CentOS 7
tmpfile weakness #9

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

sane-backends-1.0.24/sanei/sanei_scsi.c

Context:

The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness.

       /* DosDevIOCtl failed */
      DBG (1, "sanei_scsi_open_aspi:  Can't lock buffer. rc= %lu \n", rc);
      return 0;
    }

  /* query number of installed adapters */
  memset (PSRBlock, 0, sizeof (SRB));
  PSRBlock->cmd = SRB_Inquiry;	/* host adapter inquiry */

  PSRBlock->ha_num = 0;		/* host adapter number */

  PSRBlock->flags = 0;		/* no flags set */

  rc = DosDevIOCtl (driver_handle, 0x92, 0x02,
		    (void *) PSRBlock, sizeof (SRB), &cbParam,
		    (void *) PSRBlock, sizeof (SRB), &cbreturn);
  num_adapters = PSRBlock->u.inq.num_ha;

  DBG (1, "OS/2: installed adapters %d\n", num_adapters);
  DBG (1, "OS/2: ASPI manager is '%s'\n", PSRBlock->u.inq.aspimgr_id);
  DBG (1, "OS/2: host adapter is '%s'\n", PSRBlock->u.inq.host_id);
  DBG (1, "OS/2: unique id is    '%s'\n", PSRBlock->u.inq.unique_id);

  strcpy (tmpAspi, "asXXXXXX");
  mktemp (tmpAspi);
  DBG (2, "open_aspi: open temporary file '%s'\n", tmpAspi);
  tmp = fopen (tmpAspi, "w");
  if (!tmp)
    {				/* can't open tmp file */

      DBG (1, "open_aspi:  Can't open temporary file.\n");
      return 0;
    }

  /* scan all installed adapters */
  for (i = 0; i < num_adapters; i++)
    {
      int id;
      /* query adapter name */
      memset (PSRBlock, 0, sizeof (SRB));
      PSRBlock->cmd = SRB_Inquiry;	/* host adapter inquiry */

      PSRBlock->ha_num = i;	/* host adapter number */

      PSRBlock->flags = 0;	/* no flags set */

      rc = DosDevIOCtl (driver_handle, 0x92, 0x02,
			(void *) PSRBlock, sizeof (SRB), &cbParam,
			(void *) PSRBlock, sizeof (SRB), &cbreturn);
      DBG (1, "OS/2: adapter#%02d '%s'\n", i, PSRBlock->u.inq.host_id); 
