Patch eap.o memory leak (#8566)

* Patch eap.o memory leak WiFi Enterprise option can leak up to 3 allocations per connect/disconnect cycle: anonymous Identity, password, and some unidentified allocation. This solution patches eap.o from libwpa2 to call a special 2 part wrapper instead of vPortFree for cleanup. Corrected typos and adjusted tabs in script. Added script eval_fix_sdks.sh to aid in evaluating similarity between patch sections of .o files being patched across different SDKs. * Add some dev debug code and improve comments * Patch eap.o memory leak WiFi Enterprise option can leak up to 3 allocations per connect/disconnect cycle: anonymous Identity, password, and some unidentified allocation. This solution patches eap.o from libwpa2 to call a special 2 part wrapper instead of vPortFree for cleanup. Corrected typos and adjusted tabs in script. Added script eval_fix_sdks.sh to aid in evaluating similarity between patch sections of .o files being patched across different SDKs. * Add some dev debug code and improve comments
2025-06-12 01:53:07 +03:00 · 2022-06-02 14:48:28 -07:00
parent 5f2af1945b
commit 9e2103f27e
12 changed files with 317 additions and 5 deletions
--- a/tools/sdk/lib/NONOSDK221/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK221/libwpa2.a
--- a/tools/sdk/lib/NONOSDK22x_190313/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK22x_190313/libwpa2.a
--- a/tools/sdk/lib/NONOSDK22x_190703/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK22x_190703/libwpa2.a
--- a/tools/sdk/lib/NONOSDK22x_191024/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK22x_191024/libwpa2.a
--- a/tools/sdk/lib/NONOSDK22x_191105/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK22x_191105/libwpa2.a
--- a/tools/sdk/lib/NONOSDK22x_191122/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK22x_191122/libwpa2.a
--- a/tools/sdk/lib/NONOSDK3V0/libwpa2.a
+++ b/tools/sdk/lib/NONOSDK3V0/libwpa2.a
--- a/tools/sdk/lib/eval_fix_sdks.sh
+++ b/tools/sdk/lib/eval_fix_sdks.sh
@ -0,0 +1,117 @@
+#!/bin/bash
+# set -e
+
+add_path_ifexist() {
+  if [[ -d $1 ]]; then
+    export PATH=$( realpath $1 ):$PATH
+    return 0
+  fi
+  return 1
+}
+
+if ! which xtensa-lx106-elf-ar | grep "tools/xtensa-lx106-elf/bin" >>/dev/null; then
+  add_path_ifexist "../../../xtensa-lx106-elf/bin" || add_path_ifexist "../../xtensa-lx106-elf/bin"
+fi
+
+help_msg() {
+  cat <<EOF
+Try:
+  eval_fix_sdks.sh --analyze
+or
+  eval_fix_sdks.sh --patch
+
+EOF
+}
+
+list_sdks() {
+  cat <<EOF
+NONOSDK22x_190313
+NONOSDK22x_190703
+NONOSDK22x_191024
+NONOSDK22x_191105
+NONOSDK22x_191122
+NONOSDK221
+NONOSDK3V0
+EOF
+}
+
+remove_ifexist() {
+  [[ -f $1 ]] && rm $1
+}
+
+cleanup() {
+  remove_ifexist old.txt
+  remove_ifexist old2.txt
+  remove_ifexist new.txt
+  for sdk in `list_sdks`; do
+    remove_ifexist $sdk/eap.o
+  done
+}
+
+unasm() {
+  xtensa-lx106-elf-objdump -d $*
+}
+
+analyze() {
+  cleanup
+
+  for sdk in `list_sdks`; do
+    pushd $sdk
+    xtensa-lx106-elf-ar x libwpa2.a eap.o
+    popd
+  done
+  echo ""
+
+  find . -name eap.o -exec md5sum {} \; | sort
+  echo ""
+
+  unset prev_sdk
+  for sdk in `list_sdks`; do
+    unasm -j ".text.eap_peer_config_deinit" ${sdk}/eap.o >new.txt
+    if [[ -f old.txt ]]; then
+      echo "eap_peer_config_deinit: diff $prev_sdk $sdk"
+      diff old.txt new.txt
+      echo ""
+    fi
+    mv new.txt old.txt
+    prev_sdk=${sdk}
+  done
+
+  unset prev_sdk
+  for sdk in `list_sdks`; do
+    unasm -j ".text.wpa2_sm_rx_eapol" ${sdk}/eap.o >new.txt
+    if [[ -f old2.txt ]]; then
+      echo "wpa2_sm_rx_eapol: diff $prev_sdk $sdk"
+      diff old2.txt new.txt
+      echo ""
+    fi
+    mv new.txt old2.txt
+    prev_sdk=${sdk}
+  done
+
+  # Find offsets for patching vPortFree with z2EapFree
+  for sdk in `list_sdks`; do
+    echo -en "\n${sdk}/eap.o:\n  "
+    grep --byte-offset --only-matching --text vPortFree ${sdk}/eap.o
+  done
+
+  cleanup
+}
+
+
+patch_all() {
+  for sdk in `list_sdks`; do
+    pushd $sdk
+    ../fix_sdk_libs.sh
+    popd
+  done
+}
+
+if [[ "${1}" == "--analyze" ]]; then
+  analyze
+elif [[ "${1}" == "--patch" ]]; then
+  patch_all
+else
+  help_msg
+fi
+exit 0
--- a/tools/sdk/lib/fix_sdk_libs.sh
+++ b/tools/sdk/lib/fix_sdk_libs.sh
@ -1,7 +1,19 @@
 #!/bin/bash
 set -e

