SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 82

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 83

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Performing operations on device files that are intended for ordinary character or binary files can result in crashes and denial-of-service attacks. For example, when Windows attempts to interpret the device name as a file resource, it performs an invalid resource access that usually results in a crash [Howard 2002].

Device files in UNIX can be a security risk when an attacker can access them in an unauthorized way. For instance, if attackers can read or write to the /dev/kmem device, they may be able to alter their priority, UID, or other attributes of their process or simply crash the system. Similarly, access to disk devices, tape devices, network devices, and terminals being used by other processes all can lead to problems [Garfinkel 1996].

On Linux, it is possible to lock certain applications by attempting to open devices rather than files. Consider the following example:

...

POSIX defines the O_NONBLOCK flag to open(), which ensures that delayed operations on a file do not hang the program [Open Group 2004].

When opening a FIFO with O_RDONLY or O_WRONLY set:

  • If O_NONBLOCK is set, an open() for reading-only shall return without delay. An open() for writing-only shall return an error if no process currently has the file open for reading.
  • If O_NONBLOCK is clear, an open() for reading-only shall block the calling thread until a thread opens the file for writing. An open() for writing-only shall block the calling thread until a thread opens the file for reading.

When opening a block special or character special file that supports non-blocking opens:

  • If O_NONBLOCK is set, the open() function shall return without blocking for the device to be ready or available. Subsequent behavior of the device is device-specific.
  • If O_NONBLOCK is clear, the open() function shall block the calling thread until the device is ready or available before returning.

Otherwise, the behavior of O_NONBLOCK is unspecified.

Once the file is open, programmers can use the POSIX lstat() and fstat() functions to obtain information about a named file and the S_ISREG() macro to determine if the file is a regular file. (See FIO05-C. Identify files using multiple file attributes.)

Because the behavior of O_NONBLOCK on subsequent calls to read() or write() is unspecified, it is advisable to disable the flag after it has been determined that the file in question is not a special device.

When available (Linux 2.1.126+, FreeBSD, Solaris 10, POSIX.1-2008), the O_NOFOLLOW should also be used. (See POS01-C. Check for the existence of links when dealing with files.) When O_NOFOLLOW is not available, symbolic link checks should use the method from VOID POS35-C. Avoid race conditions while checking for the existence of a symbolic link.

Code Block
bgColor#ccccff
langc
#ifdef O_NOFOLLOW
  #define OPEN_FLAGS O_NOFOLLOW | O_NONBLOCK
#else
  #define OPEN_FLAGS O_NONBLOCK
#endif

/* ... */

struct stat orig_st;
struct stat open_st;
int fd;
int flags;
char *file_name;

/* initialize file_name */

if (!fgets(file_name, sizeof(file_name), stdin)) {
  /* Handle error */
}

if ((lstat(file_name, &orig_st) != 0)
 || (!S_ISREG(orig_st.st_mode)))
{
  /* Handle error */
}

/* A TOCTOU race condition exists here, see below */

fd = open(file_name, OPEN_FLAGS | O_WRONLY);
if (fd == -1) {
  /* Handle error */
}

if (fstat(fd, &open_st) != 0) {
  /* Handle error */
}

if ((orig_st.st_mode != open_st.st_mode) ||
    (orig_st.st_ino  != open_st.st_ino) ||
    (orig_st.st_dev  != open_st.st_dev)) {
  /* file was tampered with */
}

/* Optional: drop the O_NONBLOCK now that we are sure
 * this is a good file */
if ((flags = fcntl(fd, F_GETFL)) == -1) {
  /* Handle error */
}

if (fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) != 0) {
  /* Handle error */
}

/* Operate on file */

close(fd);

...

This TOCTOU race condition can be prevented if the effected files are maintained in a secure directory. (See FIO15-C. Ensure that file operations are performed in a secure directory.)

Compliant Solution (Windows)

...

ISO/IEC 9899:2011 Section 7.21.4, "Operations on files"

Sources

[Garfinkel 1996] Section 5.6, "Device files"
[Howard 2002] Chapter 11, "Canonical Representation Issues"
[Open Group 2004] open()

...