AsyncSyscall3 exploit fix

2026-02-24 00:01:39 -06:00
parent 6bb7f03a3e
commit e77a8b3636
2 changed files with 14 additions and 8 deletions
--- a/Src/Hyperion-kernel/lib/modules/Hyperion/30_userspace.kmod
+++ b/Src/Hyperion-kernel/lib/modules/Hyperion/30_userspace.kmod
@@ -21,7 +21,7 @@ local function readonly(tbl)
            error("Attempt to modify global variable '" .. k .. "'", 2)
        end,

-        __pairs = function()
+        __pairs = function(self)
            local function iter(_, key)
                local nextKey, value = next(tbl, key)
                if type(value) == "table" then
@@ -29,7 +29,7 @@ local function readonly(tbl)
                end
                return nextKey, value
            end
-            return iter, tbl, nil
+            return iter, self, nil
        end,

        __ipairs = function()
@@ -54,4 +54,4 @@ local origLoad = load

 kernel._U = readonly(kernel._G)
 kernel._U._G = kernel._U
-kernel._U.load = function(a, b, c, d) return origLoad(a, b, c, d or kernel._U) end
+kernel._U.load = function(a,b,c,d) return origLoad(a,b,c,d or kernel._U) end
--- a/Src/Hyperion-kernel/lib/modules/Hyperion/45_hypervisor.kmod
+++ b/Src/Hyperion-kernel/lib/modules/Hyperion/45_hypervisor.kmod
@@ -5,6 +5,8 @@ local sys    = {}
 local nextpid = 2
 kernel.exitMain = false

+local resumeWithTimeout = coroutine.resumeWithTimeout
+
 local function bit_is_set(num, bit)
    return math.floor(num / (2 ^ bit)) % 2 == 1
 end
@@ -206,10 +208,14 @@ function sys.kill(pid)
        return false, "Task does not exist"
    elseif task.status == "Z" then
        return false, "Task is already dead"
-    else
-        task.status = "Z"
-        return true
    end
+    local caller = kernel.currentTask
+    local ceuid  = caller and (caller.euid or caller.uid) or kernel.uid
+    if ceuid ~= 0 and task.uid ~= (caller and caller.uid or kernel.uid) then
+        return false, "EPERM"
+    end
+    task.status = "Z"
+    return true
 end

 function sys.stop(pid)
@@ -352,7 +358,7 @@ function kernel.main()
                if task.sigq and #task.sigq ~= 0 and task.sigh then
                    local coro = coroutine.create(task.sigh)
                    if kernel.config.preempt then
-                        coroutine.resumeWithTimeout(coro, task.timeSlice, table.remove(task.sigq, 1))
+                        resumeWithTimeout(coro, task.timeSlice, table.remove(task.sigq, 1))
                    else
                        coroutine.resume(coro, table.remove(task.sigq, 1))
                    end
@@ -363,7 +369,7 @@ function kernel.main()
                    local ret

                    if kernel.config.preempt then
-                        ret = { coroutine.resumeWithTimeout(task.coro, task.timeSlice, table.unpack(task.syscallReturn)) }
+                        ret = { resumeWithTimeout(task.coro, task.timeSlice, table.unpack(task.syscallReturn)) }
                    else
                        ret = { coroutine.resume(task.coro, table.unpack(task.syscallReturn)) }
                    end