From e8787b5cfd75906055c1af6e2241cbeb63b41142 Mon Sep 17 00:00:00 2001
From: canyie
Date: Wed, 3 Aug 2022 00:22:44 +0800
Subject: [PATCH] Fix UB when remote process died

If remote process died, `xreadlink` fails and leaves `buf` uninitialized. Then the daemon calls `str_ends`, creates a temp `std::string_view` with the uninitialized buffer and undefined behavior occurs.
---
 native/src/zygisk/entry.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/native/src/zygisk/entry.cpp b/native/src/zygisk/entry.cpp
index b156bb315..5733178f1 100644
--- a/native/src/zygisk/entry.cpp
+++ b/native/src/zygisk/entry.cpp
@@ -320,7 +320,11 @@ static void get_process_info(int client, const sock_cred *cred) {
 if (should_load_modules(flags)) {
 char buf[256];
- get_exe(cred->pid, buf, sizeof(buf));
+ if (!get_exe(cred->pid, buf, sizeof(buf))) {
+ LOGW("zygisk: remote process %d probably died, abort\n", cred->pid);
+ send_fd(client, -1);
+ return;
+ }
 vector fds = get_module_fds(str_ends(buf, "64"));
 send_fds(client, fds.data(), fds.size());
 }
@@ -386,8 +390,11 @@ void zygisk_handler(int client, const sock_cred *cred) {
 send_log_pipe(client);
 break;
 case ZygiskRequest::CONNECT_COMPANION:
- get_exe(cred->pid, buf, sizeof(buf));
- connect_companion(client, str_ends(buf, "64"));
+ if (get_exe(cred->pid, buf, sizeof(buf))) {
+ connect_companion(client, str_ends(buf, "64"));
+ } else {
+ LOGW("zygisk: remote process %d probably died, abort\n", cred->pid);
+ }
 break;
 case ZygiskRequest::GET_MODDIR:
 get_moddir(client);
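Review bot: The failure reply in the first hunk is `send_fd(client, -1)`, while the success path answers with `send_fds(client, fds.data(), fds.size())`, a list; unless the client's receive side already treats a lone -1 as "no modules", the two replies are not the same wire shape and a live client that merely failed the `/proc` lookup (the commit only handles the "probably died" case in its log text) would misparse the answer. That receive side and the rest of `get_process_info` are outside the hunk, so this is inferred; a one-line comment on the new branch stating the contract would settle it, e.g. `// reply with a single -1 fd: the client treats it as "no module fds" (see get_module_fds consumer)`. The check also relies on `get_exe` reporting failure through its return value, which this commit does not touch (only entry.cpp changes), so presumably it already returns a truthy value on success; worth stating in the commit message. Finally, "abort" in the LOGW text reads like abort(3) in a daemon log; `"zygisk: remote process %d probably died, dropping request\n"` says what actually happens.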
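Review bot: In the second hunk the CONNECT_COMPANION failure path logs and then falls through to `break;` without answering the client, whereas the first hunk replies with `send_fd(client, -1)` before returning; if a client waits on the reply `connect_companion` would have produced, it now blocks until the socket is closed, and whether `zygisk_handler`'s caller closes `client` promptly is not visible here (`buf` and the enclosing switch are declared outside the hunk). Either send the same sentinel here for consistency, `send_fd(client, -1);` in the else branch, or add a comment on the branch explaining why a silent drop is safe for this request type. Both hunks also duplicate the same LOGW line; a small file-local helper such as `static bool get_exe_or_warn(int pid, char *buf, size_t sz)` that performs the lookup and the log would keep the two failure messages from drifting apart.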