Page History

...

If not properly performed, checking for the existence of symbolic links can lead to race conditions.

This rule is a specific instance of rule FIO45-C. Avoid TOCTOU race conditions while accessing files.

Noncompliant Code Example

The POSIX lstat() function collects information about a symbolic link rather than its target. This noncompliant code example uses the lstat() function to collect information about the file, checks the st_mode field to determine if the file is a symbolic link, and then opens the file if it is not a symbolic link.:

char *filename = /* file name */;
char *userbuf = /* user data */;
unsigned int userlen = /* length of userbuf string */;

struct stat lstat_info;
int fd;
/* ... */
if (lstat(filename, &lstat_info) == -1) {
  /* Handle error */
}

if (!S_ISLNK(lstat_info.st_mode)) {
   fd = open(filename, O_RDWR);
   if (fd == -1) {
       /* Handle error */
   }
}
if (write(fd, userbuf, userlen) < userlen) {
  /* Handle error */
}

This code contains a time-of-check, time-of-use (TOCTOU) race condition between the call to lstat() and the subsequent call to open() because both functions operate on a file name that can be manipulated asynchronously to the execution of the program. (See FIO01-C. Be careful using functions that use file names for identification.)

Compliant Solution (POSIX.1-2008 or newer)

This compliant solution eliminates the race condition by using O_NOFOLLOW to cause open() to fail if passed a symbolic link, avoiding the TOCTOU by not having a separate "check" and "use":

char *filename = /* file name */;
char *userbuf = /* user data */;
unsigned int userlen = /* length of userbuf string */;

int fd = open(filename, O_RDWR|O_NOFOLLOW);
if (fd == -1) {
  /* Handle error */
}
if (write(fd, userbuf, userlen) < userlen) {
  /* Handle error */
}

Compliant Solution (POSIX.1-2001 or older)

This compliant solution eliminates the race condition by

1. Calling calling lstat() on the file name.
2. calling Calling open() to open the file.
3. calling Calling fstat() on the file descriptor returned by open().
4. comparing Comparing the file information returned by the calls to lstat() and fstat() to ensure that the files are the same.

...

Comparing i-nodes, using the st_ino fields, and devices, using the st_dev fields, ensures that the file passed to lstat() is the same as the file passed to fstat(). (See FIO05-C. Identify files using multiple file attributes.)

Risk Assessment

TOCTOU race condition vulnerabilities can be exploited to gain elevated privileges.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

ISO/IEC 9899:2011 Section 7.21, "Input/output <stdio.h>"

MITRE CWE: CWE-363, "Race Condition Enabling Link Following"

MITRE CWE: CWE-365, "Race Condition in Switch"

...

Key here (explains table format and definitions)

Taxonomy	Taxonomy item	Relationship
CWE 2.11	CWE-363, Race condition enabling link following	2017-07-07: CERT: Exact

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-764 and POS51-C/POS35-C

Independent( CWE-764, POS51-C, POS35-C)

CWE-764 is about semaphores, or objects capable of being locked multiple times. Deadlock arises from multiple locks being acquired in a cyclic order, and generally does not arise from semaphores or recursive mutexes.

Bibliography

...

...

...

...

...

Image Modified Image Modified Image Modified