[PATCH v2] tools/power/x86/intel-speed-select: Harden daemon pidfile open

Next message: Steve French: "[GIT PULL] smb3 client fixes"
Previous message: Josh Poimboeuf: "Re: [PATCH 04/48] objtool/klp: Ignore __UNIQUE_ID_*() PCI stub functions"
Next in thread: srinivas pandruvada: "Re: [PATCH v2] tools/power/x86/intel-speed-select: Harden daemon pidfile open"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: unknownbbqrx

Date: Thu Apr 23 2026 - 15:34:40 EST

From: ali <dev@xxxxxxxxxxxxxxx>

Avoid symlink-based pidfile clobbering by opening the pidfile with
O_NOFOLLOW and validating it with fstat() before locking/writing.

The daemon currently uses a fixed pidfile path under /tmp. A local
unprivileged user can pre-create a symlink at that path and cause a
root-run daemon instance to write into an attacker-chosen file.

Signed-off-by: ali <dev@xxxxxxxxxxxxxxx>
---
tools/power/x86/intel-speed-select/isst-daemon.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tools/power/x86/intel-speed-select/isst-daemon.c b/tools/power/x86/intel-speed-select/isst-daemon.c
index 66df21b2b..4346b049d 100644
--- a/tools/power/x86/intel-speed-select/isst-daemon.c
+++ b/tools/power/x86/intel-speed-select/isst-daemon.c
@@ -200,11 +200,21 @@ static void daemonize(char *rundir, char *pidfile)
if (ret == -1)
exit(EXIT_FAILURE);

- pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);
+ pid_file_handle = open(pidfile, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
if (pid_file_handle == -1) {
/* Couldn't open lock file */
exit(1);
}
+
+ {
+ struct stat st;
+
+ if (fstat(pid_file_handle, &st) == -1)
+ exit(1);
+
+ if (!S_ISREG(st.st_mode))
+ exit(1);
+ }
/* Try to lock file */
#ifdef LOCKF_SUPPORT
if (lockf(pid_file_handle, F_TLOCK, 0) == -1) {

base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6
--
2.53.0