alpine 3.6
tmpfile weakness #90

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is unintentionally shared with a low-privilege process, typically because the file is temporary and is generated after all security controls have been applied. The low-privilege process can then read data belonging to the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ocfs2-tools/src/ocfs2-tools-1.6.4/fswreck/dir.c

Context:

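The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness. The highlighting is not preserved in this text rendering; given the warning, the flagged line is presumably the `mktemp(name)` call in `damage_dir_content`. `mktemp` only generates a name that was unused at the time of the call and does not create the file, so another process can claim that name before the program uses it; `mkstemp` closes that window by creating and opening the file in a single step. In the two cases fully visible in this excerpt, `name` is overwritten with "." or "a" before it is used, so how far the generated name actually reaches should be confirmed against the rest of the function.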

 	dcs.oldname = name;
	dcs.oldnamelen = name ? strlen(name) : 0;
	dcs.done = 0;
	dcs.reserved = inc;

	rc = ocfs2_dir_iterate(fs, dir, 0, 0, corrupt_dirent_reclen_proc, &dcs);
	if (rc)
		return rc;

	*new_reclen = dcs.reserved;

	return (dcs.done) ? 0 : OCFS2_ET_DIR_NO_SPACE;
}

static void damage_dir_content(ocfs2_filesys *fs, uint64_t dir,
				enum fsck_type type)
{
	errcode_t ret;
	uint64_t tmp_blkno, tmp_no;
	char name[OCFS2_MAX_FILENAME_LEN];
	mode_t mode;

	memset(name, 0, sizeof(name));
	sprintf(name, "testXXXXXX");
	if (!mktemp(name))
		FSWRK_COM_FATAL(progname, errno);

	switch (type) {
	case DIRENT_DOTTY_DUP:
		/* add another "." at the end of the directory */
		sprintf(name, ".");
		ret = ocfs2_link(fs, dir, name, dir, OCFS2_FT_DIR);
		if (ret)
			FSWRK_COM_FATAL(progname, ret);
		fprintf(stdout, "DIRENT_DOTTY_DUP: "
			"Corrupt directory#%"PRIu64
			", add another '.' to it.\n", dir);
		break;
	case DIRENT_NOT_DOTTY:
		/* rename the first ent from "." to "a". */
		sprintf(name, "a");
		rename_dirent(fs, dir, name, ".");
		fprintf(stdout, "DIRENT_NOT_DOTTY: "
			"Corrupt directory#%"PRIu64
			", change '.' to %s.\n", dir, name);
		break;
	case DIRENT_DOT_INODE:
		fprintf(stdout, "DIRENT_DOT_INODE: "
			"Corrupt directory#%"PRIu64
			", change dot inode to #%"PRIu64".\n", dir, (dir+10)); 
