  1. SonarCFamily
  2. CPP-2542

Rule S5847: Accessing files should not introduce TOCTOU vulnerabilities


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.13
    • Component/s: C, C++, Objective-C, Rules
    • Labels:
      None

      Description

      Should raise when:
      1) there is a call to a function of type "check", AND
      2) the return value of the "check" function is verified (used in the expression of a condition), AND
      3) there is a call to a function of type "use", AND
      4) both functions share at least one file argument (not immune to TOCTOU, see at the bottom of this ticket): a literal, or the same variable unchanged between the calls, AND
      5) both functions are in the same group (see the list of groups below), AND
      6) for each function of type "use" or "check" the conditions mentioned above are respected

      Example:

      if(!access(file, W_OK)) { // 1) and 2)    ==========> Noncompliant: secondary location
          f = fopen(file, "w+"); // 3), 4), 5) and 6)    ==========> Noncompliant: main location
          operate(f);
      }
      else {
         fprintf(stderr,"Unable to open file %s.\n",file);
      }
      
      if(access(path, R_OK)) {// Noncompliant: secondary location
           rename(path, newpath); // Noncompliant: main location
      }
      
      if(access(newpath, W_OK)) {// Noncompliant: secondary location
           rename(oldpath, newpath); // Noncompliant: main location
      }
      

      In bold, the arguments "of type file" to consider when looking for point 4):

      • access: int access(const char *pathname, int mode);
      • creat: int creat(const char *pathname, mode_t mode);
      • stat: int stat(const char *path, struct stat *buf);
      • open: int open(const char *path, int oflag, ... );
      • fopen: FILE *fopen(const char *path, const char *mode);
      • mknod: int mknod(const char *path, mode_t mode, dev_t dev);
      • rename: int rename(const char *old, const char *new);
      • link: int link(const char *path1, const char *path2);
      • symlink: int symlink(const char *path1, const char *path2);
      • mkdir: int mkdir(const char *pathname, mode_t mode);
      • chmod: int chmod(const char *path, mode_t mode);
      • chown: int chown(const char *path, uid_t owner, gid_t group);
      • truncate: int truncate(const char *path, off_t length);
      • utime: int utime(const char *filename, const struct utimbuf *times);
      • execve: int execve(const char *path, char *const argv[], char *const envp[]);
      • chdir: int chdir(const char *path);
      • mount: int mount(const char *source, const char *target, const char *filesystemtype, unsigned long mountflags, const void *data);
      • pivot_root: int pivot_root(const char *new_root, const char *put_old);
      • chroot: int chroot(const char *path);
      • unlink: int unlink(const char *path);
      • rmdir: int rmdir(const char *path);
      • file_status: file_status_t file_status(const char *fname);
      • tor_unlink: int tor_unlink(const char *pathname);
      • tor_fopen_cloexec: FILE *tor_fopen_cloexec(const char *path, const char *mode);
      • tor_open_cloexec: int tor_open_cloexec(const char *path, int flags, unsigned mode);

      List of groups for the point 5):

      • Group "explicit"
        Check functions: access, stat
        Use functions: creat, open, fopen, mknod, rename, link, symlink, mkdir, chmod, chown, truncate, utime, execve, chdir, mount, pivot_root, chroot
      • Group "Create a regular file implicitly"
        Check functions: unlink, rename
        Use functions: creat, open, fopen, mknod
      • Group "Create a directory implicitly"
        Check functions: rmdir, rename
        Use functions: mkdir
      • Group "Create a link implicitly"
        Check functions: unlink, rename
        Use functions: link, symlink
      • Group "Check file attributes implicitly"
        Check functions: fopen, creat, rename, mknod, link, symlink
        Use functions: chmod, chown, truncate, utime, open, fopen, execve
      • Group "Check directory attributes implicitly"
        Check functions: mkdir, rename, link, symlink
        Use functions: chmod, chown, mount, utime, chdir, chroot, pivot_root

      Conditions:

      • chmod: the attacker can benefit from the TOCTOU vulnerability when write permission is granted to other group, thus should raise only when the first argument of chmod ends with 2, 3, 6 or 7, e.g. chmod(777)
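
The check/use pairs listed above, next to descriptor-based forms that do not match the rule. This is an added example, not code from the ticket or from SonarCFamily; the function names are hypothetical and it assumes a Linux/POSIX.1-2008 system where O_NOFOLLOW and O_CLOEXEC are available.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes O_NOFOLLOW, O_CLOEXEC, fchmod */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Noncompliant shape from the ticket: the "check" (access) and the "use"
 * (open) name the same path, which can be swapped between the two calls. */
int open_write_racy(const char *path) {
    if (access(path, W_OK) != 0)
        return -1;
    return open(path, O_WRONLY);
}

/* Compliant: no check call on the path. Open once, refuse a symlink as the
 * final component, then inspect the opened object through its descriptor.
 * O_NONBLOCK only keeps a FIFO from blocking the open. */
int open_write_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;             /* errno says why: EACCES, ELOOP, ENOENT... */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Compliant replacement for "stat or unlink, then creat": the existence
 * test and the creation are a single atomic call. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Compliant replacement for "check, then chmod(path, ...)": the mode is
 * changed on the file already opened, not on whatever the path names now. */
int set_mode_by_fd(int fd, mode_t mode) {
    return fchmod(fd, mode);
}
```

The racy variant still succeeds when the path is a symlink placed after the check, while the descriptor-based variants fail closed with ELOOP or EEXIST.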

              People

              Assignee:
              geoffray.adde Geoffray Adde
              Reporter:
              eric.therond Eric Therond (Inactive)