) | |
{ | |
v84 = "isAuthorized() returns an error!"; | |
} | |
else | |
{ | |
v74 = (*((__int64 (__fastcall **)(comm_cxt_t *))(*tlc_comm_ctx_ptr_global)->vtable_ptr + 8))(*tlc_comm_ctx_ptr_global); | |
// tlc_communicate() | |
//(...) | |
case 3u: | |
__android_log_print(4LL, "TLC_SERVER", "COMM_VIA_ASHMEM"); | |
if ( !(android::Parcel::checkInterface(parcel_data, (char *)IPCThreadState_ + 16) & 1) ) | |
{ | |
v30 = -1; | |
goto LABEL_119; | |
} | |
if ( !v6 ) | |
goto LABEL_72; | |
v43 = 0LL; | |
v44 = (_DWORD *)((char *)IPCThreadState_ + 92); | |
do | |
{ | |
if ( *(v44 - 2) == v13 || *v44 == v13 ) | |
goto LABEL_53; | |
v43 += 2LL; | |
v44 += 4; | |
} | |
while ( v43 < 1024 ); | |
if ( (_DWORD)v43 == 1024 ) | |
goto LABEL_70; | |
LABEL_53: | |
if ( (unsigned int)android::Parcel::readInt32(parcel_data, &msglen.recv_len) ) | |
goto LABEL_105; | |
recvlen = msglen.recv_len; | |
max_recvmsg_len = (*((__int64 (**)(void))(*tlc_comm_ctx_ptr_global)->vtable_ptr + 4))(); | |
// direct_comm_cxt->get_max_recvmsg_size() | |
recvlen_ = msglen.recv_len; | |
max_recvmsg_len_1 = max_recvmsg_len; | |
max_recvmsg_len_2 = (unsigned int)(*((__int64 (__fastcall **)(comm_cxt_t *))(*tlc_comm_ctx_ptr_global)->vtable_ptr | |
+ 4))(*tlc_comm_ctx_ptr_global); | |
// direct_comm_cxt->get_max_recvmsg_size() | |
if ( recvlen > max_recvmsg_len_1 || recvlen_ & 0x80000000 ) //negative check: fix to older bug | |
//this was one of the tlc_server bugs reported by Gal | |
{ | |
v65 = "TLC_SERVER"; | |
v66 = "Invalid recv message length! %d > %d"; | |
} | |
else | |
{ | |
__android_log_print( | |
4LL, | |
"TLC_SERVER", | |
"Recv message length is %d, max length is %d", | |
recvlen_, | |
max_recvmsg_len_2); | |
if ( (unsigned int)android::Parcel::readInt32(parcel_data, (int *)&msglen) ) | |
goto LABEL_105; | |
sendlen_ = msglen.send_len; | |
sendlen_max = (*((__int64 (**)(void))(*tlc_comm_ctx_ptr_global)->vtable_ptr + 3))(); | |
//direct_comm_cxt->get_max_sendmsg_size() | |
recvlen_ = msglen.send_len; | |
v52 = *tlc_comm_ctx_ptr_global; | |
if ( sendlen_ <= sendlen_max && !(msglen.send_len & 0x80000000) ) //negative check: fix to older bug | |
{ | |
sendmsg_buf = (*((__int64 (__fastcall **)(comm_cxt_t *, _QWORD))v52->vtable_ptr + 6))( | |
v52, | |
(unsigned int)msglen.send_len); | |
if ( sendmsg_buf ) | |
{ | |
fd = android::Parcel::readFileDescriptor(parcel_data); | |
mmap_buf = mmap(0LL, msglen.send_len, 3LL, 1LL, fd, 0LL);// MMAP happens to SEND len | |
if ( mmap_buf != -1 ) | |
{ | |
memcpy(sendmsg_buf, mmap_buf, msglen.send_len);// memcpy happens with SEND len | |
v56 = (*((__int64 (**)(void))(*tlc_comm_ctx_ptr_global)->vtable_ptr + 8))(); | |
__android_log_print(4LL, "TLC_SERVER", "comm_request() finished"); | |
if ( v56 ) | |
{ | |
__android_log_print(6LL, "TLC_SERVER", "tlc_communicate failed: ret = 0x%08x", v56); | |
} | |
else | |
{ | |
android::Parcel::writeInt32(v6, msglen.recv_len); | |
recvmsg_buf = (*((__int64 (**)(void))(*tlc_comm_ctx_ptr_global)->vtable_ptr + 7))(); | |
if ( recvmsg_buf ) | |
{ | |
memcpy(mmap_buf, recvmsg_buf, msglen.recv_len); | |
// response memcpy happens with RECV len! | |
// the following condition would cause BOF: | |
// | |
// send_len << recv_len < recv_max_len < send_max_len | |
// | |
// the max send len is 4416 | |
// the max recv len is 4416 | |
v20 = munmap(mmap_buf, msglen.send_len); | |