eden-emu/SDL
19
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix TOCTOU race condition

Browse source 
Separately checking the state of a file before operating on it may allow
an attacker to modify the file between the two operations. (CWE-367)
Fix by using fstat() instead of stat().
This commit is contained in:
Mingjie Shen 2024-03-08 17:20:29 -05:00 committed by Sam Lantinga
parent cde793b0f5
commit 19b3ddac2f
3 changed files with 23 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/audio/SDL_audiodev.c
View file

@ -48,9 +48,9 @@
static void test_device(const SDL_bool iscapture, const char *fname, int flags, SDL_bool (*test)(int fd)) static void test_device(const SDL_bool iscapture, const char *fname, int flags, SDL_bool (*test)(int fd))
{ {
struct stat sb; struct stat sb;
if ((stat(fname, &sb) == 0) && (S_ISCHR(sb.st_mode))) {
const int audio_fd = open(fname, flags | O_CLOEXEC, 0); const int audio_fd = open(fname, flags | O_CLOEXEC, 0);
if (audio_fd >= 0) { if (audio_fd >= 0) {
if ((fstat(audio_fd, &sb) == 0) && (S_ISCHR(sb.st_mode))) {
const SDL_bool okay = test(audio_fd); const SDL_bool okay = test(audio_fd);
close(audio_fd); close(audio_fd);
if (okay) { if (okay) {
@ -65,6 +65,8 @@ static void test_device(const SDL_bool iscapture, const char *fname, int flags,
*/ */
SDL_AddAudioDevice(iscapture, fname, NULL, (void *)(uintptr_t)dummyhandle); SDL_AddAudioDevice(iscapture, fname, NULL, (void *)(uintptr_t)dummyhandle);
} }
} else {
close(audio_fd);
} }
} }
} }

18
src/haptic/linux/SDL_syshaptic.c
View file

@ -240,24 +240,26 @@ static int MaybeAddDevice(const char *path)
return -1; return -1;
} }
/* check to see if file exists */ /* try to open */
if (stat(path, &sb) != 0) { fd = open(path, O_RDWR | O_CLOEXEC, 0);
if (fd < 0) {
return -1;
}
/* get file status */
if (fstat(fd, &sb) != 0) {
close(fd);
return -1; return -1;
} }
/* check for duplicates */ /* check for duplicates */
for (item = SDL_hapticlist; item; item = item->next) { for (item = SDL_hapticlist; item; item = item->next) {
if (item->dev_num == sb.st_rdev) { if (item->dev_num == sb.st_rdev) {
close(fd);
return -1; /* duplicate. */ return -1; /* duplicate. */
} }
} }
/* try to open */
fd = open(path, O_RDWR | O_CLOEXEC, 0);
if (fd < 0) {
return -1;
}
#ifdef DEBUG_INPUT_EVENTS #ifdef DEBUG_INPUT_EVENTS
printf("Checking %s\n", path); printf("Checking %s\n", path);
#endif #endif

15
src/joystick/linux/SDL_sysjoystick.c
View file

@ -417,7 +417,13 @@ static void MaybeAddDevice(const char *path)
return; return;
} }
if (stat(path, &sb) == -1) { fd = open(path, O_RDONLY | O_CLOEXEC, 0);
if (fd < 0) {
return;
}
if (fstat(fd, &sb) == -1) {
close(fd);
return; return;
} }
@ -435,11 +441,6 @@ static void MaybeAddDevice(const char *path)
} }
} }
fd = open(path, O_RDONLY | O_CLOEXEC, 0);
if (fd < 0) {
goto done;
}
#ifdef DEBUG_INPUT_EVENTS #ifdef DEBUG_INPUT_EVENTS
SDL_Log("Checking %s\n", path); SDL_Log("Checking %s\n", path);
#endif #endif
@ -507,9 +508,7 @@ static void MaybeAddDevice(const char *path)
} }
done: done:
if (fd >= 0) {
close(fd); close(fd);
}
SDL_UnlockJoysticks(); SDL_UnlockJoysticks();
} }