kernel: copy filename ourself instead of getname
This commit is contained in:
weishu
@@ -20,6 +20,12 @@
|
|||||||
#define SU_PATH "/system/bin/su"
|
#define SU_PATH "/system/bin/su"
|
||||||
#define SH_PATH "/system/bin/sh"
|
#define SH_PATH "/system/bin/sh"
|
||||||
|
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
|
||||||
|
#define ksu_strncpy_from_user_nofault strncpy_from_user_nofault
|
||||||
|
#else
|
||||||
|
#define ksu_strncpy_from_user_nofault strncpy_from_unsafe_user
|
||||||
|
#endif
|
||||||
|
|
||||||
extern void escape_to_root();
|
extern void escape_to_root();
|
||||||
|
|
||||||
static void __user *userspace_stack_buffer(const void *d, size_t len)
|
static void __user *userspace_stack_buffer(const void *d, size_t len)
|
||||||
@@ -41,32 +47,27 @@ static char __user *sh_user_path(void)
|
|||||||
int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
|
int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
|
||||||
int *flags)
|
int *flags)
|
||||||
{
|
{
|
||||||
struct filename *filename;
|
|
||||||
const char su[] = SU_PATH;
|
const char su[] = SU_PATH;
|
||||||
|
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
filename = getname(*filename_user);
|
char path[sizeof(su)];
|
||||||
|
memset(path, 0, sizeof(path));
|
||||||
|
ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
|
||||||
|
|
||||||
if (IS_ERR(filename)) {
|
if (unlikely(!memcmp(path, su, sizeof(su)))) {
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
if (unlikely(!memcmp(filename->name, su, sizeof(su)))) {
|
|
||||||
pr_info("faccessat su->sh!\n");
|
pr_info("faccessat su->sh!\n");
|
||||||
*filename_user = sh_user_path();
|
*filename_user = sh_user_path();
|
||||||
}
|
}
|
||||||
|
|
||||||
putname(filename);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
||||||
{
|
{
|
||||||
// const char sh[] = SH_PATH;
|
// const char sh[] = SH_PATH;
|
||||||
struct filename *filename;
|
|
||||||
const char su[] = SU_PATH;
|
const char su[] = SU_PATH;
|
||||||
|
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||||
@@ -77,18 +78,15 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
filename = getname(*filename_user);
|
char path[sizeof(su)];
|
||||||
|
memset(path, 0, sizeof(path));
|
||||||
|
ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
|
||||||
|
|
||||||
if (IS_ERR(filename)) {
|
if (unlikely(!memcmp(path, su, sizeof(su)))) {
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
if (unlikely(!memcmp(filename->name, su, sizeof(su)))) {
|
|
||||||
pr_info("newfstatat su->sh!\n");
|
pr_info("newfstatat su->sh!\n");
|
||||||
*filename_user = sh_user_path();
|
*filename_user = sh_user_path();
|
||||||
}
|
}
|
||||||
|
|
||||||
putname(filename);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user