On 9/25/25 01:38, VMware PSIRT wrote:
> [...]
> [...] However, as you can see we are performing the
> realpath() check after we completed the open() but before we read
> anything from the file. So, there is no use of pathname after the
> realpath() call here.
That does not close the race window.
An attacker can rename() a directory out of the way, plant a symlink
while you open() the file, then rename() the directory back into place
between your open() and realpath() calls.
While double-checking the man page to be sure that rename(2) will do
that, I found the renameat2(2) call with the RENAME_EXCHANGE flag, with
an example of swapping a symlink and a non-empty directory... this
appears to be a supported use...
-- Jacob
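A defensive pattern that sidesteps the pathname re-check discussed above, added here as an example and not code from the thread or from VMware: hold the containing directory open once, open a single name relative to it with openat(2) and O_NOFOLLOW, and type-check the descriptor you actually got with fstat(2), so neither a rename() of the directory nor a RENAME_EXCHANGE swap between open() and the check can change what you are reading. The make_fixture() helper, its file names and the /tmp location are constructed for a stand-alone run.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open a bare file name inside a directory the caller already holds open.
 * dirfd was resolved once, so a later rename() of that directory (or a
 * RENAME_EXCHANGE swap with a symlink) cannot redirect this lookup;
 * O_NOFOLLOW rejects a symlink planted as the final component; and the
 * type check runs on the fd we hold, not on the pathname. */
int open_regular_in_dir(int dirfd, const char *name)
{
    struct stat st;
    int fd;
    /* Refuse anything that is not a single path component. */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP when name is a symlink */
    /* Validate the object we opened, never the path we were given. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture (not from the thread): a temp directory holding a
 * regular file "data.txt" and a symlink "link" -> /etc/passwd.
 * Returns an O_DIRECTORY fd for it, or -1 on failure. */
int make_fixture(void)
{
    char path[] = "/tmp/nofollowXXXXXX";
    int dirfd, fd;
    if (mkdtemp(path) == NULL)
        return -1;
    dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    fd = openat(dirfd, "data.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "hello\n", 6) != 6 ||
        symlinkat("/etc/passwd", dirfd, "link") != 0)
        return -1;
    close(fd);
    return dirfd;
}
```

open_regular_in_dir() returns a descriptor for the regular file and -1 for the symlink, for any name containing a slash, and for "." or "..".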