alpine 3.9
tmpfile weakness #9

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is unintentionally accessible to a low-privilege process, typically because the file is temporary and is created after all security controls have been applied. This lets the low-privilege process read data belonging to the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

pcc/src/pcc-20180924/mip/optim2.c

Context:

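The highlighted line of code below is the trigger point of this particular Alpine 3.9 tmpfile weakness. The highlighting did not survive in this listing; the only identifiers in the excerpt that match the warning are the `mktemp(...)` calls. Note that these calls take two arguments (a `tmpregno` value and `n_type`) and their result is passed to `mkbinode` as an operand of an `ASSIGN`, whereas the C library's `mktemp(3)` takes a single file-name template string. This suggests the calls refer to a compiler-internal helper that happens to share the name, so the finding is probably a name-based false positive; confirm against the definition of `mktemp` in the pcc sources before treating it as a real temporary-file race.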

 					label = (int)getlval(pip->ip_node->n_right);

					/* Check if parent got us here via branch */
					if (bb == p2e->labinfo.arr[label - p2e->ipp->ip_lblnum])
						complex = pred_cond ;
					else
						complex = pred_falltrough ;

				} else if (DLIST_PREV(bb, bbelem) == bbparent) {
					complex = pred_falltrough ;
				} else {
					    /* PANIC */
					comperr("Assumption blown in rem-phi") ;
				}
       
				BDEBUG((" Complex: %d ",complex)) ;

				switch (complex) {
				  case pred_goto:
					/* gotos can only go to this place. No bounce tab needed */
					SLIST_FOREACH(phi,&bb->phi,phielem) {
						if (phi->intmpregno[i]>0) {
							n_type=phi->n_type;
							ip = ipnode(mkbinode(ASSIGN,
							     mktemp(phi->newtmpregno, n_type),
							     mktemp(phi->intmpregno[i],n_type),
							     n_type));
							BDEBUG(("(%p, %d -> %d) ", ip, phi->intmpregno[i], phi->newtmpregno));
				
							DLIST_INSERT_BEFORE((bbparent->last), ip, qelem);
						}
					}
					break ;
				  case pred_cond:
					/* Here, we need a jump pad */
					newlabel=getlab2();
			
					ip = tmpalloc(sizeof(struct interpass));
					ip->type = IP_DEFLAB;
					/* Line number?? ip->lineno; */
					ip->ip_lbl = newlabel;
					DLIST_INSERT_BEFORE((bb->first), ip, qelem);

					SLIST_FOREACH(phi,&bb->phi,phielem) {
						if (phi->intmpregno[i]>0) {
							n_type=phi->n_type;
							ip = ipnode(mkbinode(ASSIGN,
							     mktemp(phi->newtmpregno, n_type),
							     mktemp(phi->intmpregno[i],n_type),
							     n_type)); 
