Merge branch 'master' into mesa-updates

Change-Id: I4cd94a58b62d8c3987e4a60c76b37894ad851e35
author: John Kehayias <john.kehayias@protonmail.com> 2024-03-31 20:46:45 -0400
committer: John Kehayias <john.kehayias@protonmail.com> 2024-03-31 20:46:45 -0400
commit: 155f23a52e626e8ac60f818937d5bb1a3ebe3184 (patch)
tree: a19317812471db31ae2a97844d6cf74e45057466 /nix/libstore/build.cc
parent: d9dee5ea2f564fa6979ae552fd9bd5ac22f86ecc (diff)
parent: 1cba1f8ce6f84c4737650401c0eb0473a45f9ff7 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 461fcbc584..d23c0944a4 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1382,6 +1382,23 @@ void DerivationGoal::buildDone()
                 % drvPath % statusToString(status));
         }
 
+	if (fixedOutput) {
+	    /* Replace the output, if it exists, by a fresh copy of itself to
+               make sure that there's no stale file descriptor pointing to it
+               (CVE-2024-27297).  */
+	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
+		Path output = chrootRootDir + i->second.path;
+		if (pathExists(output)) {
+		    Path pivot = output + ".tmp";
+		    copyFileRecursively(output, pivot, true);
+		    int err = rename(pivot.c_str(), output.c_str());
+		    if (err != 0)
+			throw SysError(format("renaming `%1%' to `%2%'")
+				       % pivot % output);
+		}
+	    }
+	}
+
         /* Compute the FS closure of the outputs and register them as
            being valid. */
         registerOutputs();
author	John Kehayias <john.kehayias@protonmail.com>	2024-03-31 20:46:45 -0400
committer	John Kehayias <john.kehayias@protonmail.com>	2024-03-31 20:46:45 -0400
commit	155f23a52e626e8ac60f818937d5bb1a3ebe3184 (patch)
tree	a19317812471db31ae2a97844d6cf74e45057466 /nix/libstore/build.cc
parent	d9dee5ea2f564fa6979ae552fd9bd5ac22f86ecc (diff)
parent	1cba1f8ce6f84c4737650401c0eb0473a45f9ff7 (diff)