From 7d099c46c587deaa1c8657fcdec324cc3b9d5a7e Mon Sep 17 00:00:00 2001
From: Kamalesh Babulal
Date: Mon, 17 Jul 2023 14:38:19 +0530
Subject: [PATCH] src/api.c fix TOCTOU in cg_mkdir_p()

Fix a TOCTOU issue, reported by Coverity tool: CID 258294 (#1 of 1): Time of check time of use (TOCTOU)42. fs_check_call: Calling function stat to perform check on real_path Add new switch for EROFS, to explicitly check if the file exist on mkdir()'s error path, using a new char pointer.
Signed-off-by: Kamalesh Babulal
Signed-off-by: Tom Hromatka
---
 src/api.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/api.c b/src/api.c
index 72d44b9e..46842164 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2109,8 +2109,9 @@ int cgroup_attach_task(struct cgroup *cgroup)
 int cg_mkdir_p(const char *path)
 {
 char *real_path = NULL;
- int stat_ret, ret = 0;
+ char *tmp_path = NULL;
 struct stat st;
+ int ret = 0;
 int i = 0;
 char pos;
 
@@ -2135,7 +2136,6 @@ int cg_mkdir_p(const char *path)
 
 /* 0775 == S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH */
 ret = mkdir(real_path, 0775);
- real_path[i] = pos;
 if (ret) {
 switch (errno) {
 case EEXIST:
@@ -2144,19 +2144,21 @@ int cg_mkdir_p(const char *path)
 case EPERM:
 ret = ECGROUPNOTOWNER;
 goto done;
- default:
- /* Check if path exists */
- real_path[i] = '\0';
- stat_ret = stat(real_path, &st);
- real_path[i] = pos;
- if (stat_ret == 0) {
- ret = 0; /* Path exists */
- break;
- }
+ case EROFS:
+ /*
+ * Check if path exists, use tmp_path to
+ * keep Coverity happy
+ */
+ tmp_path = real_path;
+ ret = stat(tmp_path, &st);
+ if (ret == 0)
+ break; /* Path exists */
+ default: /* fallthrough */
 ret = ECGROUPNOTALLOWED;
 goto done;
 }
 }
+ real_path[i] = pos;
 } while (real_path[i]);
 
 done:
-- 
2.47.2
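Review bot: In the new `case EROFS:` branch the `stat()` still resolves the same path string that `mkdir()` just failed on, so the check-then-use window Coverity reported is unchanged; `tmp_path = real_path` only aliases the pointer and hides the finding from the analyzer. The result is also accepted without looking at `st`, so a non-directory at that component (or whatever a symlink there points to, since `stat()` follows links) counts as "path exists"; `if (ret == 0 && S_ISDIR(st.st_mode))` would at least pin the type. The old `default:` branch ran this existence check for every errno other than EEXIST and EPERM, while the new code runs it only for EROFS, so other failures such as EACCES now return ECGROUPNOTALLOWED even when the directory is present, and the commit message does not say whether that narrowing is intended. The `/* fallthrough */` comment sits after the `default:` label, where GCC's -Wimplicit-fallthrough does not appear to recognise it; it belongs on the line before the label. The body of cg_mkdir_p() starts and ends outside this hunk.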