Fedora 23
tmpfile weakness #35

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

lttng-ust-2.6.2/libringbuffer/shm.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

	 * increased safety against this scenario.
	 */
	sigfillset(&all_sigs);
	ret = pthread_sigmask(SIG_BLOCK, &all_sigs, &orig_sigs);
	if (ret == -1) {
		PERROR("pthread_sigmask");
		goto error_pthread_sigmask;
	}
	sigblocked = 1;

	/*
	 * Allocate shm, and immediately unlink its shm oject, keeping
	 * only the file descriptor as a reference to the object. If it
	 * already exists (caused by short race window during which the
	 * global object exists in a concurrent shm_open), simply retry.
	 * We specifically do _not_ use the / at the beginning of the
	 * pathname so that some OS implementations can keep it local to
	 * the process (POSIX leaves this implementation-defined).
	 */
	do {
		/*
		 * Using mktemp filename with O_CREAT | O_EXCL open
		 * flags.
		 */
		(void) mktemp(tmp_name);
		if (tmp_name[0] == '\0') {
			PERROR("mktemp");
			goto error_shm_open;
		}
		shmfd = shm_open(tmp_name,
				 O_CREAT | O_EXCL | O_RDWR, 0700);
	} while (shmfd < 0 && (errno == EEXIST || errno == EACCES));
	if (shmfd < 0) {
		PERROR("shm_open");
		goto error_shm_open;
	}
	ret = shm_unlink(tmp_name);
	if (ret < 0 && errno != ENOENT) {
		PERROR("shm_unlink");
		goto error_shm_release;
	}
	sigblocked = 0;
	ret = pthread_sigmask(SIG_SETMASK, &orig_sigs, NULL);
	if (ret == -1) {
		PERROR("pthread_sigmask");
		goto error_sigmask_release;
	}
	ret = zero_file(shmfd, memory_map_size);
	if (ret) {
		PERROR("zero_file"); 
