alpine 3.7
tmpfile weakness #42

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

pcc/src/pcc-20171006/mip/optim2.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

 							     mktemp(phi->newtmpregno, n_type),
							     mktemp(phi->intmpregno[i],n_type),
							     n_type));
							BDEBUG(("(%p, %d -> %d) ", ip, phi->intmpregno[i], phi->newtmpregno));
				
							DLIST_INSERT_BEFORE((bbparent->last), ip, qelem);
						}
					}
					break ;
				  case pred_cond:
					/* Here, we need a jump pad */
					newlabel=getlab2();
			
					ip = tmpalloc(sizeof(struct interpass));
					ip->type = IP_DEFLAB;
					/* Line number?? ip->lineno; */
					ip->ip_lbl = newlabel;
					DLIST_INSERT_BEFORE((bb->first), ip, qelem);

					SLIST_FOREACH(phi,&bb->phi,phielem) {
						if (phi->intmpregno[i]>0) {
							n_type=phi->n_type;
							ip = ipnode(mkbinode(ASSIGN,
							     mktemp(phi->newtmpregno, n_type),
							     mktemp(phi->intmpregno[i],n_type),
							     n_type));

							BDEBUG(("(%p, %d -> %d) ", ip, phi->intmpregno[i], phi->newtmpregno));
							DLIST_INSERT_BEFORE((bb->first), ip, qelem);
						}
					}
					/* add a jump to us */
					ip = ipnode(mkunode(GOTO, mklnode(ICON, label, 0, INT), 0, INT));
					DLIST_INSERT_BEFORE((bb->first), ip, qelem);
					setlval(pip->ip_node->n_right,newlabel);
					if (!logop(pip->ip_node->n_left->n_op))
						comperr("SSA not logop");
					pip->ip_node->n_left->n_label=newlabel;
					break ;
				  case pred_falltrough:
					if (bb->first->type == IP_DEFLAB) { 
						label = bb->first->ip_lbl; 
						BDEBUG(("falltrough label %d\n", label));
					} else {
						comperr("BBlock has no label?") ;
					}

					/* 
					 * add a jump to us. We _will_ be, or already have, added code in between.
					 * The code is created in the wrong order and switched at the insert, thus 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.