File names on many operating systems, including Windows and UNIX, may be used to access special files, which are actually devices. Reserved MS-DOS device names include AUX, CON, PRN, COM1, and LPT1. Device files on UNIX systems are used to apply access rights and to direct operations on the files to the appropriate device drivers.

Performing operations on device files that are intended for ordinary character or binary files can result in crashes and denial-of-service attacks. For example, when Windows attempts to interpret the device name as a file resource, it performs an invalid resource access that usually results in a crash [Howard 2002].

Device files in UNIX can be a security risk when an attacker can access them in an unauthorized way. For example, if attackers can read or write to the /dev/kmem device, they may be able to alter their priority, UID, or other attributes of their process or simply crash the system. Similarly, access to disk devices, tape devices, network devices, and terminals being used by other processes can lead to problems [Garfinkel 1996].

On Linux, it is possible to lock certain applications by attempting to open devices rather than files. Consider the following example:

/dev/mouse
/dev/console
/dev/tty0
/dev/zero

A Web browser that failed to check for these devices would allow an attacker to create a website with image tags such as <IMG src="file:///dev/mouse"> that would lock the user's mouse.

Noncompliant Code Example

In this noncompliant code example, the user can specify a locked device or a FIFO (first-in, first-out) file name, causing the program to hang on the call to fopen():

#include <stdio.h>
 
void func(const char *file_name) {
  FILE *file;
  if ((file = fopen(file_name, "wb")) == NULL) {
    /* Handle error */
  }

  /* Operate on the file */

  fclose(file);
}

Compliant Solution (POSIX)

POSIX defines the O_NONBLOCK flag to open(), which ensures that delayed operations on a file do not hang the program [IEEE Std 1003.1:2013].

When opening a FIFO with O_RDONLY or O_WRONLY set:

When opening a block special or character special file that supports non-blocking opens:

Otherwise, the behavior of O_NONBLOCK is unspecified.

Once the file is open, programmers can use the POSIX lstat() and fstat() functions to obtain information about a file and the S_ISREG() macro to determine if the file is a regular file. 

Because the behavior of O_NONBLOCK on subsequent calls to read() or write() is unspecified, it is advisable to disable the flag after it has been determined that the file in question is not a special device.

When available (Linux 2.1.126+, FreeBSD, Solaris 10, POSIX.1-2008), the O_NOFOLLOW should also be used. (See POS01-C. Check for the existence of links when dealing with files.) When O_NOFOLLOW is not available, symbolic link checks should use the method from POS35-C. Avoid race conditions while checking for the existence of a symbolic link.

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef O_NOFOLLOW
  #define OPEN_FLAGS O_NOFOLLOW | O_NONBLOCK
#else
  #define OPEN_FLAGS O_NONBLOCK
#endif

void func(const char *file_name) {
  struct stat orig_st;
  struct stat open_st;
  int fd;
  int flags;

  if ((lstat(file_name, &orig_st) != 0) ||
      (!S_ISREG(orig_st.st_mode))) {
    /* Handle error */
  }

  /* A TOCTOU race condition exists here; see below */

  fd = open(file_name, OPEN_FLAGS | O_WRONLY);
  if (fd == -1) {
    /* Handle error */
  }

  if (fstat(fd, &open_st) != 0) {
    /* Handle error */
  }

  if ((orig_st.st_mode != open_st.st_mode) ||
      (orig_st.st_ino  != open_st.st_ino) ||
      (orig_st.st_dev  != open_st.st_dev)) {
    /* The file was tampered with */
  }

  /* 
   * Optional: drop the O_NONBLOCK now that we are sure
   * this is a good file.
   */
  if ((flags = fcntl(fd, F_GETFL)) == -1) {
    /* Handle error */
  }

  if (fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) != 0) {
    /* Handle error */
  }

  /* Operate on the file */

  close(fd);
}

This code contains an intractable TOCTOU (time-of-check, time-of-use) race condition under which an attacker can alter the file referenced by file_name following the call to lstat() but before the call to open(). The switch will be discovered after the file is opened, but opening the file cannot be prevented in the case where this action itself causes undesired behavior.

Essentially, an attacker can switch out a file for one of the file types shown in the following table with the specified effect.

File Types and Effects

Type

Note on Effect

Another regular file

The fstat() verification fails.

FIFO

Either open() returns -1 and sets errno to ENXIO, or open() succeeds and the fstat() verification fails.

Symbolic link

open() returns -1 if O_NOFOLLOW is available; otherwise, the fstat() verification fails.

