Fix dex2oat fails on System Apps due to injection hardening (ThePedroo#10)

* Fix dex2oat fails on System Apps due to denylist parsing

* Update abx parser.

- Fix mem leaks.
- Enhance parser code size and memory footprint.
- Update Parser Attribution.

Co-authored-by: frknkrc44 <[email protected]>

* Update parser usage as per examples

---------

Co-authored-by: frknkrc44 <[email protected]>

Author: fatalcoder524

daemon/src/main/java/org/lsposed/lspd/service/DenylistManager.java

@@ -25,4 +25,5 @@
 
 public class DenylistManager {
     native static boolean isInDenylist(String processName);
+    native static boolean isInDenylistFromClasspathDir(String classpathDir);
 }

daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java

@@ -26,6 +26,7 @@
 import static org.lsposed.lspd.ILSPManagerService.DEX2OAT_SEPOLICY_INCORRECT;
 
 import static org.lsposed.lspd.service.DenylistManager.isInDenylist;
+import static org.lsposed.lspd.service.DenylistManager.isInDenylistFromClasspathDir;
 
 import android.net.LocalServerSocket;
 import android.os.Build;
@@ -273,51 +274,50 @@ public void run() {
                     Log.d(TAG, "Sent fd of " + dex2oatArray[id]);
                 } else if (op == 2) {
                     /* INFO: Check if process is in denylist */
-                    int processNameLen = readInt(is);
-                    if (processNameLen < 0) {
-                        Log.w(TAG, "Dex2oat wrapper daemon received invalid process name length: " + processNameLen);
+                    int classpathDirLen = readInt(is);
+                    if (classpathDirLen < 0) {
+                        Log.w(TAG, "Dex2oat wrapper daemon received invalid classpath dir length: " + classpathDirLen);
 
                         client.close();
 
                         continue;
                     }
 
-                    Log.d(TAG, "Received process name length: " + processNameLen);
-                    if (processNameLen < 0 || processNameLen > 1024) {
-                        Log.w(TAG, "Dex2oat wrapper daemon received invalid process name length: " + processNameLen);
+                    Log.d(TAG, "Received classpath dir length: " + classpathDirLen);
+                    if (classpathDirLen < 0 || classpathDirLen > 1024) {
+                        Log.w(TAG, "Dex2oat wrapper daemon received invalid classpath dir length: " + classpathDirLen);
 
                         client.close();
 
                         continue;
                     }
 
-                    byte[] processNameBytes = new byte[processNameLen];
-                    int bytesRead = is.read(processNameBytes);
-                    if (bytesRead != processNameLen) {
+                    byte[] classpathDirBytes = new byte[classpathDirLen];
+                    int bytesRead = is.read(classpathDirBytes);
+                    if (bytesRead != classpathDirLen) {
                         Log.w(TAG, "Dex2oat wrapper daemon received incomplete process name. Expected: "
-                                + processNameLen + ", Read: " + bytesRead);
+                                + classpathDirLen + ", Read: " + bytesRead);
 
                         client.close();
 
                         continue;
                     }
 
-                    String processName = new String(processNameBytes);
-                    if (processName.isEmpty() && processNameLen > 0) {
-                        Log.w(TAG, "Dex2oat wrapper daemon received empty process name despite reported length: " + processNameLen);
+                    String classpathDirArg = new String(classpathDirBytes);
+                    if (classpathDirArg.isEmpty() && classpathDirLen > 0) {
+                        Log.w(TAG, "Dex2oat wrapper daemon received empty process name despite reported length: " + classpathDirLen);
 
                         client.close();
 
                         continue;
                     }
 
-                    Log.d(TAG, "Received process name: " + processName);
+                    Log.d(TAG, "Received classpath dir: " + classpathDirArg);
 
-                    boolean isDenied = isInDenylist(processName);
+                    boolean isDenied = isInDenylistFromClasspathDir(classpathDirArg);
 
                     writeInt(os, isDenied ? 1 : 0);
-
-                    Log.d(TAG, "Process " + processName + " is "
+                    Log.d(TAG, "Process is "
                             + (isDenied ? "denied" : "allowed") + " for injected dex2oat");
                 } else {
                     Log.w(TAG, "Dex2oat wrapper daemon received unknown operation: " + op);

daemon/src/main/jni/CMakeLists.txt

@@ -8,6 +8,7 @@ set(SOURCES
         denylist.cpp
         logcat.cpp
         obfuscation.cpp
+        packagename.cpp
         )
 