-export PATH=../../../xtensa-lx106-elf/bin:$PATH
+add_path_ifexist() {
+	if [[ -d $1 ]]; then
+		export PATH=$( realpath $1 ):$PATH
+		return 0
+	fi
+	return 1
+}
+
+if ! which xtensa-lx106-elf-ar | grep "tools/xtensa-lx106-elf/bin" >>/dev/null; then
+	add_path_ifexist "../../../xtensa-lx106-elf/bin" || add_path_ifexist "../../xtensa-lx106-elf/bin"
+fi
+WORK_SPACE=${PWD}
+
 VERSION=$(basename ${PWD})

 addSymbol_system_func1() {
@ -18,14 +30,30 @@ patchFile() {
 	EXPECTED=$4
 	REPLACEWITH=$5
 	if [[ "$(dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$EXPECTED" ]]; then
-		echo "Patching $1..."
+		echo "Patching  $VERSION $1 ..."
 		echo $5 | base64 -d | dd of=$FILE bs=1 count=$LENGTH seek=$ADDRESS conv=notrunc
 	elif ! [[ "$(dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0)" = "$REPLACEWITH" ]]; then
 		echo "PATCH FAILED!"
-		exit 0
+		echo "dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0"
+		dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | hexdump -C
+		dd if=$FILE bs=1 count=$LENGTH skip=$ADDRESS status=none | base64 -w0
+		echo ""
+		exit 1
 	fi
 }

+# # xtensa-lx106-elf-ar x libwpa2.a eap.o
+if [[ "--shell" == "$1" ]]; then
+	# need to poke around a bit
+	bash --rcfile <(echo ". ~/.bashrc; cd ${WORK_SPACE}")
+	exit 0
+fi
+
+if [[ ! -f libmain.a ]]; then
+	echo -e "\n\n*** Archive libmain.a is missing ***\n\n"
+	exit 1
+fi
+
 # Remove mem_manager.o from libmain.a to use custom heap implementation,
 # and time.o to fix redefinition of time-related functions:
 xtensa-lx106-elf-ar d libmain.a mem_manager.o
@ -44,15 +72,19 @@ xtensa-lx106-elf-objcopy --redefine-sym hostname=wifi_station_hostname eagle_lwi
 xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname user_interface.o
 xtensa-lx106-elf-objcopy --redefine-sym default_hostname=wifi_station_default_hostname eagle_lwip_if.o

+
 if [[ ${VERSION} == "NONOSDK221" ]]; then
 	addSymbol_system_func1 "0x60"
 	patchFile "eap.o" "3055" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
+	patchFile "eap.o" "26352" "9" "dlBvcnRGcmVl" "ejJFYXBGcmVl"   # special vPortFree to recover leaked memory
 elif [[ ${VERSION} == "NONOSDK22x"* ]]; then
 	addSymbol_system_func1 "0x54"
 	patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
+	patchFile "eap.o" "26356" "9" "dlBvcnRGcmVl" "ejJFYXBGcmVl"   # special vPortFree to recover leaked memory
 elif [[ ${VERSION} == "NONOSDK3"* ]]; then
 	addSymbol_system_func1 "0x60"
 	patchFile "eap.o" "3059" "2" "wAA=" "8CA=" # WPA2-Enterprise patch which replaces a double-free with nop, see #8082
+	patchFile "eap.o" "26356" "9" "dlBvcnRGcmVl" "ejJFYXBGcmVl"   # special vPortFree to recover leaked memory
 else
 	echo "WARN: Unknown address for system_func1() called by system_restart_local()"
 fi
@ -64,4 +96,3 @@ if [[ $(sha256sum user_interface.o | awk '{print $1}') != $uics || $(sha256sum e
 	xtensa-lx106-elf-ar r libmain.a eagle_lwip_if.o user_interface.o
 fi
 rm -f eagle_lwip_if.o user_interface.o eap.o
-