time of check, time of use issue with SWC_LAUNCH_REQUEST_OPEN_DEVICE
coypoop opened this issue · 1 comments
coypoop commented
This is under the assumption that launch and libswc are separate processes for privilege separation (I am not sure if this is true).
- libswc makes request SWC_LAUNCH_REQUEST_OPEN_DEVICE with (say) a valid DRM_MAJOR
- stat(...) is used to check it's DRM_MAJOR
- libswc quickly swaps the pathname for another file
- open(...) is now done on something that isn't a DRM_MAJOR, and maybe can be abused.
Using open THEN fstat eliminates the TOCTOU issue (if this is a security check).
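The two orderings described in this report, side by side, as an added example that is not part of the original thread and is not swc's code. The function names, the `want_major` parameter and the `/dev/null` demo are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Racy order from the report: stat() and open() each resolve the path,
 * so the name can refer to a different file by the time open() runs. */
int open_device_racy(const char *path, int flags, unsigned want_major)
{
    struct stat st;
    if (stat(path, &st) < 0 || !S_ISCHR(st.st_mode) ||
        major(st.st_rdev) != want_major)
        return -1;
    /* window: the path can be replaced between the check and the open */
    return open(path, flags | O_CLOEXEC);
}

/* Order suggested in the report: open once, then fstat() the descriptor,
 * so the check describes the object that was actually opened. */
int open_device_checked(const char *path, int flags, unsigned want_major)
{
    struct stat st;
    /* The open now precedes the check, so keep it free of side effects:
     * O_NONBLOCK avoids blocking on a FIFO, O_NOCTTY avoids acquiring a
     * controlling terminal from an unverified tty. */
    int fd = open(path, flags | O_CLOEXEC | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode) ||
        major(st.st_rdev) != want_major) {
        close(fd); /* wrong kind of file: never hand it to the caller */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed demo: /dev/null is character device major 1 on Linux. */
    int fd = open_device_checked("/dev/null", O_RDWR, 1);
    printf("major 1: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    fd = open_device_checked("/dev/null", O_RDWR, 226); /* 226 = DRM_MAJOR */
    printf("major 226: %s\n", fd >= 0 ? "accepted" : "rejected");
    return 0;
}
```

If the caller needs blocking I/O on the verified descriptor, it can clear `O_NONBLOCK` with `fcntl(fd, F_SETFL, ...)` after the check has passed.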
michaelforney commented
Should be fixed now. Thanks for reporting the issue!