crash-reporter: Avoid writing through symlinks.

user_collector.cc

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crash-reporter/user_collector.h"
 
-#include <fcntl.h>  // For creat.
 #include <grp.h>  // For struct group.
 #include <pwd.h>  // For struct passwd.
 #include <sys/types.h>  // For getpwuid_r, getgrnam_r, WEXITSTATUS.
-#include <sys/wait.h>  // For waitpid.
-#include <unistd.h>  // For execv and fork.
 
 #include <string>
 #include <vector>
 
-#include "base/eintr_wrapper.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/string_util.h"
 #include "crash-reporter/system_logging.h"
 #include "gflags/gflags.h"
 
 #pragma GCC diagnostic ignored "-Wstrict-aliasing"
 DEFINE_bool(core2md_failure_test, false, "Core2md failure test");
 DEFINE_bool(directory_failure_test, false, "Spool directory failure test");
 DEFINE_string(filter_in, "",
@@ skipping 141 matching lines @@
                                               const std::string &exec) {
   FilePath crash_path;
   logger_->LogInfo("Writing conversion problems as separate crash report.");
   if (!GetCreatedCrashDirectoryByEuid(0, &crash_path, NULL)) {
     logger_->LogError("Could not even get log directory; out of space?");
     return;
   }
   std::string dump_basename = FormatDumpBasename(exec, time(NULL), pid);
   FilePath log_path = GetCrashPath(crash_path, dump_basename, "log");
   FilePath meta_path = GetCrashPath(crash_path, dump_basename, "meta");
-  file_util::WriteFile(log_path,
-                       error_log_.data(),
-                       error_log_.length());
+  // We must use WriteNewFile instead of file_util::WriteFile as we do
+  // not want to write with root access to a symlink that an attacker
+  // might have created.
+  WriteNewFile(log_path, error_log_.data(), error_log_.length());
   AddCrashMetaData("sig", kCollectionErrorSignature);
   WriteCrashMetaData(meta_path, exec, log_path.value());
 }
 
 bool UserCollector::CopyOffProcFiles(pid_t pid,
                                      const FilePath &container_dir) {
   if (!file_util::CreateDirectory(container_dir)) {
     LogCollectionError(StringPrintf("Could not create %s",
                                     container_dir.value().c_str()));
     return false;
@@ skipping 56 matching lines @@
   if (file_util::CopyFile(stdin_path, core_path)) {
     return true;
   }
 
   LogCollectionError("Could not write core file");
   // If the file system was full, make sure we remove any remnants.
   file_util::Delete(core_path, false);
   return false;
 }
 
-int UserCollector::ForkExecAndPipe(std::vector<const char *> &arguments,
-                                   const char *output_file) {
-  // Copy off a writeable version of arguments.
-  scoped_array<char*> argv(new char *[arguments.size() + 1]);
-  int total_args_size = 0;
-  for (size_t i = 0; i < arguments.size(); ++i) {
-    if (arguments[i] == NULL) {
-      logger_->LogError("Bad parameter");
-      return -1;
-    }
-    total_args_size += strlen(arguments[i]) + 1;
-  }
-  scoped_array<char> buffer(new char[total_args_size]);
-  char *buffer_pointer = &buffer[0];
-
-  for (size_t i = 0; i < arguments.size(); ++i) {
-    argv[i] = buffer_pointer;
-    strcpy(buffer_pointer, arguments[i]);
-    buffer_pointer += strlen(arguments[i]);
-    *buffer_pointer = '\0';
-    ++buffer_pointer;
-  }
-  argv[arguments.size()] = NULL;
-
-  int pid = fork();
-  if (pid < 0) {
-    logger_->LogError("Fork failed: %d", errno);
-    return -1;
-  }
-
-  if (pid == 0) {
-    int output_handle = creat(output_file, 0700);
-    if (output_handle < 0) {
-      logger_->LogError("Could not create %s: %d", output_file, errno);
-      // Avoid exit() to avoid atexit handlers from parent.
-      _exit(127);
-    }
-    dup2(output_handle, 1);
-    dup2(output_handle, 2);
-    execv(argv[0], &argv[0]);
-    logger_->LogError("Exec failed: %d", errno);
-    _exit(127);
-  }
-
-  int status = 0;
-  if (HANDLE_EINTR(waitpid(pid, &status, 0)) < 0) {
-    logger_->LogError("Problem waiting for pid: %d", errno);
-    return -1;
-  }
-  if (!WIFEXITED(status)) {
-    logger_->LogError("Process did not exit normally: %d", status);
-    return -1;
-  }
-  return WEXITSTATUS(status);
-}
-
 bool UserCollector::RunCoreToMinidump(const FilePath &core_path,
                                       const FilePath &procfs_directory,
                                       const FilePath &minidump_path,
                                       const FilePath &temp_directory) {
   FilePath output_path = temp_directory.Append("output");
   std::vector<const char *> core2md_arguments;
   core2md_arguments.push_back(kCoreToMinidumpConverterPath);
   core2md_arguments.push_back(core_path.value().c_str());
   core2md_arguments.push_back(procfs_directory.value().c_str());
   core2md_arguments.push_back(minidump_path.value().c_str());
@@ skipping 129 matching lines @@
       if (!ConvertAndEnqueueCrash(pid, exec, &out_of_capacity)) {
         if (!out_of_capacity)
           EnqueueCollectionErrorLog(pid, exec);
         return false;
       }
     }
   }
 
   return true;
 }