承接上一篇博客
CVE-2010-EASY漏洞是Android两大提权漏洞之一，它的修复方法很简单
只需要给system/core/init/devices.c文件打个补丁就可以了,具体内容如下
static int open_uevent_socket(void)
{
+ setsockopt(s, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on));
//在open_uevent_socket对套接字增加一个选项 SO_PASSCRED,这样可以让套接字增加一个认证,让接收者可以知道发送者的uid和gid :-)
}
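Review bot: The return value of setsockopt() on the added line is not checked, so a failure to enable SO_PASSCRED is silent; with the matching SCM_CREDENTIALS check in handle_device_fd, that silently drops every uevent rather than failing loudly, which is the safer direction but very hard to diagnose. Consider `if (setsockopt(s, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0) { /* log and return -1 */ }`. The excerpt also omits where `s` and `on` are defined (presumably `int on = 1;` and the netlink socket created earlier in open_uevent_socket), so the rest of the function is outside the hunk.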
void handle_device_fd(int fd)
{
+ for(;;) {
+ char msg[UEVENT_MSG_LEN+2];
+ char cred_msg[CMSG_SPACE(sizeof(struct ucred))];
+ struct iovec iov = {msg, sizeof(msg)};
+ struct sockaddr_nl snl;
+ struct msghdr hdr = {&snl, sizeof(snl), &iov, 1, cred_msg, sizeof(cred_msg), 0};
+
+ ssize_t n = recvmsg(fd, &hdr, 0);
+ if (n <= 0) {
+ break;
+ }
- while((n = recv(fd, msg, UEVENT_MSG_LEN, 0)) > 0) {
- struct uevent uevent;
+ if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
+ /* 如果不是内核的多播信息则抛弃 */
+ continue;
+ }
+
+ struct cmsghdr * cmsg = CMSG_FIRSTHDR(&hdr);
+ if (cmsg == NULL || cmsg->cmsg_type != SCM_CREDENTIALS) {
+ /* 如果发送者的认证没有则抛弃 */
+ continue;
+ }
+
+ struct ucred * cred = (struct ucred *)CMSG_DATA(cmsg);
+ if (cred->uid != 0) {
+ /* 消息不是来自于root用户则抛弃 */
+ continue;
+ }
}
}
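Review bot: The control-message check only tests cmsg_type, but SCM_CREDENTIALS is defined at cmsg_level SOL_SOCKET, and a truncated ancillary buffer (hdr.msg_flags & MSG_CTRUNC) is not rejected before the ucred is read; tighten it to `if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_CREDENTIALS) {` and drop messages with MSG_CTRUNC set. The msghdr on the `struct msghdr hdr = {...}` line is filled positionally, which depends on the field order of a struct that is not specified in that order by POSIX; designated initializers (`.msg_name = &snl, .msg_namelen = sizeof(snl), ...`) would be clearer and portable. The excerpt ends before the received message is NUL-terminated and parsed, so the remainder of handle_device_fd is outside the hunk and those steps cannot be reviewed here.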