Monday, August 10, 2015

Fix for Stagefright in Cyanogenmod 9.1 for Xperia Ray

Having recently gone from the stock Sony ROM to CM 9.1 I found the Stagefright stuff a good excuse to start hacking Cyanogenmod.
Long story short - I've backported the fixes for the Stagefright vulnerabilities to the cm9.1 branch and built a private ROM for my Ray out of that.

It works acceptably well on my device, and while I'm quite sure the CM9.1 libstagefright code contains many horrors that have been fixed along the long way from Android 4.0.4, at least now I should be relatively safe should a massive exploit be unleashed.
I'll try to push the changes upstream. In the meantime, here's the ROM (sha1sum: 54ae08ffb080767336faa430d7ad0a14558d6ad5).

Wednesday, August 5, 2015

More breakage:
hajma@c:~/android/system-ics$ brunch urushi
host C++: libdvm <= dalvik/vm/native/dalvik_system_Zygote.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Class.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Double.cpp
host C++: libdvm <= dalvik/vm/native/java_lang_Float.cpp
dalvik/vm/native/dalvik_system_Zygote.cpp: In function ‘int setrlimitsFromArray(ArrayObject*)’:
dalvik/vm/native/dalvik_system_Zygote.cpp:199:19: error: aggregate ‘setrlimitsFromArray(ArrayObject*)::rlimit rlim’ has incomplete type and cannot be defined
     struct rlimit rlim;
                   ^
dalvik/vm/native/dalvik_system_Zygote.cpp:222:43: error: ‘setrlimit’ was not declared in this scope
         err = setrlimit(contents[0], &rlim);
                                           ^
build/core/binary.mk:347: recipe for target 'out/host/linux-x86/obj/SHARED_LIBRARIES/libdvm_intermediates/native/dalvik_system_Zygote.o' failed
make: *** [out/host/linux-x86/obj/SHARED_LIBRARIES/libdvm_intermediates/native/dalvik_system_Zygote.o] Error 1
make: *** Waiting for unfinished jobs....
hajma@c:~/android/system-ics$
And a fix:
diff --git a/vm/native/dalvik_system_Zygote.cpp b/vm/native/dalvik_system_Zygote.cpp
index 8224656..648bd58 100644
--- a/vm/native/dalvik_system_Zygote.cpp
+++ b/vm/native/dalvik_system_Zygote.cpp
@@ -21,7 +21,7 @@
 #include "native/InternalNativePriv.h"
 
 #include 
-#if (__GNUC__ == 4 && __GNUC_MINOR__ == 7)
+#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)
 #include 
 #endif
 #include 
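Review bot: the relaxed guard `#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)` still matches only GCC 4.x. On GCC 5 and later `__GNUC__` is 5 or more and `__GNUC_MINOR__` restarts from 0, so the guarded include (from the error above, the header that declares `struct rlimit` and `setrlimit`; its name did not survive on this page) is skipped again and the same two errors come back. Use `#if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7))`, or simply include that header unconditionally, since the function body needs it on every compiler.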

Tuesday, August 4, 2015

My next breakage is due to Debian Jessie shipping a fresher and pickier version of make:

hajma@chrastavec:~/android/system-ics$ brunch urushi
including vendor/cm/vendorsetup.sh
Looking for dependencies

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=4.0.4
TARGET_PRODUCT=cm_urushi
TARGET_BUILD_VARIANT=userdebug
TARGET_BUILD_TYPE=release
TARGET_BUILD_APPS=
TARGET_ARCH=arm
TARGET_ARCH_VARIANT=armv7-a-neon
HOST_ARCH=x86
HOST_OS=linux
HOST_BUILD_TYPE=release
BUILD_ID=IMM76L
============================================

build/core/main.mk:43: ********************************************************************************
build/core/main.mk:44: *  You are using version 4.0 of make.
build/core/main.mk:45: *  Android can only be built by versions 3.81 and 3.82.
build/core/main.mk:46: *  see http://source.android.com/source/download.html
build/core/main.mk:47: ********************************************************************************
============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=4.0.4
TARGET_PRODUCT=cm_urushi
TARGET_BUILD_VARIANT=userdebug
TARGET_BUILD_TYPE=release
TARGET_BUILD_APPS=
TARGET_ARCH=arm
TARGET_ARCH_VARIANT=armv7-a-neon
HOST_ARCH=x86
HOST_OS=linux
HOST_BUILD_TYPE=release
BUILD_ID=IMM76L
============================================
Checking build tools versions...
build/core/prebuilt.mk:143: *** recipe commences before first target.  Stop. 

Fortunately, the Firefox OS folks hit it too and have a patch.
The next step is to get the closed binaries. The script device/semc/urushi/extract-files.sh does that by pulling them from the phone via adb. I no longer have the Sony firmware on my phone, so there should be no need to connect it when the Cyanogenmod zip I used to flash it has the same contents, right? The patch below adds the zip as an alternative source:
hajma@c:~/android/system-ics/device/semc/urushi$ git diff ./extract-files.sh 
diff --git a/extract-files.sh b/extract-files.sh
index f3aaa2c..192ea96 100755
--- a/extract-files.sh
+++ b/extract-files.sh
@@ -5,10 +5,11 @@ DEVICE=urushi
 
 BASE=../../../vendor/$VENDOR/$DEVICE/proprietary
 
-while getopts ":nh" options
+while getopts ":nzh" options
 do
   case $options in
     n ) NC=1 ;;
+    z ) FROMZIP=1;;
     h ) echo "Usage: `basename $0` [OPTIONS] "
         echo "  -n  No clenup"
         echo "  -h  Show this help"
@@ -27,7 +28,11 @@ for FILE in `cat proprietary-files.txt | grep -v ^# | grep -v ^$`; do
     if [ ! -d $BASE/$DIR ]; then
         mkdir -p $BASE/$DIR
     fi
-    adb pull /system/$FILE $BASE/$FILE
+    if [ "$FROMZIP" = "1" ]; then
+        unzip $2 system/$FILE -d $BASE
+    else
+        adb pull /system/$FILE $BASE/$FILE
+    fi
 done
 
 ./setup-makefiles.sh
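Review bot: `unzip $2 system/$FILE -d $BASE` recreates the member's path, so the blob lands at `$BASE/system/$FILE`, not at `$BASE/$FILE` where the `adb pull` branch puts it and where `$BASE/$DIR` was just created for it; `setup-makefiles.sh` will then point at files that are not there. Use `unzip -o -j "$2" "system/$FILE" -d "$BASE/$DIR"` (junk the path, extract into the directory created above), the same `-j` form used later on this page for `libjackpal-androidterm4.so`. Also quote `$2` and check unzip's exit status, which is non-zero on `filename not matched`, so a blob missing from the zip stops the run here instead of surfacing later as a `No rule to make target` error from make.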
... and more breakage:
hajma@c:~/android/system-ics$ brunch urushi
...
make: *** No rule to make target 'vendor/cm/proprietary/lib/armeabi/libjackpal-androidterm4.so', needed by 'out/target/product/urushi/system/lib/libjackpal-androidterm4.so'.  Stop.
make: *** Waiting for unfinished jobs....
target thumb C: calibrator <= hardware/ti/wlan/mac80211/ti-utils/ini.c
hajma@c:~/android/system-ics$ 
The file was supposed to be delivered with get-prebuilts:
hajma@c:~/android/system-ics/vendor/cm$ ./get-prebuilts 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3347k  100 3347k    0     0   175k      0  0:00:19  0:00:19 --:--:--  205k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   178  100   178    0     0    296      0 --:--:-- --:--:-- --:--:--   295
100  551k  100  551k    0     0   373k      0  0:00:01  0:00:01 --:--:-- 1375k
Archive:  ./proprietary/Term.apk
caution: filename not matched:  lib/armeabi/libjackpal-androidterm4.so
but the Term.apk now has a newer version:
hajma@c:~/android/system-ics/vendor/cm$ unzip -l proprietary/Term.apk |grep libjackpal-androidterm
    13532  2015-04-15 08:09   lib/armeabi/libjackpal-androidterm5.so
     5648  2015-04-15 08:09   lib/mips/libjackpal-androidterm5.so
     5240  2015-04-15 08:09   lib/x86/libjackpal-androidterm5.so
I'll have a look at updating Term later; for now I'll use the one from the zip:
hajma@c:~/android/system-ics/vendor/cm$ mkdir -p proprietary/lib/armeabi/
hajma@c:~/android/system-ics/vendor/cm$ unzip -j ~/Downloads/cm-9.1.0-urushi.zip -d proprietary/lib/armeabi system/lib/libjackpal-androidterm4.so
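Both the `-z` patch to extract-files.sh above and the `unzip -j` pull of libjackpal-androidterm4.so do the same thing: take binary blobs out of a flashable zip and drop them into the vendor tree, trusting the zip. The small script below is an added example, not CyanogenMod's extract-files.sh, that does that job the way I would want it done: verify the zip's SHA-1 against the value published with it first (the same check that applies to the ROM whose sha1sum the Stagefright post above gives, before flashing it), place each file where `adb pull /system/<FILE>` would, refuse list entries that would escape the vendor directory, and report members the zip lacks. The zip members, the file list and the checksum used in `demo()` are constructed for the example; the `vendor/semc/urushi/proprietary` layout and `proprietary-files.txt` format are taken from the page.

```python
"""Added example (not CyanogenMod's extract-files.sh): take proprietary blobs
from a flashable ROM zip, verified by checksum, instead of `adb pull`.

It mirrors the loop in extract-files.sh over proprietary-files.txt but
  * refuses the zip unless its SHA-1 matches the published value,
  * writes each blob to BASE/<FILE>, where `adb pull /system/<FILE>` puts it,
    rather than BASE/system/<FILE>,
  * rejects list entries that would escape BASE, and reports members the zip
    lacks instead of leaving a 'No rule to make target' for make to find.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile


def parse_proprietary_list(text):
    """proprietary-files.txt minus comments and blank lines
    (what `grep -v ^# | grep -v ^$` does in the shell script)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def sha1_of(path):
    """Hex SHA-1 of a file, read in 1 MiB chunks so a large zip is fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_from_zip(zip_path, expected_sha1, file_list, base):
    """Copy system/<FILE> out of the zip into base/<FILE> for every FILE.
    Returns (extracted, missing); raises ValueError on a bad checksum or on
    a list entry that points outside base."""
    actual = sha1_of(zip_path)
    if actual != expected_sha1.lower():
        raise ValueError("%s: sha1 %s, expected %s" % (zip_path, actual, expected_sha1))
    extracted, missing = [], []
    with zipfile.ZipFile(zip_path) as zf:
        members = set(zf.namelist())
        for rel in file_list:
            # The list lives in the device tree, but a stray '..' or absolute
            # path there would write outside the vendor directory; refuse it.
            if rel.startswith("/") or ".." in rel.split("/"):
                raise ValueError("refusing path outside %s: %s" % (base, rel))
            member = "system/" + rel
            if member not in members:
                missing.append(rel)
                continue
            dest = os.path.join(base, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(member) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
            extracted.append(rel)
    return extracted, missing


def demo():
    """Constructed sample, not a real ROM: a three-member zip and a file list
    naming two of its blobs plus one it does not contain. Returns
    (extracted, missing, tampered_rejected, bytes_of_first_blob)."""
    tmp = tempfile.mkdtemp()
    try:
        zip_path = os.path.join(tmp, "sample-urushi.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("system/lib/libjackpal-androidterm4.so", b"\x7fELF-not-really")
            zf.writestr("system/etc/sample.conf", b"constructed=1\n")
            zf.writestr("META-INF/com/google/android/updater-script", b'ui_print("sample");\n')
        listing = ("# proprietary-files.txt (constructed)\n"
                   "lib/libjackpal-androidterm4.so\n"
                   "\n"
                   "etc/sample.conf\n"
                   "lib/libnotinzip.so\n")
        files = parse_proprietary_list(listing)
        base = os.path.join(tmp, "vendor", "semc", "urushi", "proprietary")
        expected = sha1_of(zip_path)  # in real use: the sha1sum published with the ROM
        extracted, missing = extract_from_zip(zip_path, expected, files, base)
        try:  # a zip whose checksum does not match must be refused outright
            extract_from_zip(zip_path, "0" * 40, files, base)
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
        with open(os.path.join(base, "lib", "libjackpal-androidterm4.so"), "rb") as f:
            first = f.read()
        return extracted, missing, tampered_rejected, first
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The checksum is compared before a single member is opened, so a corrupted or swapped download is refused before any blob reaches the build tree; the `missing` list is what to look at when a name in proprietary-files.txt no longer exists in the zip, as happened here with libjackpal-androidterm4.so versus the newer Term.apk.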
external/llvm/include/llvm/ADT/PointerUnion.h:64:39: error: comparison between ‘enum llvm::PointerLikeTypeTraits::’ and ‘enum llvm::PointerLikeTypeTraits::’ [-Werror=enum-compare]
       NumLowBitsAvailable = PT1BitsAv < PT2BitsAv ? PT1BitsAv : PT2BitsAv
While everybody on the Internet just removes -Wall from the makefile, it can be fixed in a simpler manner, since it has apparently been worked around before:
hajma@c:~/android/system-ics/external/llvm$ git diff include/llvm/ADT/PointerUnion.h 
diff --git a/include/llvm/ADT/PointerUnion.h b/include/llvm/ADT/PointerUnion.h
index 3e3f214..6450bdb 100644
--- a/include/llvm/ADT/PointerUnion.h
+++ b/include/llvm/ADT/PointerUnion.h
@@ -54,7 +54,7 @@ namespace llvm {
     static inline void *getAsVoidPointer(void *P) { return P; }
     static inline void *getFromVoidPointer(void *P) { return P; }
     enum {
-#if (__GNUC__ == 4 && __GNUC_MINOR__ == 7)
+#if (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)
       PT1BitsAv = static_cast< int >(PointerLikeTypeTraits<PT1>::NumLowBitsAvailable),
       PT2BitsAv = static_cast< int >(PointerLikeTypeTraits<PT2>::NumLowBitsAvailable),
 #else
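Review bot: this guard has the same gap as the one in dalvik_system_Zygote.cpp: `__GNUC__ == 4 && __GNUC_MINOR__ >= 7` stops matching on GCC 5, where the minor version restarts from 0, and the un-cast `#else` branch with its `-Werror=enum-compare` failure returns. Prefer `#if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7))`, or take the `static_cast<int>` branch unconditionally: the warning objects to comparing values of two distinct anonymous enum types, and casting both to `int` is correct on every compiler, not only on GCC 4.7.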
... and more:
In file included from system/extras/ext4_utils/output_file.c:30:0:
/usr/include/zlib.h:34:19: fatal error: zconf.h: No such file or directory
 #include "zconf.h"
                   ^
compilation terminated.
The cause is ugly and the solution is uglier.
Getting closer...
Boot image: out/target/product/urushi/boot.img
error: unsupported page size 131072
device/semc/msm7x30-common/custombootimg.mk:5: recipe for target 'out/target/product/urushi/boot.img' failed
make: *** [out/target/product/urushi/boot.img] Error 255
Now this is caused by the second part of a changeset that is missing from the cm9.1 branch ... that changeset has to be applied.

aaaand here it is:
Package complete: /home/hajma/android/system-ics/out/target/product/urushi/cm-9-20150804-UNOFFICIAL-urushi.zip
41ef84db95dc7b24f78c8d0788fc1bcd  cm-9-20150804-UNOFFICIAL-urushi.zip
I don't dare to flash this yet though ;-)
While following Cyanogenmod's steps to build CM for my Ray, the repo sync command froze. 'ps -ef --forest', Linux's take on ptree, told me it was stuck in 'git-remote-https github https://github.com/CyanogenMod/android_external_svox', and a quick Google search took me to http://forum.cyanogenmod.org/topic/103527-cannot-repo-source-code-as-android-external-svox-repository-meets-dmca-issue/
ugh...

So, here's the first workaround:

   <project path="external/srtp" name="platform/external/srtp" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
   <project path="external/stlport" name="CyanogenMod/android_external_stlport" />
   <project path="external/strace" name="CyanogenMod/android_external_strace" />
-  <project path="external/svox" name="CyanogenMod/android_external_svox" />
+  <project path="external/svox" name="platform/external/svox" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
   <project path="external/tagsoup" name="CyanogenMod/android_external_tagsoup" />
   <project path="external/tcpdump" name="CyanogenMod/android_external_tcpdump" />
   <project path="external/tinyalsa" name="platform/external/tinyalsa" remote="aosp" revision="refs/tags/android-4.0.4_r2.1" />
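Review bot: editing the checked-out default manifest is fragile, because `repo sync` also updates the manifest checkout, so an uncommitted edit there has to be re-applied or rebased on every sync. Put the override in `.repo/local_manifests/` instead, where repo merges it on each sync: `<remove-project name="CyanogenMod/android_external_svox" />` followed by the `platform/external/svox` line from this hunk. Pinning to the AOSP tag `android-4.0.4_r2.1` also swaps the CyanogenMod fork for upstream, so any CM-specific changes that lived in `android_external_svox` are lost; at least the revision matches the other AOSP-pinned projects in this block (`srtp`, `tinyalsa`).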
I also had to run
rm -rf external/svox/
before running sync again.