Versions Compared

Comment: added Howard reference to mouse statement

...

A Web browser that failed to check for these devices would allow an attacker to create a website with image tags such as <IMG src="file:///dev/mouse"> that would lock the user's mouse [Howard 2002].

Noncompliant Code Example

...

Essentially, an attacker can switch out a file for one of the file types shown in the following table with the specified effect.

File Types and Effects

| Type | Note on Effect |
|---|---|
| Another regular file | The fstat() verification fails. |
| FIFO | Either open() returns -1 and sets errno to ENXIO, or open() succeeds and the fstat() verification fails. |
| Symbolic link | open() returns -1 if O_NOFOLLOW is available; otherwise, the fstat() verification fails. |
| Special device | Usually the fstat() verification fails on st_mode. This can still be a problem if the device is one for which just opening (or closing) it causes a side effect. If st_mode compares equal, then the device is one that, after opening, appears to be a regular file. It would then fail the fstat() verification on st_dev and st_ino (unless it happens to be the same file, as can happen with /dev/fd/* on Solaris, but this would not be a problem). |

To be compliant with this rule and to prevent this TOCTOU race condition, file_name must refer to a file in a secure directory. (See FIO15-C. Ensure that file operations are performed in a secure directory.)
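As an added example in C (not the CERT page's own compliant solution), the lstat-open-fstat check that the table above walks through: the object must be a regular file before the open(), open() uses O_NOFOLLOW where available, and the opened descriptor must still be a regular file with the same st_dev and st_ino that lstat() reported. Function names and the temporary-file path are assumptions for this example; as the rule text says, this check alone does not close the race unless the file lives in a secure directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* platform lacks it: symlinks are caught by the lstat() check instead */
#endif

/* Open path read-only only if it is a regular file (lstat-open-fstat idiom).
 * A symbolic link, FIFO, directory or device is refused up front by lstat();
 * a file swapped between lstat() and open() is caught by comparing st_dev/st_ino.
 * Returns a descriptor, or -1 with errno set (EINVAL for "not a regular file"). */
int open_regular_file(const char *path) {
    struct stat before, after;
    if (lstat(path, &before) == -1) return -1;
    if (!S_ISREG(before.st_mode)) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) return -1;               /* e.g. ENXIO for a FIFO, ELOOP for a symlink */
    if (fstat(fd, &after) == -1) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(after.st_mode) || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino) {
        close(fd); errno = EINVAL; return -1;   /* special device or a swapped file */
    }
    return fd;
}

/* 1 if path opens as a regular file under the checks above, 0 otherwise. */
int opens_as_regular(const char *path) {
    int fd = open_regular_file(path);
    if (fd != -1) close(fd);
    return fd != -1;
}

/* Self-check on a constructed temporary regular file: 1 accepted, 0 rejected, -1 could not create. */
int demo_regular_file_accepted(void) {
    char path[] = "/tmp/fio32_demo_XXXXXX";   /* hypothetical name; mkstemp fills the Xs */
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    close(fd);
    int ok = opens_as_regular(path);
    unlink(path);
    return ok;
}
```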

...

Allowing operations that are appropriate only for regular files to be performed on devices can result in denial-of-service attacks or more serious exploits depending on the platform.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO32-C | Medium | Unlikely | Medium | P4 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note whether there is any verification of the file name before or after the fopen() call. If there is any verification, then the file opening should be preceded by an lstat() call and followed by an fstat() call. Although that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom. |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...


CERT-CWE Mapping Notes


...

  • Treating device names (both trusted and untrusted) like regular files in POSIX


Bibliography

[Garfinkel 1996] Section 5.6, "Device Files"
[Howard 2002] Chapter 11, "Canonical Representation Issues"
[IEEE Std 1003.1:2013] XSH, System Interfaces, open
[MSDN]

...