SDL: Fix TOCTOU race condition

From 19b3ddac2f3fdce57ed09bfb65ce57c0f643e080 Mon Sep 17 00:00:00 2001
From: Mingjie Shen <[EMAIL REDACTED]>
Date: Fri, 8 Mar 2024 17:20:29 -0500
Subject: [PATCH] Fix TOCTOU race condition

Separately checking the state of a file before operating on it may allow
an attacker to modify the file between the two operations. (CWE-367)
Fix by using fstat() instead of stat().
---
 src/audio/SDL_audiodev.c             |  8 +++++---
 src/haptic/linux/SDL_syshaptic.c     | 18 ++++++++++--------
 src/joystick/linux/SDL_sysjoystick.c | 17 ++++++++---------
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/src/audio/SDL_audiodev.c b/src/audio/SDL_audiodev.c
index 7b21a1ce59a2a..46e4c4dbf2ac9 100644
--- a/src/audio/SDL_audiodev.c
+++ b/src/audio/SDL_audiodev.c
@@ -48,9 +48,9 @@
 static void test_device(const SDL_bool iscapture, const char *fname, int flags, SDL_bool (*test)(int fd))
 {
     struct stat sb;
-    if ((stat(fname, &sb) == 0) && (S_ISCHR(sb.st_mode))) {
-        const int audio_fd = open(fname, flags | O_CLOEXEC, 0);
-        if (audio_fd >= 0) {
+    const int audio_fd = open(fname, flags | O_CLOEXEC, 0);
+    if (audio_fd >= 0) {
+        if ((fstat(audio_fd, &sb) == 0) && (S_ISCHR(sb.st_mode))) {
             const SDL_bool okay = test(audio_fd);
             close(audio_fd);
             if (okay) {
@@ -65,6 +65,8 @@ static void test_device(const SDL_bool iscapture, const char *fname, int flags,
                  */
                 SDL_AddAudioDevice(iscapture, fname, NULL, (void *)(uintptr_t)dummyhandle);
             }
+        } else {
+            close(audio_fd);
         }
     }
 }
diff --git a/src/haptic/linux/SDL_syshaptic.c b/src/haptic/linux/SDL_syshaptic.c
index 4792360e2c1e9..b80a641cc3215 100644
--- a/src/haptic/linux/SDL_syshaptic.c
+++ b/src/haptic/linux/SDL_syshaptic.c
@@ -240,24 +240,26 @@ static int MaybeAddDevice(const char *path)
         return -1;
     }
 
-    /* check to see if file exists */
-    if (stat(path, &sb) != 0) {
+    /* try to open */
+    fd = open(path, O_RDWR | O_CLOEXEC, 0);
+    if (fd < 0) {
+        return -1;
+    }
+
+    /* get file status */
+    if (fstat(fd, &sb) != 0) {
+        close(fd);
         return -1;
     }
 
     /* check for duplicates */
     for (item = SDL_hapticlist; item; item = item->next) {
         if (item->dev_num == sb.st_rdev) {
+            close(fd);
             return -1; /* duplicate. */
         }
     }
 
-    /* try to open */
-    fd = open(path, O_RDWR | O_CLOEXEC, 0);
-    if (fd < 0) {
-        return -1;
-    }
-
 #ifdef DEBUG_INPUT_EVENTS
     printf("Checking %s\n", path);
 #endif
diff --git a/src/joystick/linux/SDL_sysjoystick.c b/src/joystick/linux/SDL_sysjoystick.c
index 10f074414364d..bf1304971f962 100644
--- a/src/joystick/linux/SDL_sysjoystick.c
+++ b/src/joystick/linux/SDL_sysjoystick.c
@@ -417,7 +417,13 @@ static void MaybeAddDevice(const char *path)
         return;
     }
 
-    if (stat(path, &sb) == -1) {
+    fd = open(path, O_RDONLY | O_CLOEXEC, 0);
+    if (fd < 0) {
+        return;
+    }
+
+    if (fstat(fd, &sb) == -1) {
+        close(fd);
         return;
     }
 
@@ -435,11 +441,6 @@ static void MaybeAddDevice(const char *path)
         }
     }
 
-    fd = open(path, O_RDONLY | O_CLOEXEC, 0);
-    if (fd < 0) {
-        goto done;
-    }
-
 #ifdef DEBUG_INPUT_EVENTS
     SDL_Log("Checking %s\n", path);
 #endif
@@ -507,9 +508,7 @@ static void MaybeAddDevice(const char *path)
     }
 
 done:
-    if (fd >= 0) {
-        close(fd);
-    }
+    close(fd);
     SDL_UnlockJoysticks();
 }