tools/power/x86/intel-speed-select: Harden daemon pidfile open

Avoid symlink-based pidfile clobbering by opening the pidfile with
O_NOFOLLOW and validating it with fstat() before locking/writing.

The daemon currently uses a fixed pidfile path under /tmp. A local
unprivileged user can pre-create a symlink at that path and cause a
root-run daemon instance to write into an attacker-chosen file.

Fixes: 7fd786dfbd2c ("tools/power/x86/intel-speed-select: OOB daemon mode")
Signed-off-by: Ali Ahmet MEMIS <dev@unknownbbqr.xyz>
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: stable@kernel.org

diff --git a/tools/power/x86/intel-speed-select/isst-daemon.c b/tools/power/x86/intel-speed-select/isst-daemon.c
index 66df21b2b5737db6707c0158e193b9566224a46c..acedb743284946f5df7a591ed3de1e4a715d27c4 100644 (file)
--- a/tools/power/x86/intel-speed-select/isst-daemon.c
+++ b/tools/power/x86/intel-speed-select/isst-daemon.c
@@ -148,6 +148,7 @@ static void daemonize(char *rundir, char *pidfile)
 {
        int pid, sid, i;
        char str[10];
+       struct stat st;
        struct sigaction sig_actions;
        sigset_t sig_set;
        int ret;
@@ -200,11 +201,17 @@ static void daemonize(char *rundir, char *pidfile)
        if (ret == -1)
                exit(EXIT_FAILURE);
 
-       pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);
+       pid_file_handle = open(pidfile, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
        if (pid_file_handle == -1) {
                /* Couldn't open lock file */
                exit(1);
        }
+
+       if (fstat(pid_file_handle, &st) == -1)
+               exit(1);
+
+       if (!S_ISREG(st.st_mode))
+               exit(1);
        /* Try to lock file */
 #ifdef LOCKF_SUPPORT
        if (lockf(pid_file_handle, F_TLOCK, 0) == -1) {