mirrors/alsa-lib
1
0
Fork 0
mirror of https://github.com/alsa-project/alsa-lib.git synced 2025-10-29 05:40:25 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

ucm: fix TOCTOU race condition

Browse source 
Separately checking the state of a file before operating on it may allow
an attacker to modify the file between the two operations.
Fix by calling readlink first. If that fails, then path should not be a
symbolic link and we call open() followed by fstat(). open() with
O_NOFOLLOW will return an error if the file is a symlink.

Signed-off-by: Mingjie Shen <shen497@purdue.edu>
This commit is contained in:
Mingjie Shen 2023-11-16 15:34:30 -05:00
parent ed6b07084b
commit 9184bb0db0
1 changed files with 16 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/ucm/ucm_subs.c
View file

@ -518,30 +518,32 @@ static char *rval_sysfs(snd_use_case_mgr_t *uc_mgr ATTRIBUTE_UNUSED, const char
if (id[0] == '/')
id++;
snprintf(path, sizeof(path), "%s/%s", e, id);
if (lstat64(path, &sb) != 0)
return NULL;
if (S_ISLNK(sb.st_mode)) {
len = readlink(path, link, sizeof(link) - 1);
if (len <= 0) {
uc_error("sysfs: cannot read link '%s' (%d)", path, errno);
return NULL;
}
len = readlink(path, link, sizeof(link) - 1);
if (len > 0) {
link[len] = '\0';
e = strrchr(link, '/');
if (e)
return strdup(e + 1);
return NULL;
}
if (S_ISDIR(sb.st_mode))
return NULL;
if ((sb.st_mode & S_IRUSR) == 0)
return NULL;
fd = open(path, O_RDONLY);
fd = open(path, O_RDONLY | O_NOFOLLOW);
if (fd < 0) {
uc_error("sysfs open failed for '%s' (%d)", path, errno);
return NULL;
}
if (fstat64(fd, &sb) != 0) {
close(fd);
return NULL;
}
if (S_ISDIR(sb.st_mode)) {
close(fd);
return NULL;
}
if ((sb.st_mode & S_IRUSR) == 0) {
close(fd);
return NULL;
}
len = read(fd, path, sizeof(path)-1);
close(fd);
if (len < 0) {