magiskboot: Corrupted boot image! after 26.1 ???

[defkev]

Device: generic_x86_64
Android version: 10
Magisk version name: 26.4
Magisk version code: 26404

Trying to update my rooted emulator to the latest version (26.4) gives me a:

Unsupported/Unknown image format

will patching the boot image:

after some digging around i could boil the problem down to a change in magiskboot introduced in version 26.2:

generic_x86_64:/data/adb/_TEMP # ./magiskboot261 unpack /sdcard/boot.img && echo $?
Parsing boot image: [/sdcard/boot.img]                                            
HEADER_VER      [0]                                                               
KERNEL_SZ       [0]                                                               
RAMDISK_SZ      [2201088]                                                         
SECOND_SZ       [0]                                                               
EXTRA_SZ        [0]                                                               
PAGESIZE        [2048]                                                            
NAME            []                                                                
CMDLINE         []                                                                
CHECKSUM        [0000000000000000000000000000000000000000000000000000000000000000]
RAMDISK_FMT     [raw]                                                             
0                                
generic_x86_64:/data/adb/_TEMP # ./magiskboot264 unpack /sdcard/boot.img && echo $?
Parsing boot image: [/sdcard/boot.img]
HEADER_VER      [0]                   
KERNEL_SZ       [0]                   
RAMDISK_SZ      [2201088]             
SECOND_SZ       [0]                   
EXTRA_SZ        [0]                   
PAGESIZE        [2048]                
NAME            []                    
CMDLINE         []
CHECKSUM        [0000000000000000000000000000000000000000000000000000000000000000]
Corrupted boot image!
1
generic_x86_64:/data/adb/_TEMP # ./magiskboot26404 unpack /sdcard/boot.img && echo $?
Parsing boot image: [/sdcard/boot.img]
HEADER_VER      [0]
KERNEL_SZ       [0]
RAMDISK_SZ      [2201088]
SECOND_SZ       [0]
EXTRA_SZ        [0]
PAGESIZE        [2048]
NAME            []
CMDLINE         []
CHECKSUM        [0000000000000000000000000000000000000000000000000000000000000000]
Corrupted boot image!
1

boot.img attached (zipped because Github)
boot.zip

[canyie]

Maybe c97ab69

[wonkxin]

Magisk v26.1 also on my device is the last working version, see link below

#7254 (comment)

[JLJTGR]

I possibly have the same issue on a real physical device. v26.4, 27.0 do not work but v26.1 does complete successfully.

Onyx BOOX NovaAirC; Android 11

Not working output from v27.0:

- Device platform: arm64-v8a
- Installing: 27.0 (27000)
- Copying image to cache
- Unpacking boot image
Parsing boot image: [/data/user_de/0/com.topjohnwu.magisk/install/boot.img]
HEADER_VER      [2]
KERNEL_SZ       [37631059]
RAMDISK_SZ      [1149638]
SECOND_SZ       [0]
RECOV_DTBO_SZ   [0]
DTB_SZ          [658721]
OS_VERSION      [11.0.0]
OS_PATCH_LEVEL  [2020-11]
PAGESIZE        [4096]
NAME            []
CMDLINE         [console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0x4a90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 buildvariant=user]
CHECKSUM        [7b0355fc9a15ec143c0feb8be765aac9ad03865a000000000000000000000000]
Corrupted boot image!
! Unsupported/Unknown image format
! Installation failed

Working output from v26.1:

