
Conversation

backslashxx
Contributor

No description provided.

@backslashxx
Contributor Author

backslashxx commented Oct 17, 2025

this is actually one of the culprits on that prctl detection that Zimperium does.
this is probably enough for 5.10+ devices. (since they are modern ones and fast anyway)

detection is done by comparing a 0xdeadbeef call to a non-0xdeadbeef after calling near misses / branch pre-training.

@aviraxp
Collaborator

aviraxp commented Oct 17, 2025

I think it is fine. Actually after moving package parsing to /data/user, we can remove the special hack.

@backslashxx
Contributor Author

backslashxx commented Oct 17, 2025

on mine I actually had to precheck is_allow_su, but this is due to me supporting ultra legacy.
these garbage devices are so slow that I can see the time differences easily.

kernel: core_hook: harden prctl handler

@tiann
Owner

tiann commented Oct 18, 2025

How about removing lines 265 to 270?

@backslashxx
Contributor Author

backslashxx commented Oct 18, 2025

well, you will lose the 'manager on private space' feature, at least with the current throne tracker

the actual issue is on here:

KernelSU/kernel/core_hook.c, lines 256 to 257 in 1364710

```c
if (KERNEL_SU_OPTION != option) {
	return 0;
```

this creates a fast path + slow path

you call it with 0xdeadbeef and it's slower.

but this is not noticeable on newer devices.
what aggravates it, though, is those three uid checks and the division behind them before it hits the !from_root and !from_manager check

for full mitigation, something like this:

```c
int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
		     unsigned long arg4, unsigned long arg5)
{
	// if success, we modify the arg5 as result!
	u32 *result = (u32 *)arg5;
	u32 reply_ok = KERNEL_SU_OPTION;
	uid_t current_uid_val = current_uid().val;
	// declared up front: a declaration directly after a label does not compile
	bool from_root, from_manager;

	if (current_uid_val < 100000)
		goto skip_multiuser;

	// TODO: find it in throne tracker!
	uid_t manager_uid = ksu_get_manager_uid();
	if (current_uid_val != manager_uid &&
	    current_uid_val % 100000 == manager_uid) {
		ksu_set_manager_uid(current_uid_val);
	}

skip_multiuser:
	// from here on every caller does the same work, whatever option is
	from_root = !current_uid_val;
	from_manager = is_manager();

	barrier();
	if (!from_root && !from_manager) {
		// only root or manager can access this interface
		return 0;
	}

	// magic check now sits behind the uid gate, so an unprivileged caller
	// takes the same path for 0xdeadbeef and for any other option value
	if (KERNEL_SU_OPTION != option) {
		return 0;
	}

	/* ... remainder of the handler as before ... */
}
```

you keep private space support and gate the magic check behind the uid check
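As an added illustration, not KernelSU code: a user-space C model of the two orderings discussed above. Instead of wall-clock timing it counts the privilege-check work each call performs, which is what a 0xdeadbeef vs. non-0xdeadbeef timing comparison ultimately observes; the `model_` names and the manager uid are constructed for the example.

```c
#include <stdbool.h>
#include <sys/types.h>

#define MODEL_MAGIC 0xdeadbeefu  /* stands in for KERNEL_SU_OPTION */
#define MODEL_MANAGER_UID 10123  /* constructed manager app uid */

/* Work units spent on privilege checks in the last call; a proxy for the
 * execution time a userspace probe would measure. */
static int model_work;

static bool model_is_manager(uid_t uid) { model_work++; return uid == MODEL_MANAGER_UID; }

/* Ordering of the referenced lines 256-257: magic check comes first. */
static int model_prctl_old(unsigned int option, uid_t uid)
{
	model_work = 0;
	if (option != MODEL_MAGIC)
		return 0;			/* fast path: no uid work at all */
	if (uid >= 100000)			/* multiuser: the modulo costs time */
		model_work++;
	bool from_root = uid == 0;
	bool from_manager = model_is_manager(uid);
	if (!from_root && !from_manager)
		return 0;			/* slow path: same caller, magic option */
	return 1;
}

/* Hardened ordering proposed in the thread: uid gate before the magic check. */
static int model_prctl_new(unsigned int option, uid_t uid)
{
	model_work = 0;
	if (uid >= 100000)
		model_work++;
	bool from_root = uid == 0;
	bool from_manager = model_is_manager(uid);
	if (!from_root && !from_manager)
		return 0;			/* every unprivileged call ends here */
	if (option != MODEL_MAGIC)
		return 0;
	return 1;
}

/* Work-count difference an unprivileged caller observes between a magic and a
 * non-magic call; 0 means the two calls are indistinguishable by this proxy. */
static int model_leak(int (*handler)(unsigned int, uid_t), uid_t uid)
{
	handler(MODEL_MAGIC, uid);
	int w_magic = model_work;
	handler(MODEL_MAGIC + 1, uid);
	return w_magic - model_work;
}
```

With the old ordering the leak grows for callers in a secondary user profile (uid >= 100000) because the multiuser work runs only on the magic path; with the new ordering it is zero for every unprivileged uid.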

@backslashxx backslashxx deleted the prctl branch October 19, 2025 04:15