A TOCTOU (time-of-check, time-of-use) race condition occurs when a program performs two or more accesses on a filename or path. Typically the first access is a check to verify some attribute of the file, followed by a call to use the file. An attacker can alter the file between the two accesses, so that the check passes against one file while the use operates on another: the check succeeds, but the use fails or, worse, acts on a different file than the one that was checked.
A program that performs a file operation on a filename or path twice creates a race window between the two operations. The window exists because the program assumes that the filename refers to the same file both times. If an attacker can modify the file, remove it, or replace it (for example with a symbolic or hard link to a different file) inside that window, the assumption no longer holds, and the program behaves incorrectly.
...
```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

int open_real_file(char *filename, int flags) {
  struct stat lstat_info;
  struct stat fstat_info;
  int fd;

  if (lstat(filename, &lstat_info) == -1) {
    /* File does not exist, handle error */
    return -1;
  }
  if (S_ISLNK(lstat_info.st_mode)) {
    /* File is a symlink, handle error */
    return -1;
  }

  /* Race window: filename may be replaced between lstat() and open() */
  fd = open(filename, flags);
  if (fd == -1) {
    /* File has disappeared, handle error */
    return -1;
  }
  if (fstat(fd, &fstat_info) == -1) {
    /* Handle error */
    close(fd);
    return -1;
  }
  /* fstat() describes the file open() actually resolved; it must be the same
   * (device, inode) pair that lstat() examined, or the symlink check is void */
  if (!(lstat_info.st_ino == fstat_info.st_ino &&
        lstat_info.st_dev == fstat_info.st_dev)) {
    /* Open file is not the non-symlink file that was checked, handle error */
    close(fd);
    return -1;
  }
  /* fd is the checked file, and that file was not a symlink */
  return fd;
}
```
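The following is an added example, not code from the CERT page or from Seacord's book, that makes the race window concrete. A hypothetical attacker callback is invoked deliberately between the check and the use, so the swap that a real attacker would have to win by timing happens every run. The vulnerable variant trusts the path name after its `lstat()` check; the hardened variant opens with `O_NOFOLLOW` and, like `open_real_file()` above, confirms with `fstat()` that the descriptor refers to the same (device, inode) the check saw. The scratch directory under `/tmp`, the file names and their contents are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical attacker hook: runs inside the race window so the swap is deterministic. */
typedef void (*race_hook)(const char *path, const char *target);

/* Check-then-use: lstat() rejects symlinks, then open() trusts the path name again. */
static int open_nosymlink_vulnerable(const char *path, race_hook attacker, const char *target) {
    struct stat lst;
    if (lstat(path, &lst) == -1 || S_ISLNK(lst.st_mode)) return -1;
    if (attacker) attacker(path, target);   /* race window: path may now name another file */
    return open(path, O_RDONLY);            /* follows whatever the path resolves to now */
}

/* Hardened: refuse to follow a symlink at open time, then verify the opened object is
 * the same (dev, inode) that lstat() checked. Either defence alone catches this swap. */
static int open_nosymlink_hardened(const char *path, race_hook attacker, const char *target) {
    struct stat lst, fst;
    if (lstat(path, &lst) == -1 || S_ISLNK(lst.st_mode)) return -1;
    if (attacker) attacker(path, target);   /* same window, but the use no longer trusts the name */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) return -1;
    if (fstat(fd, &fst) == -1 || fst.st_dev != lst.st_dev || fst.st_ino != lst.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Attacker action: replace the checked path with a symlink to the target file. */
static void swap_for_symlink(const char *path, const char *target) {
    unlink(path);
    symlink(target, path);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs one open strategy against the swap on constructed files under /tmp.
 * Returns 1 if the caller ended up reading the attacker's target file,
 * 0 if the open was refused, -1 if the scratch files could not be set up. */
int run_toctou_demo(int hardened) {
    char dir[64], pub[96], secret[96], buf[32] = {0};
    snprintf(dir, sizeof dir, "/tmp/toctou_demo_%ld", (long)getpid());
    snprintf(pub, sizeof pub, "%s/public.txt", dir);
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    if (mkdir(dir, 0700) == -1 && errno != EEXIST) return -1;
    if (write_file(pub, "public") || write_file(secret, "SECRET")) return -1;

    int fd = hardened ? open_nosymlink_hardened(pub, swap_for_symlink, secret)
                      : open_nosymlink_vulnerable(pub, swap_for_symlink, secret);
    int read_target = 0;
    if (fd != -1) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        read_target = (n > 0 && strcmp(buf, "SECRET") == 0) ? 1 : 0;
    }
    unlink(pub);
    unlink(secret);
    rmdir(dir);
    return read_target;
}

int main(void) {
    printf("vulnerable: read attacker's target = %d\n", run_toctou_demo(0));
    printf("hardened:   read attacker's target = %d\n", run_toctou_demo(1));
    return 0;
}
```

The vulnerable open returns a descriptor on `secret.txt` even though the symlink check passed, because the check and the use each resolved the name independently. The hardened open fails twice over: `O_NOFOLLOW` refuses the symlink, and had the attacker used a hard link or a rename instead, the `fstat()` comparison against the `lstat()` result would still reject the descriptor.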
Risk Assessment
TOCTOU race conditions can result in unexpected behavior, including privilege escalation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO32-C | High | Probable | High | P6 | L2 |
Bibliography
[Seacord 2013] Chapter 7, "Files"
...