This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

RootTicket verification error #18

Closed
asdfugil opened this issue Mar 4, 2022 · 12 comments

Comments

@asdfugil

asdfugil commented Mar 4, 2022

I cannot seem to restore the device:

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 14.0
Product Build: 18A5351d Major: 18
Device supports Image4: true
ERROR: Unable to find any build identities

idevicerestore commit 38595f0b7dac3d53033f93e9893d9be49996ba95 with patch applied
iOS version: 14.0
VM is kali linux rolling (minimal)
root_ticket.der made from ticket.shsh2 in xnu-qemu-arm64-tools
Device appears to enter restore mode successfully

Additionally, the patch does not apply for configure.ac.
I ended up adding AC_SEARCH_LIBS([pthread_create], [pthread]) to configure.ac myself and then removed that hunk of the patch.

Linux boot command:

${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 1 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait

iOS boot command:

${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=038-44135-124.dmg.trustcache.out \
-kernel kernelcache.research.iphone12b \
-dtb DeviceTree.n104ap.im4p \
-append "debug=0x14e kextlog=0xffff serial=3 -v" \
-initrd 038-44135-124.dmg \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait

Nick Chan

@TrungNguyen1909
Owner

The iOS command is still missing some stuff...

Check Auto boot

@asdfugil
Author

asdfugil commented Mar 4, 2022

adding ticket-filename=root_ticket.der to machine properties does not help (this is the only thing missing as far as I know)

@TrungNguyen1909
Owner

TrungNguyen1909 commented Mar 4, 2022

Yeah, I'm guessing that idevicerestore changed.

FYI, I'm using commit dfa05a8c417e785799a0d8ea0f9a58ed89a13085

But I will get the latest upstream and try to fix it.

@asdfugil
Author

asdfugil commented Mar 4, 2022

Using that commit and applying the patch does seem to fix the problem, but:

I am getting a verification error at RootTicket:

Sending RootTicket now...
Done sending RootTicket
Got status message
Status: Verification Error

The root_ticket.der passed to the iOS emulator is identical to the ticket passed to idevicerestore.

Full log:

┌──(nick㉿kali)-[~]
└─$ idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 iPhone11,8,iPhone12,1_14.0_18A5351d_Restore.ipsw -T root_ticket.der     
Using ApTicket found at root_ticket.der length 8931
progress: 0 0.000000
idevice_event_cb: device 1122334455667788 (udid: 00008030-1122334455667788) connected in restore mode
progress: 0 0.100000
Found device in Restore mode
INFO: device serial number is C39ZRMDEN72J
restore_get_irecv_device: Found model N104DEV
progress: 0 0.200000
Identified device as n104ap, iPhone12,1
progress: 0 0.600000
Extracting BuildManifest from IPSW
progress: 0 0.800000
Product Version: 14.0
Product Build: 18A5351d Major: 18
Device supports Image4: true
Variant: Developer Erase Install (IPSW)
This restore will erase your device data.
################################ [ WARNING ] #################################
# You are about to perform an *ERASE* restore. ALL DATA on the target device #
# will be IRREVERSIBLY DESTROYED. If you want to update your device without  #
# erasing the user data, hit CTRL+C now and restart without -e or --erase    #
# command line switch.                                                       #
# If you want to continue with the ERASE, please type YES and press ENTER.   #
##############################################################################
> YES
progress: 1 0.000000
Checking IPSW for required components...
All required components found in IPSW
Using cached filesystem from 'iPhone11,8,iPhone12,1_14.0_18A5351d_Restore/038-44337-083.dmg'
progress: 1 0.200000
progress: 1 0.250000
progress: 1 0.300000
progress: 1 0.500000
progress: 1 0.700000
progress: 1 0.900000
About to restore device... 
restore_is_current_device: Connected to com.apple.mobile.restored, version 15
Connecting now...
Connected to com.apple.mobile.restored, version 15
Device 00008030-1122334455667788 has successfully entered restore mode
Hardware Information:
BoardID: 4
ChipID: 32816
UniqueChipID: 1234605616436508552
ProductionMode: true
Starting FDR listener thread
Connecting to FDR client at port 1082
About to do ctrl handshake
FDR sending 89 bytes:
common.c:printing 287 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
</dict>
</plist>
FDR Sent 89 bytes
FDR Received 105 bytes
common.c:printing 334 bytes plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Command</key>
        <string>BeginCtrl</string>
        <key>CtrlProtoVersion</key>
        <integer>2</integer>
        <key>ConnPort</key>
        <integer>49166</integer>
</dict>
</plist>
Ctrl handshake done (ConnPort = 49166)
progress: 1 1.000000
FDR 0x56512c168ca0 waiting for message...
About to send RootTicket...
Sending RootTicket now...
Done sending RootTicket
Got status message
Status: Verification Error
Log is available:
[05:06:21.0301-GMT]{4>7} CHECKPOINT NOTICE: Image4 device: AP nonce clearable
entering ramrod_clear_ap_nonce
[05:06:21.0332-GMT]{4>7} CHECKPOINT NOTICE: AP nonce consumed
[05:06:21.0341-GMT]{4>7} CHECKPOINT NOTICE: Pre-existing NVRAM variable: restore-outcome=initial_monitor_no_return
[05:06:21.0354-GMT]{4>7} CHECKPOINT ANOMALY: [check_collection]auto-boot(does_not_exist)
[05:06:21.0356-GMT]{4>7} CHECKPOINT PROGRESS: START (unknown) -> (initial_engine_no_return)
[05:06:21.0356-GMT]{4>7} CHECKPOINT NOTICE: NVRAM access available on initial check
restore-anomalies = {0x00000000:[check_collection]auto-boot(does_not_exist)}
restore-outcome = initial_engine_no_return
executing /usr/sbin/nvram restore-outcome=initial_engine_no_return
[05:06:21.0784-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0400] umask
restore-step-ids = {0x11030400:1}
restore-step-names = {0x11030400:umask}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0793-GMT]{4>7} CHECKPOINT END: MAIN:[0x0400] umask
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0798-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0402] setvbuf
restore-step-ids = {0x11030402:2}
restore-step-names = {0x11030402:setvbuf}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0803-GMT]{4>7} CHECKPOINT END: MAIN:[0x0402] setvbuf
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0808-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {0x11030403:3}
restore-step-names = {0x11030403:kernel_logger_thread}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0814-GMT]{4>7} CHECKPOINT END: MAIN:[0x0403] kernel_logger_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 7
restore-step-user-progress = -1
[05:06:21.0819-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0406] set_progress_0
restore-step-ids = {0x11030406:4}
restore-step-names = {0x11030406:set_progress_0}
restore-step-uptime = 7
restore-step-user-progress = -1
unable to get display list
unable to get framebuffer
No framebuffer but an internal display. Ok on bridge but weird anywhere else.
ramrod_display_set_granular_progress_forced: 0.000000
[05:06:27.0456-GMT]{4>7} CHECKPOINT END: MAIN:[0x0406] set_progress_0
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0461-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {0x11030407:5}
restore-step-names = {0x11030407:start_gasgauge_thread}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0470-GMT]{4>7} CHECKPOINT WARNING: MAIN:[0x0407] gasgauge_start_update_thread failed: -1
[05:06:27.0472-GMT]{4>7} CHECKPOINT END: MAIN:[0x0407] start_gasgauge_thread
restore-step-ids = {}
restore-step-names = {}
restore-step-warnings = {0x11060407:{0:"gasgauge_start_update_thread failed: -1"}}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0479-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {0x11030408:6}
restore-step-names = {0x11030408:listen_for_log_client}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0490-GMT]{4>7} CHECKPOINT END: MAIN:[0x0408] listen_for_log_client
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0495-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040D] create_listen_socket
restore-step-ids = {0x1103040D:7}
restore-step-names = {0x1103040D:create_listen_socket}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0500-GMT]{4>7} CHECKPOINT END: MAIN:[0x040D] create_listen_socket
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0504-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0404] update_root_mount
restore-step-ids = {0x11030404:8}
restore-step-names = {0x11030404:update_root_mount}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0534-GMT]{4>7} CHECKPOINT END: MAIN:[0x0404] update_root_mount
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0539-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x0405] disable_watchdog
restore-step-ids = {0x11030405:9}
restore-step-names = {0x11030405:disable_watchdog}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0547-GMT]{4>7} CHECKPOINT END: MAIN:[0x0405] disable_watchdog
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 13
restore-step-user-progress = 0
[05:06:27.0552-GMT]{4>7} CHECKPOINT BEGIN: MAIN:[0x040E] enable_usb
restore-step-ids = {0x1103040E:10}
restore-step-names = {0x1103040E:enable_usb}
restore-step-uptime = 13
restore-step-user-progress = 0
waiting for matching IOKit service: {
    IOProviderClass = AppleUSBDeviceMux;
}
[05:06:30.0657-GMT]{4>7} CHECKPOINT END: MAIN:[0x040E] enable_usb
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 16
restore-step-user-progress = 0
waiting for host to trigger start of restore [timeout of 120 seconds]
recv(9, 4) failed: connection closed
unable to read message size: -1
could not receive message
recv(9, 4) failed: connection closed
unable to read message size: -1
could not receive message
[05:06:57.0050-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0600] client_protocol_version
restore-step-ids = {0x11030600:11}
restore-step-names = {0x11030600:client_protocol_version}
restore-step-uptime = 43
restore-step-user-progress = 0
client protocol version 15
[05:06:57.0058-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0600] client_protocol_version
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0063-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0601] copy_restore_options
restore-step-ids = {0x11030601:12}
restore-step-names = {0x11030601:copy_restore_options}
restore-step-uptime = 43
restore-step-user-progress = 0
unable to open /usr/local/share/restore//options.n104.plist: No such file or directory
0: NSPOSIXErrorDomain/2: create_dictionary_from_plist: unable to open plist
unable to open /usr/local/share/restore//options.plist: No such file or directory
0: NSPOSIXErrorDomain/2: create_dictionary_from_plist: unable to open plist
*** UUID C3DF5C29-6CAF-DD6B-CB4E-337AA2EE863B ***
Restore options:
        PersonalizedDuringPreflight    => <CFBoolean 0x10260dc00 [0x10260c1b8]>{value = true}
        CreateFilesystemPartitions     => <CFBoolean 0x10260dc00 [0x10260c1b8]>{value = true}
        UUID                           => <CFString 0x12c807d90 [0x10260c1b8]>{contents = "C3DF5C29-6CAF-DD6B-CB4E-337AA2EE863B"}
[05:06:57.0086-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0601] copy_restore_options
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0091-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0655] is_host_compatible
restore-step-ids = {0x11030655:13}
restore-step-names = {0x11030655:is_host_compatible}
restore-step-uptime = 43
restore-step-user-progress = 0
Checkpoint engine recorder path set to /mnt5
[05:06:57.0098-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0655] is_host_compatible
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0104-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0604] set_weight_from_options
restore-step-ids = {0x11030604:14}
restore-step-names = {0x11030604:set_weight_from_options}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0114-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0604] set_weight_from_options
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0120-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x068F] libauthinstall_callback
restore-step-ids = {0x1103068F:15}
restore-step-names = {0x1103068F:libauthinstall_callback}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0128-GMT]{4>7} CHECKPOINT END: RESTORED:[0x068F] libauthinstall_callback
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0133-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0608] device_has_hoover
restore-step-ids = {0x11030608:16}
restore-step-names = {0x11030608:device_has_hoover}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0141-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0608] device_has_hoover
restore-step-ids = {}
restore-step-names = {}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0145-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x060B] update_ticket
restore-step-ids = {0x1103060B:17}
restore-step-names = {0x1103060B:update_ticket}
restore-step-uptime = 43
restore-step-user-progress = 0
entering ramrod_ticket_update_verify
looking up boot manifest hash
device tree ticket_hash: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
crypto-hash-method found. Using SHA2-384
computed ticket_hash   : 5118EA8F39FF61D152BA7E1F92591910CDE7A2B09B867D8D58DC37E2CDC0B7C98DD296D4BF57862D143413DD17012D70
failed to update ticket: 3
0: RamrodErrorDomain/3: ramrod_ticket_update_verify: invalid ticket
unable to convert ramrod error 3
[05:06:57.0183-GMT]{4>7} CHECKPOINT FAILURE:(FAILURE:-1) RESTORED:[0x060B] update_ticket [0]D(failed to request root ticket)
restore-step-results = {0x1107060B:{0:-1}}
restore-step-codes = {0x1107060B:{0:-1}}
restore-step-domains = {0x1107060B:{0:"AMRestoreErrorDomain"}}
restore-step-error = {0x1107060B:"[0]D(failed to request root ticket)"}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0192-GMT]{4>7} CHECKPOINT NOTICE: (NVRAM set) restore-step-user-progress=0 [sync=true] (first failure)
[05:06:57.0193-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x067C] cleanup_boot_command
restore-step-ids = {0x1103060B:17;0x1103067C:18}
restore-step-names = {0x1103060B:update_ticket;0x1103067C:cleanup_boot_command}
restore-step-uptime = 43
restore-step-user-progress = 0
entering reset_boot_command_if_value
executing /usr/sbin/nvram -d recovery-boot-mode
recovery-boot-mode
[05:06:57.0631-GMT]{4>7} CHECKPOINT END: RESTORED:[0x067C] cleanup_boot_command
restore-step-ids = {0x1103060B:17}
restore-step-names = {0x1103060B:update_ticket}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0638-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x1613] cleanup_recovery_os_volume
restore-step-ids = {0x1103060B:17;0x11031613:19}
restore-step-names = {0x1103060B:update_ticket;0x11031613:cleanup_recovery_os_volume}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0643-GMT]{4>7} CHECKPOINT END: RESTORED:[0x1613] cleanup_recovery_os_volume
restore-step-ids = {0x1103060B:17}
restore-step-names = {0x1103060B:update_ticket}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0649-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0647] cleanup_check_result
restore-step-ids = {0x1103060B:17;0x11030647:20}
restore-step-names = {0x1103060B:update_ticket;0x11030647:cleanup_check_result}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0655-GMT]{4>7} CHECKPOINT END: RESTORED:[0x0647] cleanup_check_result
restore-step-ids = {0x1103060B:17}
restore-step-names = {0x1103060B:update_ticket}
restore-step-uptime = 43
restore-step-user-progress = 0
[05:06:57.0660-GMT]{4>7} CHECKPOINT BEGIN: RESTORED:[0x0648] cleanup_send_final_status
restore-step-ids = {0x1103060B:17;0x11030648:21}
restore-step-names = {0x1103060B:update_ticket;0x11030648:cleanup_send_final_status}
restore-step-uptime = 43
restore-step-user-progress = 0

ERROR: Unable to successfully restore device

FDR 0x56512c168ca0 timeout waiting for command
FDR 0x56512c168ca0 waiting for message...
No data to read (timeout)
FDR 0x56512c168ca0 terminating...
ERROR: Unable to restore device

@asdfugil
Author

asdfugil commented Mar 4, 2022

nvm, I'm stupid. Looking at the logs: qemu-system-aarch64: t8030_memory_setup: Failed to read ticket from file ticket-filename=root_ticket.der. Let me see if I can fix this.

@asdfugil
Author

asdfugil commented Mar 4, 2022

root_ticket.der does exist, but it appears to be invalid?
I think something is broken. Also the sha256 hash of the ticket created with the provided shsh2 is f05a1cc90204de78aa6ec5f631033fed41338760d1fb7e72a75eb400d65ebbe2

@TrungNguyen1909
Owner

qemu doesn't parse the ticket; it simply sets the boot-manifest-hash after hashing the ticket.

@asdfugil
Author

asdfugil commented Mar 4, 2022

OK, I did something wrong after all:
ticket-filename=ticket-filename=/home/nick/vm_images/t8030/root_ticket.der
There are two ticket-filename= prefixes.
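The two comments above describe the whole failure path: the emulator hashes whatever file the ticket-filename machine property names and publishes that digest as boot-manifest-hash, and restored later compares it with the SHA2-384 of the RootTicket it receives (the device-tree value in the log was all zeros because the property was mangled into ticket-filename=ticket-filename=... and no file was read). The script below is an added example, not code from qemu-t8030 or idevicerestore: it parses the -M property string, rejects the duplicated-prefix mistake, and reproduces the hash comparison so the three outcomes seen in this thread (no ticket hashed, wrong ticket, matching ticket) can be told apart before a restore is attempted. Assumptions, labelled in the code: the emulator's digest is a plain SHA-384 over the raw file bytes (inferred from the owner's description and the "Using SHA2-384" log line), the property parser ignores QEMU's ",," comma escaping, and the ticket bytes are a constructed placeholder rather than a real Image4 manifest.

```python
import hashlib

# Constructed stand-in for root_ticket.der; a real ticket is an Image4 (DER) manifest.
SAMPLE_TICKET = b"\x30\x82\x00\x20constructed-root-ticket-placeholder"

# What the device tree reported in the thread: 48 zero bytes, i.e. no ticket was hashed.
ZERO_HASH_HEX = "00" * 48


def parse_machine_props(spec):
    """Split a QEMU -M/-machine value ("t8030,key=val,...") into a dict.

    Simplification (assumption): QEMU's ",," escaping of commas is ignored.
    A value that starts with its own "key=" again, like the
    'ticket-filename=ticket-filename=/path' seen in the thread, is rejected.
    """
    parts = spec.split(",")
    props = {"type": parts[0]}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError("machine property without a value: %r" % part)
        key, value = part.split("=", 1)
        if value.startswith(key + "="):
            raise ValueError("duplicated key prefix in machine property: %r" % part)
        props[key] = value
    return props


def ticket_hash(ticket_bytes):
    """SHA2-384 over the raw ticket bytes, upper-case hex as the restored log prints it.

    Assumption: this is the digest the emulator publishes as boot-manifest-hash,
    per the owner's comment and the log line 'crypto-hash-method found. Using SHA2-384'.
    """
    return hashlib.sha384(ticket_bytes).hexdigest().upper()


def verify_ticket(device_tree_hash_hex, ticket_bytes):
    """Mirror the comparison ramrod_ticket_update_verify makes and explain a failure.

    Returns (ok, reason).
    """
    expected = device_tree_hash_hex.upper()
    computed = ticket_hash(ticket_bytes)
    if expected == ZERO_HASH_HEX:
        return False, ("device tree boot-manifest-hash is all zeros: the emulator never "
                       "hashed a ticket, so check the ticket-filename machine property")
    if computed != expected:
        return False, "hash mismatch: the ticket sent by idevicerestore is not the one the emulator booted with"
    return True, "ticket hash matches the device tree"


def check_boot_config(machine_spec, ticket_bytes, device_tree_hash_hex):
    """End-to-end triage: parse the -M string, then verify the ticket the way restored does."""
    try:
        props = parse_machine_props(machine_spec)
    except ValueError as err:
        return False, "bad machine property: %s" % err
    if "ticket-filename" not in props:
        return False, "ticket-filename is missing from the machine properties"
    return verify_ticket(device_tree_hash_hex, ticket_bytes)


if __name__ == "__main__":
    good_spec = "t8030,trustcache-filename=038-44135-124.dmg.trustcache.out,ticket-filename=root_ticket.der"
    bad_spec = "t8030,ticket-filename=ticket-filename=/home/nick/vm_images/t8030/root_ticket.der"
    print(check_boot_config(bad_spec, SAMPLE_TICKET, ZERO_HASH_HEX))
    print(check_boot_config(good_spec, SAMPLE_TICKET, ZERO_HASH_HEX))
    print(check_boot_config(good_spec, SAMPLE_TICKET, ticket_hash(SAMPLE_TICKET)))
```

To use it against a real setup, replace SAMPLE_TICKET with the bytes of the root_ticket.der given to idevicerestore and paste the "device tree ticket_hash" value from the restore log as device_tree_hash_hex; an all-zero value points at the emulator's command line, a non-zero mismatch points at two different ticket files.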

@TrungNguyen1909
Owner

No, there is a bug in QEMU that broke hashing somewhere...

asdfugil changed the title from "ERROR: Unable to find any build identities" to "RootTicket verification error" on Mar 4, 2022
@TrungNguyen1909
Owner

I pushed a patch

@asdfugil
Author

asdfugil commented Mar 4, 2022

Restoring. It fixed the problem. Will not close the issue until a successful restore.

@asdfugil
Author

asdfugil commented Mar 4, 2022

!!!

FDR Sent 52 bytes
FDR 0x7f760c0010a0 waiting for message...
ERROR: Unable to receive message from FDR 0x7f760c0010a0 (-2). 0/2 bytes
FDR 0x7f760c0010a0 terminating...
Modifying persistent boot-args (25)
Requesting EAN Data (74)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Unmounting filesystems (29)
Got status message
Status: Restore Finished
FDR 0x561791fabe20 terminating...
Cleaning up...
DONE
progress: 6 1.000000

@asdfugil asdfugil closed this as completed Mar 4, 2022
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is previously filled in RAM. An I/O access to the
device (frames #22 to #16) starts the DMA engine (frame #13). The
engine fetches the descriptor and executes the request, which itself
accesses the SDHCI I/O registers (frames #1 and #0), triggering a
re-entrancy issue.

Fix by prohibiting transactions from the DMA to devices. The DMA engine
is thus restricted to memories.

Reported-by: OSS-Fuzz (Issue 36391)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Message-Id: <20211215205656.488940-3-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

  0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
  allocated by thread T0 here:
      #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
      #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
      #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
  Shadow bytes around the buggy address:
    0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:       fa
    Freed heap region:       fd
  ==447470==ABORTING
  Broken pipe
  ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211215205656.488940-4-philmd@redhat.com>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <thuth@redhat.com>