projects / platform / core / system / swap-manager.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 18962c9)
Fix SVACE issues 85/213485/2
authorVyacheslav Cherkashin <v.cherkashin@samsung.com>
Thu, 5 Sep 2019 14:49:36 +0000 (17:49 +0300)
committerVyacheslav Cherkashin <v.cherkashin@samsung.com>
Thu, 5 Sep 2019 18:02:04 +0000 (21:02 +0300)
- remove the buffer overflow risk when using realpath()
- fix setting UNIX permissions when calling open()

Change-Id: Ief656a705cf2f4b4c786447ec7ae1e08d5c59fa7
Signed-off-by: Vyacheslav Cherkashin <v.cherkashin@samsung.com>
daemon/da_debug.c patch | blob | history
daemon/da_inst.c patch | blob | history
daemon/da_protocol.c patch | blob | history
daemon/utils.c patch | blob | history

diff --git a/daemon/da_debug.c b/daemon/da_debug.c
index 5ccacb4bb1ba7b1290fcc0d13bcbb1e848d7b957..e58599864416e81b2fb09e3bd4835f915ce9a8b9 100644 (file)
--- a/daemon/da_debug.c
+++ b/daemon/da_debug.c
@@ -91,7 +91,7 @@ int initialize_log(void)
                     DEBUG_LOGFILE, errno);
 
        fd = open(DEBUG_LOGFILE, O_WRONLY | O_CREAT | O_TRUNC, 0777);
-       fd_null = open("/dev/null", O_WRONLY | O_CREAT | O_TRUNC, 0777);
+       fd_null = open("/dev/null", O_WRONLY);
 
        if (fd != -1 && fd_null != -1) {
                if (close_on_exec_dup(fd_null, 1) != 0 ||
diff --git a/daemon/da_inst.c b/daemon/da_inst.c
index 3fedba63e0adbe73a9f68dc2450ed8363d4e1fd0..b3b8ac35348cad17681658998f88eeabaa33140b 100644 (file)
--- a/daemon/da_inst.c
+++ b/daemon/da_inst.c
@@ -708,10 +708,9 @@ static void generate_target_bins(struct user_space_inst_t *us_inst,
 
        struct lib_list_t *lib = us_inst->lib_inst_list;
        struct app_list_t *app = us_inst->app_inst_list;
-       char *p, *resolved;
+       char *p;
        uint32_t total_maps_count = 0;
        uint32_t total_len = sizeof(total_maps_count) + sizeof(*lib_maps_message);
-       char real_path_buf[PATH_MAX];
 
        /* Add preload type size */
        total_len += sizeof(uint8_t);
@@ -727,15 +726,16 @@ static void generate_target_bins(struct user_space_inst_t *us_inst,
        }
 
        while (app != NULL) {
-               p = app->app->exe_path;
-               resolved = realpath((const char *)p, real_path_buf);
+               const char *exe_path = app->app->exe_path;
+               char *resolved = realpath(exe_path, NULL);
                if (resolved != NULL) {
                        /* Add to total_len entry size: path length, path itself with \0 */
-                       total_len += sizeof(uint32_t) + strlen(real_path_buf) + 1;
+                       total_len += sizeof(uint32_t) + strlen(resolved) + 1;
                        total_maps_count++;
                        LOGI("app #%u <%s>\n", total_maps_count, resolved);
+                       free(resolved);
                } else {
-                       LOGE("cannot resolve bin path <%s>\n", p);
+                       LOGE("cannot resolve bin path <%s>\n", exe_path);
                }
 
                app = (struct app_list_t *)app->next;
@@ -764,9 +764,11 @@ static void generate_target_bins(struct user_space_inst_t *us_inst,
 
        app = us_inst->app_inst_list;
        while (app != NULL) {
-               resolved = realpath(app->app->exe_path, real_path_buf);
-               if (resolved != NULL)
-                       pack_path_with_len(p, real_path_buf);
+               char *resolved = realpath(app->app->exe_path, NULL);
+               if (resolved != NULL) {
+                       pack_path_with_len(p, resolved);
+                       free(resolved);
+               }
                app = (struct app_list_t *)app->next;
        }
 
@@ -797,8 +799,7 @@ static int add_bins_to_preload(struct user_space_inst_t *us_inst)
        struct lib_list_t *lib = us_inst->lib_inst_list;
        struct app_list_t *app = us_inst->app_inst_list;
        uint32_t total_maps_count = 0;
-       char real_path_buf[PATH_MAX];
-       char *resolved, *p;
+       char *p;
        FILE *preload_p;
 
        preload_p = fopen(PRELOAD_ADD_BIN, "w");
@@ -817,13 +818,14 @@ static int add_bins_to_preload(struct user_space_inst_t *us_inst)
        }
 
        while (app != NULL) {
-               resolved = realpath((const char *)app->app->exe_path, real_path_buf);
+               char *resolved = realpath(app->app->exe_path, NULL);
                if (resolved != NULL) {
                        total_maps_count++;
                        fwrite(resolved, strlen(resolved) + 1, 1, preload_p);
                        fflush(preload_p);
 