- Device platform: arm64-v8a
- Installing: 26.1 (26100)
- Copying image to cache
- Unpacking boot image
Parsing boot image: [/data/user_de/0/com.topjohnwu.magisk/install/boot.img]
HEADER_VER      [2]
KERNEL_SZ       [37631059]
RAMDISK_SZ      [1149638]
SECOND_SZ       [0]
RECOV_DTBO_SZ   [0]
DTB_SZ          [658721]
OS_VERSION      [11.0.0]
OS_PATCH_LEVEL  [2020-11]
PAGESIZE        [4096]
NAME            []
CMDLINE         [console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0x4a90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 buildvariant=user]
CHECKSUM        [7b0355fc9a15ec143c0feb8be765aac9ad03865a000000000000000000000000]
KERNEL_FMT      [gzip]
RAMDISK_FMT     [gzip]
- Checking ramdisk status
Loading cpio: [ramdisk.cpio]
- Stock boot image detected
- Patching ramdisk
- Pre-init storage partition device ID: metadata
Loading cpio: [ramdisk.cpio]
Add entry [init] (0750)
Create directory [overlay.d] (0750)
Create directory [overlay.d/sbin] (0750)
Add entry [overlay.d/sbin/magisk32.xz] (0644)
Add entry [overlay.d/sbin/magisk64.xz] (0644)
Add entry [overlay.d/sbin/stub.xz] (0644)
Patch with flag KEEPVERITY=[true] KEEPFORCEENCRYPT=[true]
Loading cpio: [ramdisk.cpio.orig]
Backup mismatch entry: [init] -> [.backup/init]
Record new entry: [overlay.d] -> [.backup/.rmlist]
Record new entry: [overlay.d/sbin] -> [.backup/.rmlist]
Record new entry: [overlay.d/sbin/magisk32.xz] -> [.backup/.rmlist]
Record new entry: [overlay.d/sbin/magisk64.xz] -> [.backup/.rmlist]
Record new entry: [overlay.d/sbin/stub.xz] -> [.backup/.rmlist]
Create directory [.backup] (0000)
Add entry [.backup/.magisk] (0000)
Dump cpio: [ramdisk.cpio]
Loading dtbs from [dtb]
Patch @ 03FC0ED7 [736B69705F696E697472616D667300] -> [77616E745F696E697472616D667300]
- Repacking boot image
Parsing boot image: [/data/user_de/0/com.topjohnwu.magisk/install/boot.img]
HEADER_VER      [2]
KERNEL_SZ       [37631059]
RAMDISK_SZ      [1149638]
SECOND_SZ       [0]
RECOV_DTBO_SZ   [0]
DTB_SZ          [658721]
OS_VERSION      [11.0.0]
OS_PATCH_LEVEL  [2020-11]
PAGESIZE        [4096]
NAME            []
CMDLINE         [console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0x4a90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 buildvariant=user]
CHECKSUM        [7b0355fc9a15ec143c0feb8be765aac9ad03865a000000000000000000000000]
KERNEL_FMT      [gzip]
RAMDISK_FMT     [gzip]
Repack to boot image: [new-boot.img]
HEADER_VER      [2]
KERNEL_SZ       [37633240]
RAMDISK_SZ      [1635084]
SECOND_SZ       [0]
RECOV_DTBO_SZ   [0]
DTB_SZ          [658721]
OS_VERSION      [11.0.0]
OS_PATCH_LEVEL  [2020-11]
PAGESIZE        [4096]
NAME            []
CMDLINE         [console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0x4a90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 buildvariant=user]
CHECKSUM        [451224e693b53b0e3423548260b9817e8bfebba4000000000000000000000000]

****************************
 Output file is written to 
 /storage/emulated/0/Download/magisk_patched-26100_cldRk.img 
****************************
cp: can't preserve ownership of 'busybox': Operation not permitted
cp: can't preserve ownership of 'magisk32': Operation not permitted
cp: can't preserve ownership of 'magisk64': Operation not permitted
cp: can't preserve ownership of 'magiskboot': Operation not permitted
cp: can't preserve ownership of 'magiskinit': Operation not permitted
cp: can't preserve ownership of 'magiskpolicy': Operation not permitted
- All done!

[canyie]

Looks this boot image only contains a header and a ramdisk. The file size does not aligned upward with the page size.
When getting the ramdisk block, off reaches to the end of the whole boot image file, and then the code aligns the offset upward with the page size, which makes it greater than the file size. Then assert_off detects off is OOB and aborts.

Magisk/native/src/boot/bootimg.cpp

Lines 318 to 322 in c97ab69

	#define get_block(name) \
	name = base_addr + off; \
	off += hdr->name##_size(); \
	off = align_to(off, hdr->page_size()); \
	assert_off();

Not sure how to properly deal with it. Simply removing the check brings back the chance of OOB access...

[canyie]

I tried this, but the assertion still fails:

#define get_block(name)                 \
name = base_addr + off;                 \
off += hdr->name##_size();              \
assert_off();                           \
off = std::max(align_to(off, hdr->page_size()), map.sz());

#define get_ignore(name)                                            \
if (hdr->name##_size()) {                                           \
    off += hdr->name##_size();                                      \
    assert_off();                                                   \
    off = std::max(align_to(off, hdr->page_size()), map.sz());      \
}