mtd-utils: Fix various TOCTOU issues

This patch restructures various code parts that follow the pattern
of "stat(x, &sb) ... makes_sense(&sb) ... open(x)".

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

diff --git a/jffsX-utils/mkfs.jffs2.c b/jffsX-utils/mkfs.jffs2.c
index f46cc224440ad3910aa96962a0d1e6b7b1e79071..9cc5eaf2538c3b67bda137218006de99a7c37f54 100644 (file)
--- a/jffsX-utils/mkfs.jffs2.c
+++ b/jffsX-utils/mkfs.jffs2.c
@@ -1772,9 +1772,7 @@ int main(int argc, char **argv)
                }
                out_fd = 1;
        }
-       if (lstat(rootdir, &sb)) {
-               sys_errmsg_die("%s", rootdir);
-       }
+
        if (chdir(rootdir))
                sys_errmsg_die("%s", rootdir);
 

diff --git a/lib/libmtd_legacy.c b/lib/libmtd_legacy.c
index 2b7f65ff81b24e1b1fc967d7399f93e89fb875c6..4eb4a70919c478bec26f45e82bd13c1ef33709ef 100644 (file)
--- a/lib/libmtd_legacy.c
+++ b/lib/libmtd_legacy.c
@@ -221,18 +221,21 @@ int legacy_get_mtd_oobavail(const char *node)
        struct nand_ecclayout_user usrlay;
        int fd, ret;
 
-       if (stat(node, &st))
+       fd = open(node, O_RDONLY);
+       if (fd == -1)
                return sys_errmsg("cannot open \"%s\"", node);
 
+       if (fstat(fd, &st)) {
+               ret = sys_errmsg("cannot open \"%s\"", node);
+               goto out_close;
+       }
+
        if (!S_ISCHR(st.st_mode)) {
                errno = EINVAL;
-               return errmsg("\"%s\" is not a character device", node);
+               ret = errmsg("\"%s\" is not a character device", node);
+               goto out_close;
        }
 
-       fd = open(node, O_RDONLY);
-       if (fd == -1)
-               return sys_errmsg("cannot open \"%s\"", node);
-
        ret = ioctl(fd, ECCGETLAYOUT, &usrlay);
        if (ret < 0) {
                if (errno == EOPNOTSUPP)
@@ -273,15 +276,24 @@ int legacy_get_dev_info(const char *node, struct mtd_dev_info *mtd)
        loff_t offs = 0;
        struct proc_parse_info pi;
 
-       if (stat(node, &st)) {
+       fd = open(node, O_RDONLY);
+       if (fd == -1) {
                sys_errmsg("cannot open \"%s\"", node);
                if (errno == ENOENT)
                        normsg("MTD subsystem is old and does not support "
                               "sysfs, so MTD character device nodes have "
                               "to exist");
+               return -1;
+       }
+
+       if (fstat(fd, &st)) {
+               sys_errmsg("cannot stat \"%s\"", node);
+               close(fd);
+               return -1;
        }
 
        if (!S_ISCHR(st.st_mode)) {
+               close(fd);
                errno = EINVAL;
                return errmsg("\"%s\" is not a character device", node);
        }
@@ -291,6 +303,7 @@ int legacy_get_dev_info(const char *node, struct mtd_dev_info *mtd)
        mtd->minor = minor(st.st_rdev);
 
        if (mtd->major != MTD_DEV_MAJOR) {
+               close(fd);
                errno = EINVAL;
                return errmsg("\"%s\" has major number %d, MTD devices have "
                              "major %d", node, mtd->major, MTD_DEV_MAJOR);
@@ -298,10 +311,6 @@ int legacy_get_dev_info(const char *node, struct mtd_dev_info *mtd)
 
        mtd->mtd_num = mtd->minor / 2;
 
-       fd = open(node, O_RDONLY);
-       if (fd == -1)
-               return sys_errmsg("cannot open \"%s\"", node);
-
        if (ioctl(fd, MEMGETINFO, &ui)) {
                sys_errmsg("MEMGETINFO ioctl request failed");
                goto out_close;

diff --git a/misc-utils/ftl_check.c b/misc-utils/ftl_check.c
index 5a0415538ad8b899ea1351d853716cc981418d39..5b2dae57530dc4d585f67ed6ddab92a26a941e53 100644 (file)
--- a/misc-utils/ftl_check.c
+++ b/misc-utils/ftl_check.c
@@ -206,18 +206,20 @@ int main(int argc, char *argv[])
                exit(errflg > 0 ? 0 : EXIT_FAILURE);
        }
 
-       if (stat(argv[optind], &buf) != 0) {
+       fd = open(argv[optind], O_RDONLY);
+       if (fd == -1) {
+               perror("open failed");
+               exit(EXIT_FAILURE);
+       }
+       if (fstat(fd, &buf) != 0) {
                perror("status check failed");
+               close(fd);
                exit(EXIT_FAILURE);
        }
        if (!(buf.st_mode & S_IFCHR)) {
                fprintf(stderr, "%s is not a character special device\n",
                                argv[optind]);
-               exit(EXIT_FAILURE);
-       }
-       fd = open(argv[optind], O_RDONLY);
-       if (fd == -1) {
-               perror("open failed");
+               close(fd);
                exit(EXIT_FAILURE);
        }
 

diff --git a/misc-utils/ftl_format.c b/misc-utils/ftl_format.c
index bf3c8f23aee3c99a70e3432cc90360758c9c09c1..34d436c6d6857dde9710bcf2e46e1a79c7409cdc 100644 (file)
--- a/misc-utils/ftl_format.c
+++ b/misc-utils/ftl_format.c
@@ -312,18 +312,20 @@ int main(int argc, char *argv[])
                exit(errflg > 0 ? EXIT_SUCCESS : EXIT_FAILURE);
        }
 
-       if (stat(argv[optind], &buf) != 0) {
+       fd = open(argv[optind], O_RDWR);
+       if (fd == -1) {
+               perror("open failed");
+               exit(EXIT_FAILURE);
+       }
+       if (fstat(fd, &buf) != 0) {
                perror("status check failed");
+               close(fd);
                exit(EXIT_FAILURE);
        }
        if (!(buf.st_mode & S_IFCHR)) {
                fprintf(stderr, "%s is not a character special device\n",
                                argv[optind]);
-               exit(EXIT_FAILURE);
-       }
-       fd = open(argv[optind], O_RDWR);
-       if (fd == -1) {
-               perror("open failed");
+               close(fd);
                exit(EXIT_FAILURE);
        }