SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 79

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 80

changes.mady.by.user Arthur Hicken

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: update parasoft

...

TOCTOU race condition vulnerabilities can be exploited to gain elevated privileges.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

POS35-C

high

likely

medium

P18

L1

Tool

Version

Checker

Description

Compass/ROSE

 

 



Can detect some violations of this rule. In particular, it ensures that calls to open() that are preceded by a call to lstat() are also followed by a call to fstat().

Coverity
Include Page
Coverity_V
Coverity_V

TOCTOU

Implemented
Klocwork
Include Page
Klocwork_V
Klocwork_V
SV.TOCTOU.FILE_ACCESS
 

Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
SECURITY-19
Partially implemented; use of lstat
, BD-TRS-SYMLINKImplemented
Polyspace Bug FinderR2016aFile access between time of check and use (TOCTOU)

File or folder might change state due to access race

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CWE 2.11CWE-363, Race condition enabling link following2017-07-07: CERT: Exact

Key here for mapping notes

...

CWE-764 is about semaphores, or objects capable of being locked multiple times. Deadlock arises from multiple locks being acquired in a cyclic order, and generally does not arise from semaphores or recursive mutexes.

[Dowd 2006]Chapter 9, "UNIX 1: Privileges and Files"
[ISO/IEC 9899:2011]Section 7.21, "Input/output <stdio.h>"
[Open Group 2004]lstat()
fstat()
open()
[Seacord 2013]Chapter 8, "File I/O"

...


...