kernel: Fixed potential null pointer issue with current->mm in kernel version 5.10

When calling get_full_comm() within system call hooks, current->mm may be null (prctl). A fallback mechanism for current->comm must be added beforehand to prevent null pointer dereferences when accessing mm->arg_start/arg_end.

Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>

kernel/manual_su.c

@@ -119,9 +119,12 @@ static char* ksu_generate_auth_token(void)
             token_buffer[i] = '0' + (rand_byte % 10);
         }
     }
-    token_buffer[KSU_TOKEN_LENGTH] = '\0';
     
-    strncpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+		strscpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
+#else
+		strlcpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
+#endif
     auth_tokens[token_count].expire_time = jiffies + KSU_TOKEN_EXPIRE_TIME * HZ;
     auth_tokens[token_count].used = false;
     token_count++;
@@ -200,7 +203,12 @@ static int handle_token_generation(struct manual_su_request *request)
         return -ENOMEM;
     }
 
-    strncpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+		strscpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
+#else
+		strlcpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
+#endif
+
     pr_info("manual_su: auth token generated successfully\n");
     return 0;
 }
@@ -209,6 +217,16 @@ static int handle_escalation_request(struct manual_su_request *request)
 {
     uid_t target_uid = request->target_uid;
     pid_t target_pid = request->target_pid;
+    struct task_struct *tsk;
+    
+    rcu_read_lock();
+    tsk = pid_task(find_vpid(target_pid), PIDTYPE_PID);
+    if (!tsk || ksu_task_is_dead(tsk)) {
+        rcu_read_unlock();
+        pr_err("cmd_su: PID %d is invalid or dead\n", target_pid);
+        return -ESRCH;
+    }
+    rcu_read_unlock();
     
     if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid(current_uid().val))
         goto allowed;

kernel/manual_su.h

@@ -9,6 +9,8 @@
 #define mmap_lock mmap_sem
 #endif
 
+#define ksu_task_is_dead(t) ((t)->exit_state != 0)
+
 #define MAX_PENDING 16
 #define REMOVE_DELAY_CALLS 150
 #define MAX_TOKENS 10

kernel/sucompat.c

@@ -192,8 +192,10 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 	
 #if __SULOG_GATE
 	ksu_sulog_report_syscall(current_uid().val, NULL, "execve", filename->name);
+#ifndef CONFIG_KSU_SUSFS_SUS_SU
 	bool is_allowed = ksu_is_allow_uid(current_uid().val);
 #endif
+#endif
 
 #ifndef CONFIG_KSU_SUSFS_SUS_SU
 

kernel/sulog.c

@@ -9,6 +9,7 @@
 #include <linux/workqueue.h>
 #include <linux/cred.h>
 #include <linux/sched.h>
+#include <linux/mm.h>
 #include <linux/mutex.h>
 #include <linux/spinlock.h>
 #include <linux/crc32.h>
@@ -42,48 +43,48 @@ static void get_timestamp(char *buf, size_t len)
 		 tm.tm_hour, tm.tm_min, tm.tm_sec);
 }
 
-static void get_full_comm(char *comm_buf, size_t buf_len)
+static void ksu_get_cmdline(char *full_comm, const char *comm, size_t buf_len)
 {
-	struct mm_struct *mm;
+	char *kbuf;
-	char *cmdline = NULL;
-	unsigned long arg_start, arg_end;
-	int len;
 
-	mm = get_task_mm(current);
+	if (!full_comm || buf_len <= 0)
-	if (mm) {
+		return;
-		arg_start = mm->arg_start;
-		arg_end = mm->arg_end;
 
-		if (arg_end > arg_start) {
+	if (comm && strlen(comm) > 0) {
-			len = arg_end - arg_start;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-			if (len > 0 && len < buf_len) {
+		strscpy(full_comm, comm, buf_len);
-				cmdline = kmalloc(len + 1, GFP_ATOMIC);
+#else
-				if (cmdline) {
+		strlcpy(full_comm, comm, buf_len);
-					if (ksu_copy_from_user_retry(cmdline, (void __user *)arg_start, len) == 0) {
+#endif
-						cmdline[len] = '\0';
-						char *space = strchr(cmdline, ' ');
-						if (space) *space = '\0';
-						
-						char *slash = strrchr(cmdline, '/');
-						if (slash && *(slash + 1)) {
-							strncpy(comm_buf, slash + 1, buf_len - 1);
 	} else {
-							strncpy(comm_buf, cmdline, buf_len - 1);
+		kbuf = kmalloc(buf_len, GFP_ATOMIC);
-						}
+		if (!kbuf) {
-						comm_buf[buf_len - 1] = '\0';
+			pr_err("sulog: failed to allocate memory for kbuf\n");
-						kfree(cmdline);
-						mmput(mm);
 			return;
 		}
-					kfree(cmdline);
+
+		int n = get_cmdline(current, kbuf, buf_len);
+
+		if (n <= 0) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+			strscpy(full_comm, current->comm, buf_len);
+#else
+			strlcpy(full_comm, current->comm, buf_len);
+#endif
+		} else {
+			for (int i = 0; i < n; i++) {
+				if (kbuf[i] == '\0') kbuf[i] = ' ';
 			}
-			}
+			kbuf[n < buf_len ? n : buf_len - 1] = '\0';
-		}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-		mmput(mm);
+			strscpy(full_comm, kbuf, buf_len);
+#else
+			strlcpy(full_comm, kbuf, buf_len);
+#endif
 		}
 
