plugins/micron: Fix code scanning alert

Fix the time-of-check time-of-use filesystem race condition. To use setuid() described by the JPCERT CC document as below. <https://www.jpcert.or.jp/research/2009/6_File_IO_Part3.pdf> Page 53: TOCTUC race condition measure example. To check the permission as same with access() function, Set the real user ID as the effective user ID. Then the race window closed between checking and using. Note: The example for fopen() but the fix for mkdir() and rmdir(). Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
ikegami-t · Feb 11, 2024 · 589ef17 · 589ef17
1 parent 83aad43
commit 589ef17
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/plugins/micron/micron-nvme.c b/plugins/micron/micron-nvme.c
@@ -311,7 +311,7 @@ static int SetupDebugDataDirectories(char *strSN, char *strFilePath,
 		j++;
 	}
 
-	if (mkdir(strMainDirName, 0777) < 0) {
+	if (setuid(getuid()) || mkdir(strMainDirName, 0777) < 0) {
 		err = -1;
 		goto exit_status;
 	}
@@ -331,7 +331,7 @@ static int SetupDebugDataDirectories(char *strSN, char *strFilePath,
 				rmdir(strOSDirName);
 			rmdir(strMainDirName);
 			err = -1;
-	}
+		}
 	}
 
 exit_status: