android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

kernel: Fixed potential null pointer issue with current->mm in kernel version 5.10

Browse Source 
When calling get_full_comm() within system call hooks, current->mm may be null (prctl). A fallback mechanism for current->comm must be added beforehand to prevent null pointer dereferences when accessing mm->arg_start/arg_end.

Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
This commit is contained in:
ShirkNeko
2025-10-27 21:54:20 +08:00
parent a21b18c5de
commit ee781cf959
4 changed files with 105 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
kernel/manual_su.c
View File

@@ -118,9 +118,12 @@ static char* ksu_generate_auth_token(void)
token_buffer[i] = '0' + (rand_byte % 10);
}
}
token_buffer[KSU_TOKEN_LENGTH] = '\0';
strncpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
strscpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
#else
strlcpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
#endif
auth_tokens[token_count].expire_time = jiffies + KSU_TOKEN_EXPIRE_TIME * HZ;
auth_tokens[token_count].used = false;
token_count++;
@@ -198,8 +201,13 @@ static int handle_token_generation(struct manual_su_request *request)
pr_err("manual_su: failed to generate token\n");
return -ENOMEM;
}
strncpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
strscpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
#else
strlcpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
#endif
pr_info("manual_su: auth token generated successfully\n");
return 0;
}
@@ -208,6 +216,16 @@ static int handle_escalation_request(struct manual_su_request *request)
{
uid_t target_uid = request->target_uid;
pid_t target_pid = request->target_pid;
struct task_struct *tsk;
rcu_read_lock();
tsk = pid_task(find_vpid(target_pid), PIDTYPE_PID);
if (!tsk || ksu_task_is_dead(tsk)) {
rcu_read_unlock();
pr_err("cmd_su: PID %d is invalid or dead\n", target_pid);
return -ESRCH;
}
rcu_read_unlock();
if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid(current_uid().val))
goto allowed;