KernelSU: Attempted to fix new prctl side channel detection

- A more aggressive prctl side channel is already implemented by cimb octo app and this is found by backslashxx (https://github.com/backslashxx/)

- The fix is easy same as the one implemented for sus_su by checking the TIF_PROC_UMOUNTED bit in current->thread_info.flags in the very beginning of ksu_handle_prctl()

- Also we need to make sure to explicitly check for the ksu manager uid in ksu_handle_setuid() before checking for a normal user app, since the ksu manager app uid is excluded from allow_list_arr, so ksu_uid_should_umount(manager_uid) will always return true

Co-authored-by: simonpunk <simonpunk2016@gmail.com>
ShirkNeko
2025-10-05 18:59:12 +08:00
parent 80714f1c4c
commit 0a13055e9b


@@ -78,7 +78,7 @@ extern bool susfs_is_log_enabled __read_mostly;
static bool susfs_is_umount_for_zygote_system_process_enabled = false;
static bool susfs_is_umount_for_zygote_iso_service_enabled = false;
extern bool susfs_hide_sus_mnts_for_all_procs;
//extern void susfs_reorder_mnt_id(void);
extern void susfs_reorder_mnt_id(void);
#endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT
extern bool susfs_is_auto_add_sus_bind_mount_enabled;
@@ -494,6 +494,15 @@ static void init_uid_scanner(void)
int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
#ifdef CONFIG_KSU_SUSFS
// - We straight up check if process is supposed to be umounted, return 0 if so
// - This is to prevent side channel attack as much as possible
if (likely(susfs_is_current_proc_umounted())) {
return 0;
}
#endif
// if success, we modify the arg5 as result!
u32 *result = (u32 *)arg5;
u32 reply_ok = KERNEL_SU_OPTION;
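Review bot: The early return added at the top of ksu_handle_prctl() exists only under CONFIG_KSU_SUSFS, so a build without that option still reaches the KERNEL_SU_OPTION dispatch for a process that was umounted, and the comment should state that this is the only configuration the mitigation covers. The phrase "as much as possible" also hides the property that matters: the check must stay ahead of the first read of arg2/arg5 so a umounted caller takes the unhandled path for every option, not just KERNEL_SU_OPTION; I would write `// Must stay before any use of the arguments: a umounted process takes the unhandled path for every option, so no option value or reply can distinguish it.` Whether returning 0 here really yields the unhandled-prctl behaviour depends on how the caller treats the return value, which is outside the hunk, as is the rest of the function body. The `likely()` on this branch presumes most prctl callers are umounted processes, which is a guess for a hook that runs on every prctl; a plain `if` is the safer default unless the distribution has been measured.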
@@ -1523,6 +1532,15 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
goto do_umount;
}
// - Since ksu maanger app uid is excluded in allow_list_arr, so ksu_uid_should_umount(manager_uid)
// will always return true, that's why we need to explicitly check if new_uid.val belongs to
// ksu manager
if (ksu_is_manager_uid_valid() &&
(new_uid.val % 1000000 == ksu_get_manager_uid())) // % 1000000 in case it is private space uid
{
return 0;
}
// Check if spawned process is normal user app and needs to be umounted
if (likely(is_zygote_normal_app_uid(new_uid.val) && ksu_uid_should_umount(new_uid.val))) {
goto do_umount;