From 0a13055e9bdd3e4a422afa683cedad6a7194b4c2 Mon Sep 17 00:00:00 2001
From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
Date: Sun, 5 Oct 2025 18:59:12 +0800
Subject: [PATCH] KernelSU: Attempted to fix new prctl side channel detection

- A more aggressive prctl side channel is already implemented by cimb octo app and this is found by backslashxx (https://github.com/backslashxx/)
- The fix is easy same as the one implemented for sus_su by checking the TIF_PROC_UMOUNTED bit in current->thread_info.flags in the very beginning of ksu_handle_prctl()
- Also we need make sure to explicitly check for ksu manager uid in ksu_handle_setuid() before checking for normal user app since ksu maanger app uid is excluded in allow_list_arr which ksu_uid_should_umount(manager_uid) will always return true

Co-authored-by: simonpunk
---
 kernel/core_hook.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 32eb7d5c..588ddb96 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -78,7 +78,7 @@ extern bool susfs_is_log_enabled __read_mostly;
 static bool susfs_is_umount_for_zygote_system_process_enabled = false;
 static bool susfs_is_umount_for_zygote_iso_service_enabled = false;
 extern bool susfs_hide_sus_mnts_for_all_procs;
-//extern void susfs_reorder_mnt_id(void);
+extern void susfs_reorder_mnt_id(void);
 #endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
 #ifdef CONFIG_KSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT
 extern bool susfs_is_auto_add_sus_bind_mount_enabled;
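Review bot: The re-enabled declaration `extern void susfs_reorder_mnt_id(void);` is not mentioned in the commit message and no caller appears in this patch, so the reason for un-commenting it cannot be recovered from the diff; a short comment on the line, or a sentence in the description, would record why it is needed now. If nothing in core_hook.c calls it, the declaration is merely unused; if something does, confirm the definition is compiled under the same CONFIG_KSU_SUSFS_SUS_MOUNT guard that encloses this declaration (see the `#endif` two lines below), otherwise the link fails when that option is off.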
@@ -494,6 +494,15 @@ static void init_uid_scanner(void)
 int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 unsigned long arg4, unsigned long arg5)
 {
+
+#ifdef CONFIG_KSU_SUSFS
+ // - We straight up check if process is supposed to be umounted, return 0 if so
+ // - This is to prevent side channel attack as much as possible
+ if (likely(susfs_is_current_proc_umounted())) {
+ return 0;
+ }
+#endif
+
 // if success, we modify the arg5 as result!
 u32 *result = (u32 *)arg5;
 u32 reply_ok = KERNEL_SU_OPTION;
@@ -1523,6 +1532,15 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 goto do_umount;
 }
 
+ // - Since ksu maanger app uid is excluded in allow_list_arr, so ksu_uid_should_umount(manager_uid)
+ // will always return true, that's why we need to explicitly check if new_uid.val belongs to
+ // ksu manager
+ if (ksu_is_manager_uid_valid() &&
+ (new_uid.val % 1000000 == ksu_get_manager_uid())) // % 1000000 in case it is private space uid
+ {
+ return 0;
+ }
+
 // Check if spawned process is normal user app and needs to be umounted
 if (likely(is_zygote_normal_app_uid(new_uid.val) && ksu_uid_should_umount(new_uid.val))) {
 goto do_umount;
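Review bot: The new early return in ksu_handle_prctl is only effective while it stays ahead of the first write through arg5 — `u32 *result = (u32 *)arg5;` just below is where the handler starts producing the reply an observer can detect — and nothing in the code pins that ordering; a comment such as `// Must stay before any write through arg5: the reply itself is the side channel` would protect it against later insertions above it. Returning 0 here presumably matches the "not a KSU request" path so the hooked prctl behaves like an ordinary one for an umounted process; if that is the contract, say so in the comment rather than only "return 0 if so". The `likely()` hint claims most prctl callers are umounted processes, which may not hold on a device with few user apps; if it was copied from the sus_su path rather than measured, consider dropping it. ksu_handle_prctl continues past the end of the hunk.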
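Review bot: The modulus in the manager-uid comparison in ksu_handle_setuid looks off by a factor of ten: Android derives a uid as `user_id * 100000 + app_id`, so `% 1000000` strips the user id only when it happens to be 10 — for a profile at user 11 a uid of 1110123 % 1000000 gives 110123, not the manager's app id, and the manager would fall through to the umount check the commit is trying to avoid. Unless this project defines the per-user offset differently, the condition should read `(new_uid.val % 100000 == ksu_get_manager_uid())`, with the trailing comment updated to match. The comment above it also misspells "manager" as `maanger`. ksu_handle_setuid starts before this hunk and continues after it.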