三种root的修补方式
system/core/adb/abd.c
adbd漏洞,请看abd.c的第917行
/* then switch user and group to "shell" */
if (setgid(AID_SHELL) != 0) {
exit(1);
}
if (setuid(AID_SHELL) != 0) {
exit(1);
}
版本:1.6 r1 至2.2.3 r2.1
udev漏洞也被修复了,会检查消息的来源的gid和uid
system/core/libcutils/uevent.c
ssize_t n = recvmsg(device_fd, &hdr, 0);
if (n <= 0) {
break;
}
if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
/* ignoring non-kernel netlink multicast message */
continue;
}
struct cmsghdr * cmsg = CMSG_FIRSTHDR(&hdr);
if (cmsg == NULL || cmsg->cmsg_type != SCM_CREDENTIALS) {
/* no sender credentials received, ignore message */
continue;
}
struct ucred * cred = (struct ucred *)CMSG_DATA(cmsg);
if (cred->uid != 0) {
/* message from non-root user, ignore */
continue;
}
if(n >= UEVENT_MSG_LEN) /* overflow -- discard */
continue;
/system/core/libsysutils/src/FrameworkListener.cpp
FrameworkListener漏洞修复,会判断长度,若超过,则跳转。
if (q >= qlimit)
goto overflow;
*q = *p++;
if (!quote && *q == ' ') {
*q = '\0';
if (argc >= CMD_ARGS_MAX)
goto overflow;
argv[argc++] = strdup(tmp);
memset(tmp, 0, sizeof(tmp));
q = tmp;
continue;
}
版本:2.0.1r1 至2.3.7r1