Special device

Usually the fstat() verification fails on st_mode. This can still be a problem if the device is one for which just opening (or closing) it causes something to happen. If st_mode compares equal, then the device is one that, after opening, appears to be a regular file. It would then fail the fstat() verification on st_dev and st_ino (unless it happens to be the same file, as can happen with /dev/fd/* on Solaris, but this would not be a problem).

This TOCTOU race condition can be prevented if the affected files are maintained in a secure directory. (See FIO15-C. Ensure that file operations are performed in a secure directory.)

Noncompliant Code Example (Windows)

This noncompliant code example uses the GetFileType() API: 

#include <Windows.h>
 
void func(const TCHAR *file_name) {
  HANDLE hFile = CreateFile(
    file_name,
    GENERIC_READ | GENERIC_WRITE, 0, 
    NULL, OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL, NULL
  );
  if (hFile == INVALID_HANDLE_VALUE) {
    /* Handle error */
  } else if (GetFileType(hFile) != FILE_TYPE_DISK) {
    /* Handle error */
    CloseHandle(hFile);
  } else {
    /* Operate on the file */
    CloseHandle(hFile);
  }
}

Although it may be tempting to use the Win32 GetFileType() function, it is a dangerous API to use in this case. If the file name given identifies a named pipe, and that pipe is currently blocking on a read request, the call to GetFileType() will block until the read request completes. An attacker can then effectively launch a denial-of-service attack on the application. Furthermore, the act of opening a file handle may cause further action to be taken, such as line states being set to their default voltage when opening a serial device.

Compliant Solution (Windows)

Microsoft documents a list of reserved identifiers that represent devices and have a device namespace to be used specifically by devices [MSDN]. The isReservedName() function in this compliant solution can be used to determine if a specified path refers to a device.  Care must be taken to avoid a TOCTOU race condition when first testing a pathname using the isReservedName() function and then later operating on that pathname.

#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
 
static bool isReservedName(const char *path) {
  /* This list of reserved names comes from MSDN */
  static const char *reserved[] = { 
    "nul", "con", "prn", "aux", "com1", "com2", "com3",
    "com4", "com5", "com6", "com7", "com8", "com9",
    "lpt1", "lpt2", "lpt3", "lpt4", "lpt5", "lpt6",
    "lpt7", "lpt8", "lpt9" 
  };
  char *lower;
  char *temp;
  bool ret = false;
  
  /*
   * First, check to see if this is a device namespace, which
   * always starts with \\.\, because device namespaces are not
   * legal file paths.
   */
  if (!path || 0 == strncmp(path, "\\\\.\\", 4)) {
    return true;
  }
 
  /*
   * Because Windows uses a case-insensitive file system, operate
   * on a lowercase version of the given filename. Note: this
   * ignores globalization issues and assumes ASCII
   * characters.
   */
  lower = (char *)malloc(strlen(path) + 1);
  if (!lower) {
    return false;
  }
  
  temp = lower;
  while (*path) {
    *lower++ = tolower(*path++);
  }
  lower = temp;
 
  /* Compare against the list of ancient reserved names */
  for (size_t i = 0; !ret &&
       i < sizeof(reserved) / sizeof(*reserved); ++i) {    
    if (0 == strcmp(lower, reserved[i])) {
      ret = true;
    }
  }
 
  free(lower);
  return ret;
} 

Risk Assessment

Allowing operations that are appropriate only for files to be performed on devices can result in denial-of-service attacks or more serious exploits depending on the platform.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO32-C

Medium

Unlikely

Medium

P4

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 

Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note if there is any verification of the file name before or after the fopen() call. If there is any verification, then the file opening should be preceded by an lstat() call and succeeded by an fstat() call. Although that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom

Fortify SCA

5.0

 

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardFIO05-C. Identify files using multiple file attributes
FIO15-C. Ensure that file operations are performed in a secure directory
POS01-C. Check for the existence of links when dealing with files
POS35-C. Avoid race conditions while checking for the existence of a symbolic link
CERT C++ Secure Coding StandardFIO32-CPP. Do not perform operations on devices that are only appropriate for files
CERT Oracle Secure Coding Standard for JavaFIO00-J. Do not operate on files in shared directories
MITRE CWECWE-67, Failure to handle Windows device names

Bibliography

[Garfinkel 1996]Section 5.6, "Device Files"
[Howard 2002]Chapter 11, "Canonical Representation Issues"
[IEEE Std 1003.1:2013]XSH, System Interfaces, open