| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
A File System Race Condition vulnerability occurs when a program calls a function that checks a named file and then later calls a function that uses the same named file. The source code assumes the file is the same at both times, when in fact another process may have changed the file between the 'check' and 'use'. For example, an attacker could replace the original file with a link to a file containing confidential data.
| Class Name | File System Race Condition |
|---|---|
| Significance | security |
| Mnemonic | IO.RACE |
| Categories | |
| Availability | Available for C and C++. |
| Enabling | Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file: `WARNING_FILTER += discard class="File System Race Condition"` |
CodeSonar ships with library models that allow it to recognize a large number of functions that take a file name or directory name argument. Some examples are shown in the table below. If a file/directory name is passed to one of these functions (the check) and later the same name is passed to another of these functions (the use), a warning will be issued.
If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering File System Race Condition warnings.
| Functions that can trigger warnings include... | |
|---|---|
| gcc Builtins | __builtin_execl(), __builtin_execv(), |
| libc | chmod(), open(), stat() |
| Win32 | CanShareFolderW(), PathMakeUniqueName(), freopen_s() |
Time-of-check to time-of-use (TOCTTOU) vulnerabilities in source code provide a window of opportunity for attackers to manipulate the file system in order to gain unauthorized access. For example, the following use of unlink before open is vulnerable to attack:
```c
#include <fcntl.h>
#include <unistd.h>

void tocttou(const void *secret, size_t secret_size){
    int fdesc;
    /* choose a filename for recording sensitive data */
    const char *fname = "myfile.txt";
    /* unlink to ensure that fname isn't already in use by someone else */
    unlink(fname);
    /* DANGER */
    /* open the file and write the data to it */
    /* (O_CREAT requires a mode argument; 0600 = owner read/write only) */
    fdesc = open(fname, O_CREAT|O_RDWR, 0600); /* 'File System Race Condition' warning issued here */
    if (fdesc < 0){return;}
    (void) write(fdesc, secret, secret_size);
    (void) close(fdesc);
}
```
In the interval marked /* DANGER */ an adversary could create a file named myfile.txt, thus obtaining ownership of the file and access to its contents. To cause further problems, they could symlink myfile.txt to /etc/passwd, causing the original program to corrupt the system password file by writing secret on top of it.
Many TOCTTOU vulnerabilities arise because attackers can take advantage of the software's use of named files. This can often be avoided by referring to file descriptors or file streams rather than to file names.
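The descriptor-based approach applied to the tocttou() example above, as an added example that is not part of the CodeSonar manual. The function name write_secret_excl() and its fname parameter are hypothetical; the file name is used in exactly one call, and every later check or use goes through the descriptor.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for tocttou(): the name is used exactly once.
 * Returns 0 on success, -1 on failure with errno set. */
int write_secret_excl(const char *fname, const void *secret, size_t secret_size)
{
    const char *p = secret;
    struct stat st;
    int fd, saved;

    /* One atomic call replaces unlink()+open(). With O_CREAT|O_EXCL the
     * open fails (EEXIST) if the name already exists, even as a symlink,
     * so a file or link planted by another process is never used. */
    fd = open(fname, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;

    /* Check the descriptor (fstat), not the name (stat): the result
     * describes the object we hold, whatever happens to the name. */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISREG(st.st_mode) || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        errno = EACCES;
        goto fail;
    }

    /* Use the descriptor for the write; retry short or interrupted writes. */
    while (secret_size > 0) {
        ssize_t n = write(fd, p, secret_size);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            goto fail;
        p += n;
        secret_size -= (size_t)n;
    }
    return close(fd);

fail:
    saved = errno;          /* close() may overwrite errno */
    (void) close(fd);
    errno = saved;
    return -1;
}
```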
The following configuration file parameters affect checks for this warning class.