 add_library(${PROJECT_NAME} SHARED ${SOURCES})

daemon/src/main/jni/abx_utils/abx_decoder.hpp

@@ -0,0 +1,209 @@
+#include <cstring>
+#include <iostream>
+#include <map>
+#include <memory>
+#include <vector>
+
+#include "const.h"
+#include "xml_element.hpp"
+
+/*
+ * This decoder is made by frknkrc44.
+ *
+ * Thanks DanGLES3 and fatalcoder524 to find memory leaks.
+ */
+
+class AbxDecoder {
+    public:
+    AbxDecoder(std::vector<char> str) {
+		mInput = str;
+	}
+
+    bool parse() {
+        if (!isAbx())
+            return false;
+
+        std::cerr << "ABX file found" << std::endl;
+
+        docOpen = false;
+        rootClosed = false;
+        internedStrings.clear();
+		elementStack.clear();
+
+        while (true) {
+            char event = readByte();
+			int tType = event & 0x0f;
+            int dType = event & 0xf0;
+
+            // std::cout << "tType: " << tType << " dType: " << dType << std::endl;
+
+            switch (tType) {
+                case TOKEN_ATTRIBUTE: {
+                    auto attrName = readInternedString();
+                    std::vector<char> value;
+
+                    switch (dType) {
+                        case DATA_NULL: {
+                            const char* chr = "null";
+                            value.insert(value.begin(), chr, chr + strlen(chr));
+                            goto finishReadAttr;
+                        }
+                        case DATA_BOOLEAN_FALSE: {
+                            const char* chr = "false";
+                            value.insert(value.begin(), chr, chr + strlen(chr));
+                            goto finishReadAttr;
+                        }
+                        case DATA_BOOLEAN_TRUE: {
+                            const char* chr = "true";
+                            value.insert(value.begin(), chr, chr + strlen(chr));
+                            goto finishReadAttr;
+                        }
+                        case DATA_STRING:
+                        case DATA_BYTES_HEX:
+                        case DATA_BYTES_BASE64: {
+                            value = readString();
+                            goto finishReadAttr;
+                        }
+                        case DATA_STRING_INTERNED: {
+                            value = readInternedString();
+                            goto finishReadAttr;
+                        }
+                        case DATA_INT:
+                        case DATA_INT_HEX:
+                        case DATA_FLOAT: {
+                            value = readFromCurPos(4);
+                            goto finishReadAttr;
+                        }
+                        case DATA_LONG:
+                        case DATA_LONG_HEX:
+                        case DATA_DOUBLE: {
+                            value = readFromCurPos(8);
+                            goto finishReadAttr;
+                        }
+                    }
+
+                    finishReadAttr:
+                    elementStack.back()->pushAttribute(
+                        attrName, std::make_shared<XMLAttribute>(tType, value));
+                    continue;
+                }
+                case TOKEN_START_DOCUMENT: {
+                    docOpen = true;
+                    continue;
+                }
+                case TOKEN_END_DOCUMENT: {
+                    docOpen = false;
+                    continue;
+                }
+                case TOKEN_START_TAG: {
+                    auto tagName = readInternedString();
+                    addElementToStack(std::make_shared<XMLElement>(tagName));
+                    continue;
+                }
+                case TOKEN_END_TAG: {
+                    auto tagName = readInternedString();
+                    auto lastTagName = elementStack.back()->mTagName.data();
+                    if (strcmp(tagName.data(), lastTagName) != 0) {
+                        std::cerr << "Mismatching tags " << tagName.data() << " - " << lastTagName << std::endl;
+                    }
+
+                    if (elementStack.size() == 1) {
+                        root = std::move(elementStack.back());
+                        docOpen = false;
+                        rootClosed = true;
+                        goto breakLoopSuccess;
+                    }
+
+                    elementStack.pop_back();
+                    continue;
+                }
+                case TOKEN_TEXT:
+                case TOKEN_CDSECT:
+                case TOKEN_PROCESSING_INSTRUCTION:
+                case TOKEN_COMMENT:
+                case TOKEN_DOCDECL:
+                case TOKEN_IGNORABLE_WHITESPACE: {
+                    auto readVal = readString();
+                    elementStack.back()->textSections.emplace_back(
+                        std::make_shared<XMLAttribute>(tType, readVal));
+                    continue;
+                }
+                default:
+                    std::cerr << "Unimplemented type " << (tType >> 4) << " " << dType << std::endl;
+                    return false;
+            }
+
+            breakLoopSuccess:
+            return true;
+        }
+    }
+
+    std::shared_ptr<XMLElement> root;
+
+    private:
+    int curPos = 0;
+	std::vector<char> mInput;
+    std::vector<std::vector<char>> internedStrings;
+    std::vector<std::shared_ptr<XMLElement>> elementStack;
+	bool docOpen = false, rootClosed = false;
+    const std::vector<char> emptyString;
+
+    std::vector<char> readFromCurPos(int len) {
+		// std::cout << "Reading " << len << " bytes of data from " << curPos << std::endl;
+		std::vector ret(mInput.begin() + curPos, mInput.begin() + curPos + len);
+		curPos += len;
+		return ret;
+	}
+
+    bool isAbx() {
+		// maybe empty?
+		if (mInput.size() < 5) return false;
+
+		curPos = 0;
+		std::vector<char> headerV = readFromCurPos(4);
+		const char* header = reinterpret_cast<const char*>(headerV.data());
+		return memcmp(header, startMagic, 4) == 0;
+	}
+
+	char readByte() {
+		return readFromCurPos(1)[0];
+	}
+
+    short readShort() {
+		std::vector<char> off = readFromCurPos(2);
+        return ((unsigned short) off[0] << 8) | ((unsigned char) off[1]);
+	}
+
+    std::vector<char> readString() {
+		short len = readShort();
+		if (len < 1) {
+			return emptyString;
+		}
+
+		auto ret = readFromCurPos(len);
+        ret.emplace_back(0);
+        return ret;
+	}
+
+    std::vector<char> readInternedString() {
+		short idx = readShort();
+        if (idx < 0) {
+            std::vector<char> str = readString();
+            internedStrings.emplace_back(str);
+			return str;
+        }
+
+        auto internedStr = internedStrings.begin();
+		std::advance(internedStr, idx);
+		return *internedStr;
+    }
+
+    void addElementToStack(std::shared_ptr<XMLElement> element) {
+        if (elementStack.size() > 0) {
+            auto lastElement = elementStack.back().get();
+            lastElement->subElements.emplace_back(element);
+        }
+
+        elementStack.emplace_back(element);
+    }
+};

