From 0e6e3865f248ed3f583ff700d784f45ed438bd0a Mon Sep 17 00:00:00 2001 From: Chris Coulson Date: Fri, 17 Jan 2025 14:10:16 +0000 Subject: [PATCH] argon2: make sure the lock file is a regular file --- argon2_out_of_process_support_sync.go | 5 +++++ argon2_out_of_process_support_sync_test.go | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/argon2_out_of_process_support_sync.go b/argon2_out_of_process_support_sync.go index e24369b8..b6348cf1 100644 --- a/argon2_out_of_process_support_sync.go +++ b/argon2_out_of_process_support_sync.go @@ -160,6 +160,11 @@ func acquireArgon2OutOfProcessHandlerSystemLock(timeout time.Duration) (release return nil, fmt.Errorf("cannot obtain lock file info from open descriptor: %w", err) } + // Make sure we have opened a regular file + if lockFileSt.Mode&syscall.S_IFMT != syscall.S_IFREG { + return nil, errors.New("opened lock file is not a regular file") + } + // Attempt to acquire an exclusive, non-blocking, advisory lock. if err := unix.Flock(int(lockFile.Fd()), unix.LOCK_EX|unix.LOCK_NB); err != nil { // We failed to acquire the lock. diff --git a/argon2_out_of_process_support_sync_test.go b/argon2_out_of_process_support_sync_test.go index 8181e6da..4d299ae6 100644 --- a/argon2_out_of_process_support_sync_test.go +++ b/argon2_out_of_process_support_sync_test.go @@ -21,6 +21,7 @@ package secboot_test import ( "errors" + "fmt" "os" "path/filepath" "syscall" @@ -180,3 +181,10 @@ func (s *argon2OutOfProcessSupportSyncSuite) TestAcquireAndReleaseArgon2OutOfPro _, err = os.Stat(s.lockPath) c.Check(os.IsNotExist(err), testutil.IsTrue) } + +func (s *argon2OutOfProcessSupportSyncSuite) TestAcquireArgon2OutOfProcessHandlerSystemLockErrorDir(c *C) { + os.Mkdir(s.lockPath, 0755) + + _, err := AcquireArgon2OutOfProcessHandlerSystemLock(0) + c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open lock file for writing: open %s: is a directory", s.lockPath)) +}