argon2: make sure the lock file is a regular file

canonical · Jan 17, 2025 · 0e6e386 · 0e6e386
1 parent a264de8
commit 0e6e386
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/argon2_out_of_process_support_sync.go b/argon2_out_of_process_support_sync.go
@@ -160,6 +160,11 @@ func acquireArgon2OutOfProcessHandlerSystemLock(timeout time.Duration) (release
 			return nil, fmt.Errorf("cannot obtain lock file info from open descriptor: %w", err)
 		}
 
+		// Make sure we have opened a regular file
+		if lockFileSt.Mode&syscall.S_IFMT != syscall.S_IFREG {
+			return nil, errors.New("opened lock file is not a regular file")
+		}
+
 		// Attempt to acquire an exclusive, non-blocking, advisory lock.
 		if err := unix.Flock(int(lockFile.Fd()), unix.LOCK_EX|unix.LOCK_NB); err != nil {
 			// We failed to acquire the lock.

diff --git a/argon2_out_of_process_support_sync_test.go b/argon2_out_of_process_support_sync_test.go
@@ -21,6 +21,7 @@ package secboot_test
 
 import (
 	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"syscall"
@@ -180,3 +181,10 @@ func (s *argon2OutOfProcessSupportSyncSuite) TestAcquireAndReleaseArgon2OutOfPro
 	_, err = os.Stat(s.lockPath)
 	c.Check(os.IsNotExist(err), testutil.IsTrue)
 }
+
+func (s *argon2OutOfProcessSupportSyncSuite) TestAcquireArgon2OutOfProcessHandlerSystemLockErrorDir(c *C) {
+	os.Mkdir(s.lockPath, 0755)
+
+	_, err := AcquireArgon2OutOfProcessHandlerSystemLock(0)
+	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open lock file for writing: open %s: is a directory", s.lockPath))
+}