nvmutil tmpdir: check world-writeable / sticky bits

must be world writeable and not have sticky bits a bit theoretical, but we're also reading TMPDIR, which could be anything due to how this is called, it defaults back to /tmp if null is returned, so itt's safe Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-25 13:29:03 +02:00 · 2026-03-18 04:49:22 +00:00
parent 4810284f12
commit ee5ff03765
2 changed files with 11 additions and 3 deletions
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -991,7 +991,7 @@ rlong(void)
    defined(__NetBSD__) || defined(__APPLE__)

 	unsigned long rval;
-	arc4random_buf(&rval, sizeof(unsigned long);
+	arc4random_buf(&rval, sizeof(unsigned long));

 	return rval;
 #else
@@ -3001,8 +3001,8 @@ x_c_tmpdir(void)

 	t = getenv("TMPDIR");
 	if (t && *t) {
-		if (stat(t, &st) == 0 && S_ISDIR(st.st_mode))
-			return t;
+		if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
+			return NULL;
 	}

 	if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode))
--- a/util/nvmutil/nvmutil.h
+++ b/util/nvmutil/nvmutil.h
@@ -28,6 +28,14 @@ int fchmod(int fd, mode_t mode);
 #define OFF_RESET 1
 #endif

+#ifndef S_ISVTX
+#define S_ISVTX 01000
+#endif
+
+#if defined(S_IFMT) && ((S_ISVTX & S_IFMT) != 0)
+#error "Unexpected bit layout"
+#endif
+
 #ifndef MAX_ZERO_RW_RETRY
 #define MAX_ZERO_RW_RETRY 5
 #endif