daemon/src/main/jni/abx_utils/const.h

@@ -0,0 +1,36 @@
+#pragma once
+
+/*
+ * This decoder is made by frknkrc44.
+ *
+ * Thanks DanGLES3 and fatalcoder524 to find memory leaks.
+ */
+
+const char startMagic[4] = { 'A', 'B', 'X', '\0' };
+
+static const short TOKEN_START_DOCUMENT = 0;
+static const short TOKEN_END_DOCUMENT = 1;
+static const short TOKEN_START_TAG = 2;
+static const short TOKEN_END_TAG = 3;
+static const short TOKEN_TEXT = 4;
+static const short TOKEN_CDSECT = 5;
+// static const short TOKEN_ENTITY_REF = 6;
+static const short TOKEN_IGNORABLE_WHITESPACE = 7;
+static const short TOKEN_PROCESSING_INSTRUCTION = 8;
+static const short TOKEN_COMMENT = 9;
+static const short TOKEN_DOCDECL = 10;
+static const short TOKEN_ATTRIBUTE = 15;
+
+static const short DATA_NULL = 1 << 4;
+static const short DATA_STRING = 2 << 4;
+static const short DATA_STRING_INTERNED = 3 << 4;
+static const short DATA_BYTES_HEX = 4 << 4;
+static const short DATA_BYTES_BASE64 = 5 << 4;
+static const short DATA_INT = 6 << 4;
+static const short DATA_INT_HEX = 7 << 4;
+static const short DATA_LONG = 8 << 4;
+static const short DATA_LONG_HEX = 9 << 4;
+static const short DATA_FLOAT = 10 << 4;
+static const short DATA_DOUBLE = 11 << 4;
+static const short DATA_BOOLEAN_TRUE = 12 << 4;
+static const short DATA_BOOLEAN_FALSE = 13 << 4;

daemon/src/main/jni/abx_utils/xml_attribute.hpp

@@ -0,0 +1,17 @@
+#include <vector>
+
+/*
+ * This decoder is made by frknkrc44.
+ *
+ * Thanks DanGLES3 and fatalcoder524 to find memory leaks.
+ */
+
+class XMLAttribute {
+ public:
+	std::vector<char> mValue;
+	int mDataType;
+	XMLAttribute(int dataType, std::vector<char> value) {
+		mDataType = dataType;
+		mValue.insert(mValue.begin(), value.begin(), value.end());
+	}
+};