Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

fedora 25
tmpfile weakness #11


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 25 tmpfile weakness.

 #define N 16
ulock_t pool[N];

/* manipulating a software lock */
#define CONS(pool,value)  (((pool)<<8) | 0xE | (value))
#define POOL(l)	  	  (((*l)>>8)&0xFF)
#define LOCKPOOL(l)	  ussetlock(pool[POOL(l)])
#define UNLOCKPOOL(l)	  usunsetlock(pool[POOL(l)])
#define LOCK(l)		  ((*l) |= 1)
#define UNLOCK(l)	  ((*l) &= ~1)
#define LOCKED(l)	  ((*l) & 1)
#define VALID(l)	  ((((*l)&~0xFFFF)==0) && (((*l)&0xE)==0xE))

int _dxf_initlocks(void)
    static int been_here = 0;
    static char tmp[] = "/tmp/loXXXXXX";
    char *mktemp();
    int i;


    if (!been_here) {
	been_here = 1;
	usconfig(CONF_INITUSERS, 64);
	usptr = usinit(tmp);
	if (!usptr)
	    DXErrorReturn(ERROR_NO_MEMORY, "Can't create us block for locks");

	/* create a pool of N real locks */
	for (i=0; i<N; i++) {
	    pool[i] = usnewlock(usptr);
	    if (!pool[i])
		DXErrorReturn(ERROR_NO_MEMORY, "can't create lock pool");

    return OK;

int DXcreate_lock(lock_type *l, char *name)
    static int been_here = 0;
    int i;

    if (!been_here) {
	been_here = 1;
	if (!_dxf_initlocks()) 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.