CVE-2020-13696: xawtv3.git - xawtv 3.x
An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/…/root/.bash_history command.
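One way a setuid helper can constrain the device path described above, as an added example (not xawtv's code and not the upstream fix). The name `safe_dev_open` and the `/dev/` prefix policy are assumptions, and the code assumes Linux with glibc.

```c
/* Added example: hardened device open for a privileged helper (not xawtv code). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Hypothetical helper. Returns an fd, or -1 for every kind of rejection so
 * the caller cannot tell "missing" from "exists but refused". */
int safe_dev_open(const char *device, unsigned int want_major)
{
    char real[PATH_MAX];
    struct stat pre, post;
    int fd;

    /* Resolve symlinks and ".." first, then require the result under /dev/. */
    if (realpath(device, real) == NULL)
        return -1;
    if (strncmp(real, "/dev/", 5) != 0)
        return -1;

    /* Check the type before opening: open() on some nodes has side effects. */
    if (lstat(real, &pre) == -1)
        return -1;
    if (!S_ISCHR(pre.st_mode) || major(pre.st_rdev) != want_major)
        return -1;

    /* O_NOFOLLOW: refuse a symlink swapped in after the lstat(). */
    fd = open(real, O_RDWR | O_NOFOLLOW | O_NOCTTY);
    if (fd == -1)
        return -1;

    /* Re-check on the descriptor: it must be the very node checked above. */
    if (fstat(fd, &post) == -1 || !S_ISCHR(post.st_mode) ||
        post.st_rdev != pre.st_rdev ||
        post.st_dev != pre.st_dev || post.st_ino != pre.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}
```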
Let’s avoid opening the file if it doesn’t exist or it is not a file of the right type.

Signed-off-by: Mauro Carvalho Chehab [email protected]
@@ -141,20 +141,23 @@ dev_open(const char *device, int major)
exit(1);
}
- /* open & check v4l device */
- if (-1 == (fd = open(device,O_RDWR))) {
- fprintf(stderr, "can’t open %s: %s\n", device, strerror(errno));
+ /* First check if the device is really a devnode of the right type */
+ if (-1 == stat(device, &stb)) {
+ fprintf(stderr, "stat(%s): %s\n", device, strerror(errno));
exit(1);
}
- if (-1 == fstat(fd,&stb)) {
- fprintf(stderr, "fstat(%s): %s\n", device, strerror(errno));
- exit(1);
- }
if (!S_ISCHR(stb.st_mode) || (major(stb.st_rdev) != major)) {
fprintf(stderr, "%s: wrong device\n", device);
exit(1);
}
+ /* Then open it */
+ if (-1 == (fd = open(device,O_RDWR))) {
+ fprintf(stderr, "can’t open %s: %s\n", device, strerror(errno));
+ exit(1);
+ }
return fd;
}
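Review bot: the new stat(device, &stb) check and the later open(device,O_RDWR) resolve the path twice, so the node that gets opened is not guaranteed to be the one whose st_mode and st_rdev were just checked; the path can be replaced between the two calls. Keep the removed fstat(fd,&stb) after the open and repeat the S_ISCHR/major test on the descriptor, ideally also comparing st_dev and st_ino against the stat() result. Separately, the "stat(%s): %s" and "%s: wrong device" messages still let the caller tell a missing path from an existing one, and nothing in this hunk rejects relative components in device, so the existence test on arbitrary paths remains; a path restriction and a single uniform error message would close that.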