From 066002a253311c55ccab29157ded6e73f460aa33 Mon Sep 17 00:00:00 2001
From: Sangchul Lee
Date: Mon, 14 Jan 2019 18:53:43 +0900
Subject: Check for symbolic link vulnerability
Verfiy the absolute path by using realpath() and unlink it if it seems to be unexpected symbolic link. [Version] 0.12.34 [Issue Type] Security vulnerability
Change-Id: I82d85f1b2d3c218985f59463461dfc005ade5ccf
Signed-off-by: Sangchul Lee
---
 mm_sound_bootsound.c | 28 ++++++++++++++++++++++++++++
 mm_sound_focus_private.c | 32 ++++++++++++++++++++++++++++++++
 packaging/libmm-sound.spec | 2 +-
 3 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/mm_sound_bootsound.c b/mm_sound_bootsound.c
index a505231..9e69244 100644
--- a/mm_sound_bootsound.c
+++ b/mm_sound_bootsound.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -61,6 +62,32 @@ do { \
 } \
 } while (0)
+static void unlink_if_symbolic_link(const char *path)
+{
+ int ret = 0;
+ char *resolved_path = NULL;
+
+ if (path == NULL)
+ return;
+
+ /* return if it does not exist */
+ if ((ret = access(path, F_OK)))
+ return;
+
+ if ((resolved_path = realpath(path, NULL))) {
+ /* assume that the path paramether is an absolute path */
+ if (strcmp(path, resolved_path)) {
+ debug_warning("unexpected symbolic link!, unlink the symbolic link(%s) to the resolved path(%s)", path, resolved_path);
+ unlink(path);
+ }
+ free(resolved_path);
+ } else {
+ char str_error[256];
+ strerror_r(errno, str_error, sizeof(str_error));
+ debug_warning("failed to realpath() for path:%s, err:%s", path, str_error);
+ }
+}
+
 EXPORT_API
 int mm_sound_boot_ready(int timeout_sec)
 {
@@ -117,6 +144,7 @@ int mm_sound_boot_play_sound(char* path)
 close(fd);
 fd = -1;
+ unlink_if_symbolic_link(KEYTONE_PATH);
 /* Open PIPE */
 fd = open(KEYTONE_PATH, O_WRONLY | O_NONBLOCK);
 if (fd == -1) {
diff --git a/mm_sound_focus_private.c b/mm_sound_focus_private.c
index 98b06a7..b087839 100644
--- a/mm_sound_focus_private.c
+++ b/mm_sound_focus_private.c
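Review bot: In `unlink_if_symbolic_link()` (hunk `@@ -61,6 +62,32 @@`, and the identical copy added to mm_sound_focus_private.c) the `strcmp(path, resolved_path)` comparison is not a test of whether `path` itself is a link. realpath() canonicalises every component, so a symlinked parent directory makes the strings differ and a legitimate FIFO is unlinked, while a dangling link is never removed because `access(path, F_OK)` follows it and returns early. Testing the final component directly avoids both cases: `struct stat st; if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) unlink(path);`. The `ret` local is assigned but never read and the result of `unlink()` is ignored, so a failed removal goes unnoticed; log it. The helper would also be better defined once in a shared private source file than pasted into two.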
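Review bot: At the call site in `mm_sound_boot_play_sound()` (hunk `@@ -117,6 +144,7 @@`) the check and the `open()` on the following line are two separate path lookups, so a link that appears between them is still followed. The same holds for the `open(filename2, ...)` calls in the `@@ -137,6 +164,8 @@` and `@@ -224,6 +253,8 @@` hunks of mm_sound_focus_private.c, whose paths are under /tmp. Let the open itself refuse a link, `fd = open(KEYTONE_PATH, O_WRONLY | O_NONBLOCK | O_NOFOLLOW);`, and confirm with `fstat()` on the returned descriptor that it is a FIFO before writing to it. The enclosing function continues outside the hunk, so the later use of `fd` is not visible here.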
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -35,6 +36,32 @@ focus_sound_info_t g_focus_sound_handle[FOCUS_HANDLE_MAX];
+static void unlink_if_symbolic_link(const char *path)
+{
+ int ret = 0;
+ char *resolved_path = NULL;
+
+ if (path == NULL)
+ return;
+
+ /* return if it does not exist */
+ if ((ret = access(path, F_OK)))
+ return;
+
+ if ((resolved_path = realpath(path, NULL))) {
+ /* assume that the path paramether is an absolute path */
+ if (strcmp(path, resolved_path)) {
+ debug_warning("unexpected symbolic link!, unlink the symbolic link(%s) to the resolved path(%s)", path, resolved_path);
+ unlink(path);
+ }
+ free(resolved_path);
+ } else {
+ char str_error[256];
+ strerror_r(errno, str_error, sizeof(str_error));
+ debug_warning("failed to realpath() for path:%s, err:%s", path, str_error);
+ }
+}
+
 static gpointer _focus_thread_func(gpointer data)
 {
 unsigned int thread_id = (unsigned int)pthread_self();
@@ -137,6 +164,8 @@ static gboolean _focus_callback_handler(gpointer user_data)
 int tmpfd = -1;
 unsigned int buf = 0;
 char *filename2 = g_strdup_printf("/tmp/FOCUS.%d.%dr", focus_handle->focus_pid, cb_data.handle);
+
+ unlink_if_symbolic_link(filename2);
 tmpfd = open(filename2, O_WRONLY | O_NONBLOCK);
 if (tmpfd < 0) {
 char str_error[256];
@@ -224,6 +253,8 @@ SKIP_CB_AND_RET:
 int tmpfd = -1;
 int buf = -1;
 char *filename2 = g_strdup_printf("/tmp/FOCUS.%d.%d.wchr", focus_handle->focus_pid, cb_data.handle);
+
+ unlink_if_symbolic_link(filename2);
 tmpfd = open(filename2, O_WRONLY | O_NONBLOCK);
 if (tmpfd < 0) {
 char str_error[256];
@@ -296,6 +327,7 @@ static void _focus_open_callback(int index, bool is_for_watching)
 g_focus_sound_handle[index].focus_pid, g_focus_sound_handle[index].handle);
 }
+ unlink_if_symbolic_link(filename);
 pre_mask = umask(0);
 if (mknod(filename, S_IFIFO|0666, 0))
 debug_error("mknod() failure, errno(%d)", errno);
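Review bot: In `_focus_open_callback()` (hunk `@@ -296,6 +327,7 @@`) the new call removes only a symbolic link, so a regular file or FIFO that already exists at `filename` stays in place and `mknod()` then fails with EEXIST, which `debug_error()` merely logs. The code after that line is outside the hunk, but if it goes on to open `filename` it would be using a node this process did not create. Consider returning when `mknod()` fails, or checking with `lstat()` that the existing node is a FIFO owned by the current uid before continuing. The `umask(0)` and `S_IFIFO|0666` on the context lines make the FIFO world-writable; if `filename` is under /tmp like `filename2` in the other hunks, a directory writable only by the owning user would be a safer location than a predictable name there.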
diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec
index 32e868b..83a5314 100644
--- a/packaging/libmm-sound.spec
+++ b/packaging/libmm-sound.spec
@@ -1,6 +1,6 @@
 Name: libmm-sound
 Summary: MMSound Package contains client lib and sound_server binary
-Version: 0.12.33
+Version: 0.12.34
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
--
cgit v1.2.3