| author | Leah Rowe <leah@libreboot.org> | 2026-03-18 04:49:22 +0000 |
|---|---|---|
| committer | Leah Rowe <leah@libreboot.org> | 2026-03-26 06:59:42 +0000 |
| commit | 3256c3fcb8c260283132969f93f36621e1f894f7 (patch) | |
| tree | c5fc40dbac0d29363e8bef7c8a594fc0a05b6004 /util | |
| parent | 21cd0b7a91e6f3e2471a3ffa7b90082dc6a26412 (diff) | |
nvmutil tmpdir: check world-writeable / sticky bits
must be world writeable and not have sticky bits
a bit theoretical, but we're also reading TMPDIR,
which could be anything
due to how this is called, it defaults back to /tmp
if null is returned, so it's safe
Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'util')
| -rw-r--r-- | util/nvmutil/nvmutil.c | 6 | ||||
| -rw-r--r-- | util/nvmutil/nvmutil.h | 8 |
2 files changed, 11 insertions, 3 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index c34d79c3..8205a1df 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -991,7 +991,7 @@ rlong(void)
 defined(__NetBSD__) || defined(__APPLE__)
 unsigned long rval;
- arc4random_buf(&rval, sizeof(unsigned long);
+ arc4random_buf(&rval, sizeof(unsigned long));
 return rval;
 #else
@@ -3001,8 +3001,8 @@ x_c_tmpdir(void)
 t = getenv("TMPDIR");
 if (t && *t) {
- if (stat(t, &st) == 0 && S_ISDIR(st.st_mode))
- return t;
+ if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
+ return NULL;
 }
 if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode))
diff --git a/util/nvmutil/nvmutil.h b/util/nvmutil/nvmutil.h
index 94ad8f62..4d8c3ab2 100644
--- a/util/nvmutil/nvmutil.h
+++ b/util/nvmutil/nvmutil.h
@@ -28,6 +28,14 @@ int fchmod(int fd, mode_t mode);
 #define OFF_RESET 1
 #endif
+#ifndef S_ISVTX
+#define S_ISVTX 01000
+#endif
+
+#if defined(S_IFMT) && ((S_ISVTX & S_IFMT) != 0)
+#error "Unexpected bit layout"
+#endif
+
 #ifndef MAX_ZERO_RW_RETRY
 #define MAX_ZERO_RW_RETRY 5
 #endif |
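Review bot: In the x_c_tmpdir hunk the new test reads `st.st_mode` with no visible `stat(t, &st)`, because that call sat on the removed line; unless `st` is filled earlier outside the hunk, the mode bits being checked are indeterminate. The `return t;` line is gone as well, so within these lines a TMPDIR that passes the check is never returned and control falls through to the `/tmp` probe, and the S_ISDIR test on TMPDIR is lost. Keeping the old guard and nesting the new test inside it restores both: open with `if (stat(t, &st) == 0 && S_ISDIR(st.st_mode)) {`, keep the world-writable/sticky test that returns NULL, then end with `return t; }`. The `/tmp` fallback shown below it still checks only S_ISDIR, so the same mode test may be wanted there. The function body starts and ends outside the hunk.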
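Review bot: The `S_ISVTX` fallback in nvmutil.h only behaves as intended if `<sys/stat.h>` has already been included at this point; the include order is not visible in the hunk, and if the system header comes later its own definition would clash with or override the 01000 value. A short comment above the block would record the intent, for example `/* fallback for systems whose <sys/stat.h> lacks S_ISVTX; 01000 is the traditional sticky-bit value */`. On a platform that really has no such bit, `!(st.st_mode & S_ISVTX)` is always true, so every world-writable TMPDIR is rejected; that is presumably the intended fail-closed behaviour and is worth stating in the same comment.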
