Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

rhel 6
race weakness #493


Weakness Breakdown


A race condition exists when parallel code accesses shared data without proper coordination. An attack that uses a race-condition weakness takes advantage of the unsafe data access to manipulate how one of the parallel sections of code reacts. Even though each process runs as intended, the outcome is unexpected. For example, consider a bank service that depends on an encryption key that it reads from a known location. An independent cryptography service is responsible for generating the key and placing it where the bank is expected to read it in a timely manner. If the bank and cryptography services do not coordinate with each other, then the bank may read a blank encryption key before cryptography writes the key to the location. This can effectively turn off all encryption for the bank without either service, or the administrator, knowing that something has gone wrong.

Warning code(s):

This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL..

File Name:



The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 6 race weakness.

 # define SHLIB_COMPAT(lib, introduced, obsoleted) 0
# define versioned_symbol(lib, local, symbol, version) extern int dummy
# define compat_symbol(lib, local, symbol, version)
# define weak_alias(local, symbol)
# define __canonicalize_file_name canonicalize_file_name
# define __realpath realpath
# include "pathmax.h"
# include "malloca.h"
    /* When building the relocatable program wrapper, use the system's getcwd
       function, not the gnulib override, otherwise we would get a link error.
#   undef getcwd
#  endif
#  ifdef VMS
    /* We want the directory in Unix syntax, not in VMS syntax.  */
#   define __getcwd(buf, max) getcwd (buf, max, 0)
#  else
#   define __getcwd getcwd
#  endif
# else
#  define __getcwd(buf, max) getwd (buf)
# endif
# define __readlink readlink
# define __set_errno(e) errno = (e)
#  ifdef SYMLOOP_MAX
#  else
#   define MAXSYMLINKS 20
#  endif
# endif


/* Return the canonical absolute name of file NAME.  A canonical name
   does not contain any ".", ".." components nor any repeated path
   separators ('/') or symlinks.  All path components must exist.  If
   RESOLVED is null, the result is malloc'd; otherwise, if the
   canonical name is PATH_MAX chars or more, returns null with 'errno'
   set to ENAMETOOLONG; if the name fits in fewer than PATH_MAX chars,
   returns the name in RESOLVED.  If the name cannot be resolved and
   RESOLVED is non-NULL, it contains the path of the first component
   that cannot be resolved.  If the path can be resolved, RESOLVED
   holds the same value as the value returned.  */ 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.