refix bti (#38)

* refix bti

---------

Co-authored-by: bmax <bmax@placeholder.com>

Author: bmax121

kernel/base/fphook.c

@@ -281,8 +281,7 @@ KP_EXPORT_SYMBOL(fp_hook_wrap);
 
 void fp_hook_unwrap(uintptr_t fp_addr, void *before, void *after)
 {
-    uint64_t origin = branch_func_addr(fp_addr);
-    fp_hook_chain_t *chain = (fp_hook_chain_t *)hook_get_mem_from_origin(origin);
+    fp_hook_chain_t *chain = (fp_hook_chain_t *)hook_get_mem_from_origin(fp_addr);
     if (!chain) return;
     for (int i = 0; i < FP_HOOK_CHAIN_NUM; i++) {
         if (chain->states[i] == CHAIN_ITEM_STATE_READY)

kernel/base/hook.c

@@ -280,8 +280,6 @@ int32_t branch_relative(uint32_t *buf, uint64_t src_addr, uint64_t dst_addr)
         buf[1] = ARM64_NOP;
         return 2;
     }
-    // todo: add bit c or bit cj here
-    // d503245f        bti     c
     return 0;
 }
 KP_EXPORT_SYMBOL(branch_relative);
@@ -292,19 +290,28 @@ int32_t branch_absolute(uint32_t *buf, uint64_t addr)
     buf[1] = 0xd61f0220; // BR X17
     buf[2] = addr & 0xFFFFFFFF;
     buf[3] = addr >> 32u;
-    // todo: add bit c or bit cj here
-    // d503245f        bti     c
     return 4;
 }
 KP_EXPORT_SYMBOL(branch_absolute);
 
+int32_t ret_absolute(uint32_t *buf, uint64_t addr)
+{
+    buf[0] = 0x58000051; // LDR X17, #8
+    buf[1] = 0xd65f0220; // RET X17
+    buf[2] = addr & 0xFFFFFFFF;
+    buf[3] = addr >> 32u;
+    return 4;
+}
+KP_EXPORT_SYMBOL(ret_absolute);
+
 int32_t branch_from_to(uint32_t *tramp_buf, uint64_t src_addr, uint64_t dst_addr)
 {
-#if 1
+#if 0
     uint32_t len = branch_relative(tramp_buf, src_addr, dst_addr);
     if (len) return len;
 #endif
-    return branch_absolute(tramp_buf, dst_addr);
+    // return branch_absolute(tramp_buf, dst_addr);
+    return ret_absolute(tramp_buf, dst_addr);
 }
 KP_EXPORT_SYMBOL(branch_from_to);
 
@@ -571,8 +578,7 @@ void hook_install(hook_t *hook)
         *((uint32_t *)hook->origin_addr + i) = hook->tramp_insts[i];
     }
     flush_icache_all();
-    // todo: this is temporary fix for bit
-    *entry = ori_prot & 0xFFFBFFFFFFFFFFFF;
+    *entry = ori_prot;
     flush_tlb_kernel_page(va);
 }
 KP_EXPORT_SYMBOL(hook_install);

kernel/include/hook.h

@@ -232,6 +232,7 @@ typedef struct _fphook_chain
 int32_t branch_from_to(uint32_t *tramp_buf, uint64_t src_addr, uint64_t dst_addr);
 int32_t branch_relative(uint32_t *buf, uint64_t src_addr, uint64_t dst_addr);
 int32_t branch_absolute(uint32_t *buf, uint64_t addr);
+int32_t ret_absolute(uint32_t *buf, uint64_t addr);
 
 #ifdef HOOK_INTO_BRANCH_FUNC
 uint64_t branch_func_addr(uint64_t addr);

kernel/patch/patch.c

@@ -46,45 +46,45 @@ void before_panic(hook_fargs12_t *args, void *udata)
 
 static void before_rest_init(hook_fargs4_t *args, void *udata)
 {
-    int err = 0;
+    int rc = 0;
     log_boot("entering init ...\n");
 
-    if ((err = linux_sybmol_len_init())) goto out;
-    log_boot("linux_sybmol_len_init done: %d\n", err);
+    if ((rc = linux_sybmol_len_init())) goto out;
+    log_boot("linux_sybmol_len_init done: %d\n", rc);
 
-    if ((err = linux_libs_symbol_init())) goto out;
-    log_boot("linux_libs_symbol_init done: %d\n", err);
+    if ((rc = linux_libs_symbol_init())) goto out;
+    log_boot("linux_libs_symbol_init done: %d\n", rc);
 
-    if ((err = linux_misc_symbol_init())) goto out;
-    log_boot("linux_misc_symbol_init done: %d\n", err);
+    if ((rc = linux_misc_symbol_init())) goto out;
+    log_boot("linux_misc_symbol_init done: %d\n", rc);
 
-    if ((err = bypass_kcfi())) goto out;
-    log_boot("bypass_kcfi done: %d\n", err);
+    if ((rc = bypass_kcfi())) goto out;
+    log_boot("bypass_kcfi done: %d\n", rc);
 
-    if ((err = syscall_init())) goto out;
-    log_boot("syscall_init done: %d\n", err);
+    if ((rc = syscall_init())) goto out;
+    log_boot("syscall_init done: %d\n", rc);
 
-    if ((err = resolve_struct())) goto out;
-    log_boot("resolve_struct done: %d\n", err);
+    if ((rc = resolve_struct())) goto out;
+    log_boot("resolve_struct done: %d\n", rc);
 
-    if ((err = task_observer())) goto out;
-    log_boot("task_observer done: %d\n", err);
+    if ((rc = task_observer())) goto out;
+    log_boot("task_observer done: %d\n", rc);
 
-    if ((err = selinux_hook_install())) goto out;
-    log_boot("selinux_hook_install done: %d\n", err);
+    if ((rc = selinux_hook_install())) goto out;
+    log_boot("selinux_hook_install done: %d\n", rc);
 
-    if ((err = module_init())) goto out;
-    log_boot("module_init done: %d\n", err);
+    if ((rc = module_init())) goto out;
+    log_boot("module_init done: %d\n", rc);
 
-    if ((err = supercall_install())) goto out;
-    log_boot("supercall_install done: %d\n", err);
+    if ((rc = supercall_install())) goto out;
+    log_boot("supercall_install done: %d\n", rc);
 
 #ifdef ANDROID
-    if ((err = kpuserd_init())) goto out;
-    log_boot("kpuserd_init done: %d\n", err);
+    if ((rc = kpuserd_init())) goto out;
+    log_boot("kpuserd_init done: %d\n", rc);
 
-    if ((err = su_compat_init())) goto out;
-    log_boot("su_compat_init done: %d\n", err);
+    if ((rc = su_compat_init())) goto out;
+    log_boot("su_compat_init done: %d\n", rc);
 #endif
 
 out:
@@ -106,7 +106,6 @@ int patch()
     int rc = 0;
 
     unsigned long panic_addr = get_preset_patch_sym()->panic;
-    logkd("panic: %llx\n", panic_addr);
     if (panic_addr) {
         hook_err_t err = hook_wrap12((void *)panic_addr, before_panic, 0, 0);
         if (err) {

version

@@ -1,3 +1,3 @@
 #define MAJOR 0
 #define MINOR 8
-#define PATCH 3
+#define PATCH 4