Add locking to protect cred modifications in escape_to_root

This commit introduces locking to ensure safe access and modification of the `cred` structure within the `escape_to_root` function. Signed-off-by: SsageParuders <qinqingqing1025@gmail.com>"
tiann · Dec 26, 2024 · 9d3666c · 9d3666c
1 parent f195fb8
commit 9d3666c
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/kernel/core_hook.c b/kernel/core_hook.c
@@ -128,10 +128,16 @@ void escape_to_root(void)
 {
 	struct cred *cred;
 
-	cred = (struct cred *)__task_cred(current);
+	rcu_read_lock();
+
+	do {
+		cred = (struct cred *)__task_cred((current));
+		BUG_ON(!cred);
+	} while (!get_cred_rcu(cred));
 
 	if (cred->euid.val == 0) {
 		pr_warn("Already root, don't escape!\n");
+		rcu_read_unlock();
 		return;
 	}
 	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
@@ -165,14 +171,16 @@ void escape_to_root(void)
 	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
 	       sizeof(cred->cap_ambient));
 
+	setup_groups(profile, cred);
+
+	rcu_read_unlock();
+
 	// Refer to kernel/seccomp.c: seccomp_set_mode_strict
 	// When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
 	spin_lock_irq(&current->sighand->siglock);
 	disable_seccomp();
 	spin_unlock_irq(&current->sighand->siglock);
 
-	setup_groups(profile, cred);
-
 	setup_selinux(profile->selinux_domain);
 }