From 934603eb6adb2d646364132bbac7bdb30ccb97bf Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Sun, 8 Nov 2020 22:21:23 -0500
Subject: [PATCH 4/5] swtpm: Switch to open() from fopen() for the pidfile (CVE-2020-28407)

This patch addresses CVE-2020-28407. Use the open() call rather than the fopen() call when creating a pidfile. Also prevent us from following symbolic links when opening the pidfile for writing.

Signed-off-by: Stefan Berger
---
 src/swtpm/pidfile.c | 41 ++++++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/src/swtpm/pidfile.c b/src/swtpm/pidfile.c
index f9d18ad..afca5b0 100644
--- a/src/swtpm/pidfile.c
+++ b/src/swtpm/pidfile.c
@@ -37,11 +37,13 @@
 #include "config.h"
+#include
+#include
+#include
 #include
 #include
 #include
 #include
-#include
 #include "pidfile.h"
 #include "logging.h"
@@ -77,40 +79,49 @@ int pidfile_set_fd(int newpidfilefd)
 */
 int pidfile_write(pid_t pid)
 {
- FILE *f;
+ int fd;
+ char buffer[32];
+ ssize_t nwritten;
 if (g_pidfile) {
- f = fopen(g_pidfile, "w+");
+ fd = open(g_pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 } else if (pidfilefd >= 0) {
- f = fdopen(pidfilefd, "w");
- if (f) {
- g_pidfile = fd_to_filename(pidfilefd);
- if (!g_pidfile)
- goto error;
- }
+ fd = pidfilefd;
+ g_pidfile = fd_to_filename(pidfilefd);
+ if (!g_pidfile)
+ goto error;
 } else {
 return 0;
 }
- if (!f) {
+ if (fd < 0) {
 logprintf(STDERR_FILENO, "Could not open pidfile %s : %s\n", g_pidfile, strerror(errno));
 goto error;
 }
- if (fprintf(f, "%d", pid) < 0) {
+ if (snprintf(buffer, sizeof(buffer), "%d", pid) >= (int)sizeof(buffer)) {
+ logprintf(STDERR_FILENO, "Could not write pid to buffer\n");
+ goto error_close;
+ }
+
+ nwritten = write_full(fd, buffer, strlen(buffer));
+ if (nwritten < 0 || nwritten != (ssize_t)strlen(buffer)) {
 logprintf(STDERR_FILENO, "Could not write to pidfile : %s\n", strerror(errno));
- goto error;
+ goto error_close;
 }
- fclose(f);
+ close(fd);
 return 0;
+error_close:
+ if (fd != pidfilefd)
+ close(fd);
+
 error:
- if (f)
- fclose(f);
 return -1;
 }
-- 
2.27.0
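Review bot: The success and failure paths of pidfile_write disagree about who owns the caller-supplied descriptor: the success path runs `close(fd);` even when `fd == pidfilefd`, while `error_close:` deliberately skips that case and the `fd_to_filename` failure branch jumps to `error:` without closing anything. The removed `fclose(f)` closed the fdopen'ed descriptor on both paths, so unless the caller is now meant to keep pidfilefd open, `error_close:` can simply be `close(fd);`; whichever convention is chosen, record it in a comment such as `/* pidfilefd, when used, is closed here on every return path */`. The snprintf check only catches truncation and should also reject a negative return, e.g. `int n = snprintf(buffer, sizeof(buffer), "%d", pid);` followed by `if (n < 0 || n >= (int)sizeof(buffer)) {`, which also lets `n` replace the two `strlen(buffer)` calls. Note that O_NOFOLLOW refuses a symlink only at the final path component, so a symlinked parent directory is still traversed; a short comment beside the open() flags stating that the pidfile directory must not be writable by untrusted users would document that residual assumption.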