                        LOGI("app #%u <%s>\n", total_maps_count, resolved);
+                       free(resolved);
                }
 
                app = (struct app_list_t *)app->next;
@@ -905,7 +907,6 @@ static int add_procs(struct user_space_inst_t *us_inst,
 {
        struct app_list_t *app = us_inst->app_inst_list;
        uint32_t total_maps_count = 0;
-       char real_path_buf[PATH_MAX];
        char *to_write;
        FILE *file;
 
@@ -924,8 +925,7 @@ static int add_procs(struct user_space_inst_t *us_inst,
                                break;
                        }
 
-                       to_write = realpath((const char *)app->app->exe_path,
-                                           real_path_buf);
+                       to_write = realpath(app->app->exe_path, NULL);
                        if (to_write != NULL) {
                                total_maps_count++;
                                fwrite(to_write, strlen(to_write) + 1, 1, file);
@@ -933,6 +933,7 @@ static int add_procs(struct user_space_inst_t *us_inst,
 
                                LOGI("app #%u <%s>\n", total_maps_count,
                                     to_write);
+                               free(to_write);
                        }
                        fclose(file);
                        break;
diff --git a/daemon/da_protocol.c b/daemon/da_protocol.c
index d68adb486ce19564882089768b3008a8ec511f74..4606fbb1e93df0f73e97807aee776cd20a383b19 100644 (file)
--- a/daemon/da_protocol.c
+++ b/daemon/da_protocol.c
@@ -1315,8 +1315,7 @@ send_ack:
 int process_msg_get_real_path(struct msg_buf_t *msg)
 {
        const char *file_path = NULL;
-       char buf[PATH_MAX];
-       char *resolved_path;
+       char *resolved_path = NULL;
        enum ErrorCode err_code = ERR_UNKNOWN;
        uint32_t response_len = 0;
 
@@ -1329,7 +1328,7 @@ int process_msg_get_real_path(struct msg_buf_t *msg)
        }
 
        /* resolve file path */
-       resolved_path = realpath(file_path, buf);
+       resolved_path = realpath(file_path, NULL);
        LOGI("NMSG_GET_REAL_PATH resolved path <%s>\n", resolved_path);
        if (resolved_path == NULL) {
                LOGE("NMSG_GET_REAL_PATH error: cannot resolve path <%s>\n",
@@ -1350,11 +1349,13 @@ int process_msg_get_real_path(struct msg_buf_t *msg)
        goto send_ack;
 
 send_fail:
+       free(resolved_path);
+       resolved_path = NULL;
        response_len = 0;
-       resolved_path = "";
+
 send_ack:
-       /* success */
        sendACKToHost(NMSG_GET_REAL_PATH, err_code, resolved_path, response_len);
+       free(resolved_path);
 
        return -(err_code != ERR_NO);
 }
diff --git a/daemon/utils.c b/daemon/utils.c
index 83c44ba7909d707a79fa65ae2701cd753c8b2e16..58119071abaa12b594324caef36405027d2345d3 100644 (file)
--- a/daemon/utils.c
+++ b/daemon/utils.c
@@ -161,7 +161,7 @@ int change_user(const char *username)
        return 0;
 }
 
-static char *dereference_tizen_exe_path(const char *path, char *resolved);
+static char *dereference_tizen_exe_path(const char *path);
 
 int is_same_app_process(char* appPath, int pid)
 {
@@ -171,8 +171,6 @@ int is_same_app_process(char* appPath, int pid)
        char buf[BUFFER_MAX];
        char cmdPath[PATH_MAX];
        char tPath[PATH_MAX];
-       char buf_res[PATH_MAX];
-       char tPath_res[PATH_MAX];
 
        strncpy(tPath, appPath, PATH_MAX - 1);
        tlen = strlen(tPath);
@@ -198,30 +196,41 @@ int is_same_app_process(char* appPath, int pid)
                        buf[tlen - 4] = '\0';
                }
 
-               dereference_tizen_exe_path(buf, buf_res);
-               dereference_tizen_exe_path(tPath, tPath_res);
+               char *buf_res = dereference_tizen_exe_path(buf);
+               if (buf_res == NULL)
+                       goto out;
+
+               char *tPath_res = dereference_tizen_exe_path(tPath);
+               if (tPath_res == NULL)
+                       goto free_buf_res;
 
                if(strcmp(buf_res, tPath_res) == 0)
                        ret = 1;
-               else
-                       ret = 0;
+
+               free(tPath_res);
+free_buf_res:
+               free(buf_res);
        }
-       fclose(fp);
 
+out:
+       fclose(fp);
        return ret;
 }
 
-static char *dereference_tizen_exe_path(const char *path, char *resolved)
+/*
+ * Returns a pointer to allocated buffer or NULL.
+ * The caller should deallocate this buffer using free()
+ */
+static char *dereference_tizen_exe_path(const char *path)
 {
        char *res = NULL;
        char tmp_path[PATH_MAX];
 
-       resolved[0] = 0;
        //try resolve <path>.exe
        snprintf(tmp_path, sizeof(tmp_path), "%s.exe", path);
-       if ((res = realpath(tmp_path, resolved)) == NULL) {
+       if ((res = realpath(tmp_path, NULL)) == NULL) {
                //try to resolve path <path>
-               res = realpath(path, resolved);
+               res = realpath(path, NULL);
        }
 
        return res;
Domain: SDK / Dynamic Analysis;