alpine 3.7
tmpfile weakness #41

4

Weakness Breakdown


Definition:

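A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, typically because the file is treated as short-lived and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file. The race-condition form of the weakness arises when a file name is chosen first and the file is opened later, leaving a window in which another process can create or replace that path; creating the file atomically with an unpredictable name and owner-only permissions (for example with mkstemp(3)) closes that window.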

Warning code(s):

Temporary file race condition.

File Name:

pcc/src/pcc-20171006/mip/optim2.c

Context:

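The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness. The highlighting did not survive in this copy; the only identifiers in the excerpt that match a temporary-file API name are the two `mktemp(...)` calls that build the ASSIGN node inside the `SLIST_FOREACH` loop. Both calls are passed an integer field (`phi->newtmpregno`, `phi->intmpregno[i]`) and `n_type` rather than a filename template string, so they appear to be a compiler-internal node constructor that shares its name with libc mktemp(3), not a call that creates a file. Confirm this against the function's declaration in the pcc sources before triaging the finding as a real race condition; as shown, it looks like a name-based scanner match.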

 					pip->ip_node->n_left->n_label=newlabel;
					break ;
				  case pred_falltrough:
					if (bb->first->type == IP_DEFLAB) { 
						label = bb->first->ip_lbl; 
						BDEBUG(("falltrough label %d\n", label));
					} else {
						comperr("BBlock has no label?") ;
					}

					/* 
					 * add a jump to us. We _will_ be, or already have, added code in between.
					 * The code is created in the wrong order and switched at the insert, thus
					 * comming out correctly
					 */

					ip = ipnode(mkunode(GOTO, mklnode(ICON, label, 0, INT), 0, INT));
					DLIST_INSERT_AFTER((bbparent->last), ip, qelem);

					/* Add the code to the end, add a jump to us. */
					SLIST_FOREACH(phi,&bb->phi,phielem) {
						if (phi->intmpregno[i]>0) {
							n_type=phi->n_type;
							ip = ipnode(mkbinode(ASSIGN,
								mktemp(phi->newtmpregno, n_type),
								mktemp(phi->intmpregno[i],n_type),
								n_type));

							BDEBUG(("(%p, %d -> %d) ", ip, phi->intmpregno[i], phi->newtmpregno));
							DLIST_INSERT_AFTER((bbparent->last), ip, qelem);
						}
					}
					break ;
				default:
					comperr("assumption blown, complex is %d\n", complex) ;
				}
				BDEBUG(("\n"));
				i++;
			}
			break;
		}
	}
}

    
/*
 * Remove unreachable nodes in the CFG.
 */ 

void 
