[PATCH v3] tools/power/x86/intel-speed-select: Harden daemon pidfile open
From: unknownbbqrx
Date: Sat Apr 25 2026 - 07:31:17 EST
From: Ali Ahmet MEMIS <dev@xxxxxxxxxxxxxxx>
Avoid symlink-based pidfile clobbering by opening the pidfile with O_NOFOLLOW and validating it with fstat() before locking/writing.
The daemon currently uses a fixed pidfile path under /tmp. A local unprivileged user can pre-create a symlink at that path and cause a root-run daemon instance to write into an attacker-chosen file.
Signed-off-by: Ali Ahmet MEMIS <dev@xxxxxxxxxxxxxxx>
---
tools/power/x86/intel-speed-select/isst-daemon.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/power/x86/intel-speed-select/isst-daemon.c b/tools/power/x86/intel-speed-select/isst-daemon.c
index 66df21b2b..acedb7432 100644
--- a/tools/power/x86/intel-speed-select/isst-daemon.c
+++ b/tools/power/x86/intel-speed-select/isst-daemon.c
@@ -148,6 +148,7 @@ static void daemonize(char *rundir, char *pidfile)
{
int pid, sid, i;
char str[10];
+ struct stat st;
struct sigaction sig_actions;
sigset_t sig_set;
int ret;
@@ -200,11 +201,17 @@ static void daemonize(char *rundir, char *pidfile)
if (ret == -1)
exit(EXIT_FAILURE);
- pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);
+ pid_file_handle = open(pidfile, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
if (pid_file_handle == -1) {
/* Couldn't open lock file */
exit(1);
}
+
+ if (fstat(pid_file_handle, &st) == -1)
+ exit(1);
+
+ if (!S_ISREG(st.st_mode))
+ exit(1);
/* Try to lock file */
#ifdef LOCKF_SUPPORT
if (lockf(pid_file_handle, F_TLOCK, 0) == -1) {
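Review bot: The added `S_ISREG` check after `fstat()` still accepts a regular file that another local user pre-created at the fixed /tmp path, and a hard link to an existing root-owned file also passes on systems where hard-link protection is disabled, because O_NOFOLLOW only rejects a symlink in the final path component. I would tighten the test to `if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1)` so the daemon refuses a file it does not own or that has more than one name before it locks or writes. The more durable fix is to keep the pidfile in a directory that only root can write, which removes the pre-creation race altogether; the path is chosen outside this hunk. daemonize() starts and ends outside the hunk, so how the descriptor is written afterwards is not visible here, and since the diff adds no `#include <sys/stat.h>` that header is presumably already included for `fstat()` and `S_ISREG`.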
base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6
--
2.53.0