kernel: refactor CMD_GET_FULL_VERSION to safely initialize version string (#220)

Use strscpy()/strlcpy() to populate the version buffer in CMD_GET_FULL_VERSION instead of relying on uninitialized memory. This ensures the returned string is null-terminated and avoids exposing garbage data to user space. Signed-off-by: schqiushui <orochi9999@gmail.com>
2025-06-27 00:23:12 +08:00
parent 8e192aaead
commit d0cb0cf25a
3 changed files with 37 additions and 32 deletions
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -55,8 +55,6 @@
 #include "kpm/kpm.h"
 #endif

-char ksu_version_id[KSU_MAX_VERSION_NAME] = KSU_VERSION;
-
 #ifdef CONFIG_KSU_SUSFS
 bool susfs_is_allow_su(void)
 {
@@ -410,6 +408,21 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}

+	// Allow root manager to get full version strings
+	if (arg2 == CMD_GET_FULL_VERSION) {
+		char ksu_version_full[KSU_FULL_VERSION_STRING] = {0};
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+		strscpy(ksu_version_full, KSU_VERSION_FULL, KSU_FULL_VERSION_STRING);
+#else
+		strlcpy(ksu_version_full, KSU_VERSION_FULL, KSU_FULL_VERSION_STRING);
+#endif
+		if (copy_to_user((void __user *)arg3, ksu_version_full, KSU_FULL_VERSION_STRING)) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+			return -EFAULT;
+		}
+		return 0;
+	}
+
 	if (arg2 == CMD_REPORT_EVENT) {
 		if (!from_root) {
 			return 0;
@@ -512,14 +525,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}

-	if (arg2 == CMD_GET_FULL_VERSION) {
-		if (copy_to_user(arg3, &ksu_version_id, KSU_MAX_VERSION_NAME)) {
-			pr_err("prctl reply error, cmd: %lu\n", arg2);
-		}
-
-		return 0;
-	}
-
 #ifdef CONFIG_KPM
 	// ADD: 添加KPM模块控制
 	if(sukisu_is_kpm_control_code(arg2)) {