-	strncpy(comm_buf, current->comm, buf_len - 1);
+		kfree(kbuf);
-	comm_buf[buf_len - 1] = '\0';
+	}
 }
 
 static bool dedup_should_print(uid_t uid, u8 type,
@@ -172,8 +173,11 @@ static void sulog_add_entry(const char *content)
 		return;
 	}
 	
-	strncpy(entry->content, content, SULOG_ENTRY_MAX_LEN - 1);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-	entry->content[SULOG_ENTRY_MAX_LEN - 1] = '\0';
+		strscpy(entry->content, content, SULOG_ENTRY_MAX_LEN - 1);
+#else
+		strlcpy(entry->content, content, SULOG_ENTRY_MAX_LEN - 1);
+#endif
 	
 	mutex_lock(&sulog_mutex);
 	list_add_tail(&entry->list, &sulog_queue);
@@ -201,12 +205,7 @@ void ksu_sulog_report_su_grant(uid_t uid, const char *comm, const char *method)
 	
 	get_timestamp(timestamp, 32);
 	
-	if (comm && strlen(comm) > 0) {
+	ksu_get_cmdline(full_comm, comm, SULOG_COMM_LEN);
-		strncpy(full_comm, comm, SULOG_COMM_LEN - 1);
-		full_comm[SULOG_COMM_LEN - 1] = '\0';
-	} else {
-		get_full_comm(full_comm, SULOG_COMM_LEN);
-	}
 	
 	snprintf(log_buf, SULOG_ENTRY_MAX_LEN,
 		"[%s] SU_GRANT: UID=%d COMM=%s METHOD=%s PID=%d\n",
@@ -242,12 +241,7 @@ void ksu_sulog_report_su_attempt(uid_t uid, const char *comm, const char *target
 	
 	get_timestamp(timestamp, 32);
 	
-	if (comm && strlen(comm) > 0) {
+	ksu_get_cmdline(full_comm, comm, SULOG_COMM_LEN);
-		strncpy(full_comm, comm, SULOG_COMM_LEN - 1);
-		full_comm[SULOG_COMM_LEN - 1] = '\0';
-	} else {
-		get_full_comm(full_comm, SULOG_COMM_LEN);
-	}
 	
 	snprintf(log_buf, SULOG_ENTRY_MAX_LEN,
 		"[%s] SU_EXEC: UID=%d COMM=%s TARGET=%s RESULT=%s PID=%d\n",
@@ -284,12 +278,7 @@ void ksu_sulog_report_permission_check(uid_t uid, const char *comm, bool allowed
 	
 	get_timestamp(timestamp, 32);
 	
-	if (comm && strlen(comm) > 0) {
+	ksu_get_cmdline(full_comm, comm, SULOG_COMM_LEN);
-		strncpy(full_comm, comm, SULOG_COMM_LEN - 1);
-		full_comm[SULOG_COMM_LEN - 1] = '\0';
-	} else {
-		get_full_comm(full_comm, SULOG_COMM_LEN);
-	}
 	
 	snprintf(log_buf, SULOG_ENTRY_MAX_LEN,
 		"[%s] PERM_CHECK: UID=%d COMM=%s RESULT=%s PID=%d\n",
@@ -324,7 +313,8 @@ void ksu_sulog_report_manager_operation(const char *operation, uid_t manager_uid
 	}
 	
 	get_timestamp(timestamp, 32);
-	get_full_comm(full_comm, SULOG_COMM_LEN);
+
+	ksu_get_cmdline(full_comm, NULL, SULOG_COMM_LEN);
 	
 	snprintf(log_buf, SULOG_ENTRY_MAX_LEN,
 		"[%s] MANAGER_OP: OP=%s MANAGER_UID=%d TARGET_UID=%d COMM=%s PID=%d\n",
@@ -360,12 +350,8 @@ void ksu_sulog_report_syscall(uid_t uid, const char *comm,
 	}
 
 	get_timestamp(timestamp, 32);
-	if (comm && strlen(comm) > 0) {
+	
-		strncpy(full_comm, comm, SULOG_COMM_LEN - 1);
+	ksu_get_cmdline(full_comm, comm, SULOG_COMM_LEN);
-		full_comm[SULOG_COMM_LEN - 1] = '\0';
-	} else {
-		get_full_comm(full_comm, SULOG_COMM_LEN);
-	}
 
 	snprintf(log_buf, SULOG_ENTRY_MAX_LEN,
 		 "[%s] SYSCALL: UID=%d COMM=%s SYSCALL=%s ARGS=%s PID=%d\n",

kernel/sulog.h

@@ -4,11 +4,7 @@
 #include <linux/types.h>
 #include <linux/version.h>
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 245)
 #define __SULOG_GATE        1
-#else
-#define __SULOG_GATE        0
-#endif
 
 #if __SULOG_GATE
 extern struct timezone sys_tz;