[LTP] [PATCH v2] tst_tmpdir: Fix buffer overflow in tst_tmpdir.c
Wei Gao
wegao@suse.com
Tue Nov 25 05:36:22 CET 2025
On Thu, Nov 13, 2025 at 03:38:08PM +0100, Cyril Hrubis wrote:
> Hi!
> > Using sprintf without length checking in tst_tmpdir may lead to buffer overflow.
> > So in this patch use openat() instead of open().
> >
> > Fixes: https://github.com/linux-test-project/ltp/issues/1241
> > Suggested-by: Cyril Hrubis <chrubis@suse.cz>
> > Signed-off-by: Wei Gao <wegao@suse.com>
>
> > } else {
> > - if (unlink(obj) < 0) {
> > + if (unlinkat(dir_fd, obj, 0) < 0) {
> > if (errmsg != NULL) {
> > - sprintf(err_msg,
> > - "unlink(%s) failed; errno=%d: %s", obj,
> > + snprintf(err_msg, sizeof(err_msg),
> > + "unlinkat(%s) failed; errno=%d: %s", obj,
> > errno, tst_strerrno(errno));
> > *errmsg = err_msg;
> > }
> > @@ -305,7 +339,7 @@ void tst_tmpdir(void)
> > tst_resm(TERRNO, "%s: chdir(%s) failed", __func__, TESTDIR);
> >
> > /* Try to remove the directory */
> > - if (rmobj(TESTDIR, &errmsg) == -1) {
> > + if (rmobjat(0, TESTDIR, &errmsg) == -1) {
> > tst_resm(TWARN, "%s: rmobj(%s) failed: %s",
> > __func__, TESTDIR, errmsg);
> > }
> > @@ -343,7 +377,7 @@ void tst_rmdir(void)
> > /*
> > * Attempt to remove the "TESTDIR" directory, using rmobj().
> > */
> > - if (rmobj(TESTDIR, &errmsg) == -1) {
> > + if (rmobjat(0, TESTDIR, &errmsg) == -1) {
> > tst_resm(TWARN, "%s: rmobj(%s) failed: %s",
> > __func__, TESTDIR, errmsg);
> > }
>
> We should pass AT_FDCWD to the two rmobjat() here since it's possible to
> pass relative path in the TMPDIR environment variable. Otherwise the
> code will not work with e.g. TMPDIR="." ./test_foo
>
My test show we never support TMPDIR=".", following error will show:
tst_tmpdir.c:135: TBROK: You must specify an absolute pathname for environment variable TMPDIR
I guess we need another patch enable this.
> --
> Cyril Hrubis
> chrubis@suse.cz
More information about the ltp
mailing list