From 0a5a024dc84a81a34dff585028ce177a530e76ea Mon Sep 17 00:00:00 2001
From: backslashxx <118538522+backslashxx@users.noreply.github.com>
Date: Thu, 12 Jun 2025 14:30:52 +0800
Subject: [PATCH] kernel: throne_tracker: avoid cross-fs traversal using s_magic check (#2633)

Skip directories that does NOT have the same magic as /data/app. This is to avoid scanning incfs and any other stacked filesystems. While this is way dumber, it's way cheaper. no kern_path(), no missable path_put(), no ref handling. This supercedes `throne_tracker: avoid cross fs access (https://github.com/tiann/KernelSU/pull/2626)` - upstream https://github.com/tiann/KernelSU/commit/0b6998b474ed00610bbf2d6679f853cef07af3b8

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
---
 kernel/throne_tracker.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c
index f47b13b3..54662a73 100644
--- a/kernel/throne_tracker.c
+++ b/kernel/throne_tracker.c
@@ -217,7 +217,8 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 int i, stop = 0;
 struct list_head data_path_list;
 INIT_LIST_HEAD(&data_path_list);
-
+ unsigned long data_app_magic = 0;
+
 // Initialize APK cache list
 struct apk_path_hash *pos, *n;
 list_for_each_entry(pos, &apk_path_hash_list, list) {
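Review bot: `data_app_magic` is a sentinel (0 = not yet captured) that records only the filesystem type of the first directory opened, and nothing at the declaration says so; a one-line comment would help, `unsigned long data_app_magic = 0; /* s_magic of the first dir opened (/data/app); 0 = not captured yet */`. Because the comparison in the following hunk tests only `s_magic`, a separate mount of the same filesystem type placed under the scanned tree would, as far as that check shows, still be traversed. If a stricter guard is wanted at the same cost, the variable could hold the superblock itself, `struct super_block *data_app_sb = NULL;`, and the check in the next hunk would become a pointer comparison against `file->f_inode->i_sb`; the commit message deliberately chooses the simpler type check, so treat this as a suggestion rather than a defect. search_manager's body continues outside this hunk.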
@@ -248,6 +249,24 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file));
 goto skip_iterate;
 }
+
+ // grab magic on first folder, which is /data/app
+ if (!data_app_magic) {
+ if (file->f_inode->i_sb->s_magic) {
+ data_app_magic = file->f_inode->i_sb->s_magic;
+ pr_info("%s: dir: %s got magic! 0x%lx\n", __func__, pos->dirpath, data_app_magic);
+ } else {
+ filp_close(file, NULL);
+ goto skip_iterate;
+ }
+ }
+
+ if (file->f_inode->i_sb->s_magic != data_app_magic) {
+ pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n", __func__, pos->dirpath,
+ file->f_inode->i_sb->s_magic, data_app_magic);
+ filp_close(file, NULL);
+ goto skip_iterate;
+ }
 iterate_dir(file, &ctx.ctx);
 filp_close(file, NULL);