Enhance fdt_header validation for empty dtb

Free regex resources in plt_hook_commit
Free regex resources for registered and ignored hooks before clearing the lists.
2025-12-05 20:40:19 -08:00 · 2025-11-02 02:42:48 -08:00 · 2025-11-02 01:59:03 -08:00
2 changed files with 9 additions and 2 deletions
--- a/native/src/boot/bootimg.cpp
+++ b/native/src/boot/bootimg.cpp
@@ -279,9 +279,10 @@ static int find_dtb_offset(const uint8_t *buf, unsigned sz) {

        auto fdt_hdr = reinterpret_cast<const fdt_header *>(curr);

-        // Check that fdt_header.totalsize does not overflow kernel image size
+        // Check that fdt_header.totalsize does not overflow kernel image size or is empty dtb
+		// https://github.com/torvalds/linux/commit/7b937cc243e5b1df8780a0aa743ce800df6c68d1
        uint32_t totalsize = fdt_hdr->totalsize;
-        if (totalsize > end - curr)
+        if (totalsize > end - curr || totalsize <= 0x48)
            continue;

        // Check that fdt_header.off_dt_struct does not overflow kernel image size
--- a/native/src/core/zygisk/module.cpp
+++ b/native/src/core/zygisk/module.cpp
@@ -208,6 +208,12 @@ bool ZygiskContext::plt_hook_commit() {
    {
        mutex_guard lock(hook_info_lock);
        plt_hook_process_regex();
+        for (auto& reg: register_info) {
+            regfree(&reg.regex);
+        }
+        for (auto& ign: ignore_info) {
+            regfree(&ign.regex);
+        }
        register_info.clear();
        ignore_info.clear();
    }
Author	SHA1	Message	Date
Wang Han	c8d51b38ba	Enhance fdt_header validation for empty dtb	2025-11-02 02:42:48 -08:00
Wang Han	f741a4aeb8	Free regex resources in plt_hook_commit Free regex resources for registered and ignored hooks before clearing the lists.	2025-11-02 01:59:03 -08:00