From a261bab075eeca06c98522ee860e8d19962149f0 Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Mon, 16 Mar 2026 16:19:27 +0000
Subject: util/nvmutil: more secure tmpdir()

use stat instead of access (race conditions)

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'util/nvmutil')

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 25953de5..96948f09 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -3088,15 +3088,18 @@ static char *
 x_c_tmpdir(void)
 {
 	char *t;
+	struct stat st;
 
 	t = getenv("TMPDIR");
-	if (t && *t)
-		return t;
+	if (t && *t) {
+		if (stat(t, &st) == 0 && S_ISDIR(st.st_mode))
+			return t;
+	}
 
-	if (access("/tmp", W_OK) == 0)
+	if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode))
 		return "/tmp";
 
-	if (access("/var/tmp", W_OK) == 0)
+	if (stat("/var/tmp", &st) == 0 && S_ISDIR(st.st_mode))
 		return "/var/tmp";
 
 	return ".";
-- 
cgit v1.2.1