swtpm: Do not follow symlinks when opening lockfile (CVE-2020-28407)

This patch addresses CVE-2020-28407. Prevent us from following symliks when we open the lockfile for writing. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Nov 14, 2020 · 4cc42c0 · 4cc42c0
1 parent e9c9778
commit 4cc42c0
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
@@ -210,7 +210,7 @@ static TPM_RESULT SWTPM_NVRAM_Lock_Lockfile(const char *directory,
         return TPM_FAIL;
     }
 
-    *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC, 0660);
+    *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0660);
     if (*fd < 0) {
         logprintf(STDERR_FILENO,
                   "SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: %s\n",