RootTicket verification error #18
Comments
The iOS command is still missing some stuff... Check Auto boot
adding
Yeah, I'm guessing that idevicerestore changed. FYI, I'm using commit dfa05a8c417e785799a0d8ea0f9a58ed89a13085. But I will get the latest upstream and try to fix it.
Using that commit and applying the patch does seem to fix the problem, but I am getting a verification error at RootTicket.
The root_ticket.der passed to the iOS emulator is identical to the ticket passed to idevicerestore. Full log:
root_ticket.der does exist, but it appears to be invalid?
qemu doesn't parse the ticket, it simply sets the
OK, I did something wrong after all
No, there is a bug in QEMU that broke hashing somewhere...
I pushed a patch
Restoring. It fixed the problem. Will not close issue until successful restore
!!!
I cannot seem to restore the device:
idevicerestore commit 38595f0b7dac3d53033f93e9893d9be49996ba95 with patch applied
iOS version: 14.0
VM is Kali Linux rolling (minimal)
root_ticket.der made from ticket.shsh2 in xnu-qemu-arm64-tools
Device appears to enter restore mode successfully
Additionally, the patch does not apply for configure.ac
I ended up adding
AC_SEARCH_LIBS([pthread_create], [pthread])
to configure.ac myself and then removed that hunk of the patch.
Linux boot command:
iOS boot command:
Nick Chan
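A small check for the two questions raised in this thread (is root_ticket.der a well-formed DER ticket at all, and is the copy handed to the emulator byte-identical to the one handed to idevicerestore), added here as an example; it is not code from the issue or from xnu-qemu-arm64-tools. It assumes the .shsh2 file is an XML plist whose ApImg4Ticket entry holds the raw DER ticket as base64 data, and the sample plist below is constructed.

```python
"""Extract the ApImg4Ticket from a .shsh2 plist and sanity-check the DER ticket.

Assumption (not from the issue): a .shsh2 file is an XML plist whose
"ApImg4Ticket" key holds the DER ticket; the ticket's outer element is an
ASN.1 SEQUENCE (tag 0x30). These checks only catch a truncated or non-DER
file and a mismatch between two copies; they do not verify Apple's signature.
"""
import hashlib
import plistlib

# Constructed sample: a 5-byte DER SEQUENCE { INTEGER 5 } stored as base64.
SAMPLE_SHSH2 = (b'<?xml version="1.0" encoding="UTF-8"?>'
                b'<plist version="1.0"><dict><key>ApImg4Ticket</key>'
                b'<data>MAMCAQU=</data></dict></plist>')


def extract_ticket(shsh2_bytes: bytes) -> bytes:
    """Return the DER ticket stored under ApImg4Ticket in an shsh2 plist."""
    ticket = plistlib.loads(shsh2_bytes).get("ApImg4Ticket")
    if not isinstance(ticket, bytes):
        raise ValueError("shsh2 has no ApImg4Ticket data entry")
    return ticket


def der_outer_length(der: bytes) -> int:
    """Parse the outer SEQUENCE header and return the total encoded length.

    Raises ValueError when the tag is not SEQUENCE, the length field is
    malformed, or the declared length disagrees with the buffer size
    (the usual symptom of a truncated or mis-exported root_ticket.der).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("ticket does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                 # short form: length fits in 7 bits
        body_len, hdr = first, 2
    else:                            # long form: low 7 bits = count of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    total = hdr + body_len
    if total != len(der):
        raise ValueError(f"DER length {total} does not match file size {len(der)}")
    return total


def same_ticket(a: bytes, b: bytes) -> bool:
    """Compare two ticket files by SHA-256 digest (what you would log on both sides)."""
    return hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest()
```

Run `der_outer_length(open("root_ticket.der", "rb").read())` on the file given to QEMU and `same_ticket` against the one given to idevicerestore to rule out a bad export before suspecting the emulator.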