...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void open_some_file(const char *file) {
FILE *f = fopen(file, "r");
if (NULL != f) {
/* File exists, handle error */
} else {
if (fclose(f) == EOF) {
/* Handle error */
}
f = fopen(file, "w");
if (NULL == f) {
/* Handle error */
}
/* Write to file */
if (fclose(f) == EOF) {
/* Handle error */
}
}
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
void open_some_file(const char *file) {
int fd = open(file, O_CREAT | O_EXCL | O_WRONLY);
if (-1 != fd) {
FILE *f = fdopen(fd, "w");
if (NULL != f) {
/* Write to file */
if (fclose(f) == EOF) {
/* Handle error */
}
} else {
if (close(fd) == -1) {
/* Handle error */
}
}
}
} |
Exceptions
FIO45-C-EX1: TOCTOU race conditions require that the vulnerable process is more privileged than the attacker; otherwise there is nothing to be gained from a successful attack. An unprivileged process is not subject to this rule.FIO45-C-EX2: Accessing a file name or path name multiple times is permitted if the file referenced resides in a secure directory. (For more information, see FIO15-C. Ensure that file operations are performed in a secure directory.)
...
This POSIX code example verifies that each subsequent file access operates on the same file. In POSIX, every file can be uniquely identified by using its device and i-node attributes. This code example checks that a file name refers to a regular file (and not a directory, symbolic link, or other special file) by invoking lstat(). This call also retrieves its device and i-node. The file is subsequently opened. Finally, the program verifies that the file that was opened is the same one (matching device and i-nodes) as the file that was confirmed as a regular file.
An attacker can still exploit this code if they have the ability to delete the benign file and create the malicious file within the race window between lstat() and open(). It is possible that the OS kernel will reuse the same device and i-node for both files. This can be mitigated by making sure that the attacker lacks the permissions to delete the benign file.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <sys/stat.h>
#include <fcntl.h>
int open_regular_file(char *filename, int flags) {
struct stat lstat_info;
struct stat fstat_info;
int f;
if (lstat(filename, &lstat_info) == -1) {
/* File does not exist, handle error */
}
if (!S_ISREG(lstat_info.st_mode)) {
/* File is not a regular file, handle error */
}
if ((f = open(filename, flags)) == -1) {
/* File has disappeared, handle error */
}
if (fstat(f, &fstat_info) == -1) {
/* Handle error */
}
if (lstat_info.st_ino != fstat_info.st_ino ||
lstat_info.st_dev != fstat_info.st_dev) {
/* Open file is not the expected regular file, handle error */
}
/* f is the expected regular open file */
return f;
} |
...
TOCTOU race conditions can result in unexpected behavior, including privilege escalation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO45-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| IO.RACE | File system race condition | ||||||
| Coverity |
| TOCTOU | Implemented | ||||||
| Helix QAC |
| DF4851, DF4852, DF4853 | |||||||
| Klocwork |
| SV.TOCTOU.FILE_ACCESS | |||||||
| LDRA tool suite |
| 75 D | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-FIO45-a | Avoid race conditions while accessing files | ||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO45-C | Checks for file |
access between time of check and use ( |
rule partially covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
| [Seacord 2013b] | Chapter 7, "Files" |
...
...