Skip to content

/curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

access + mkdir: a time-of-check, time-of-use race condition #2739

Closed
bagder opened this issue Jul 12, 2018 · 6 comments

Comments

Assignees
No one assigned
Labels
cmdline tool help wanted
Projects
None yet
Milestone
No milestone
3 participants
@bagder @RootUp @jay
@bagder
Copy link
Member

commented Jul 12, 2018

Detected by Coverity.

curl-7.60.0/src/tool_dirhie.c:142: fs_check_call: Calling function "access" to
perform check on "dirbuildup".
curl-7.60.0/src/tool_dirhie.c:143: toctou: Calling function "mkdir" that uses
"dirbuildup" after a check function. This can cause a time-of-check, time-of-use
race condition.
#  141|         }
#  142|         if(access(dirbuildup, F_OK) == -1) {
#  143|->         if(-1 == mkdir(dirbuildup, (mode_t)0000750)) {
#  144|             show_dir_errno(errors, dirbuildup);
#  145|             result = CURLE_WRITE_ERROR;

@bagder bagder added the cmdline tool label Jul 12, 2018

@bagder

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Jul 12, 2018

The question is what a decent fix would be. I'm thinking:

  1. call mkdir() unconditionally
  2. if mkdir fails, check if the name exists as a directory, if it's not, fail
  3. if it is a directory, continue

Then, if the mkdir() fails for another reason but the path is a directory, that's still fine.
@RootUp

This comment has been minimized.

Sign in to view
Copy link

commented Jul 12, 2018

Thanks @bagder
@jay

This comment has been minimized.

Sign in to view
Copy link
Member

commented Jul 12, 2018

yes easiest way i think is check EEXIST

diff --git a/src/tool_dirhie.c b/src/tool_dirhie.c
index a01f9dc..5755823 100644
--- a/src/tool_dirhie.c
+++ b/src/tool_dirhie.c
@@ -139,12 +139,10 @@ CURLcode create_dir_hierarchy(const char *outfile, FILE *e
         else
           snprintf(dirbuildup, outlen, "%s%s", DIR_CHAR, tempdir);
       }
-      if(access(dirbuildup, F_OK) == -1) {
-        if(-1 == mkdir(dirbuildup, (mode_t)0000750)) {
-          show_dir_errno(errors, dirbuildup);
-          result = CURLE_WRITE_ERROR;
-          break; /* get out of loop */
-        }
+      if(-1 == mkdir(dirbuildup, (mode_t)0000750) && errno != EEXIST) {
+        show_dir_errno(errors, dirbuildup);
+        result = CURLE_WRITE_ERROR;
+        break; /* get out of loop */
       }
     }
     tempdir = tempdir2;

@bagder bagder added the help wanted label Jul 24, 2018

@RootUp

This comment has been minimized.

Sign in to view
Copy link

commented Aug 12, 2018

Hey @bagder
@jay patch works for me this can help, to resolve this issue.
@bagder

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Aug 12, 2018

Right, so someone needs to make a PR out of it...

@RootUp RootUp referenced this issue Aug 12, 2018

Closed

time-of-check, time-of-use race condition #2870

@RootUp

This comment has been minimized.

Sign in to view
Copy link

commented Aug 12, 2018

Thanks @jay for the patch, I made a PR for same.
Request @bagder to please have a look on it and suggest are we good to land :)

bagder added a commit that referenced this issue Aug 24, 2018

@bagder
curl: fix time-of-check, time-of-use race in dir creation 
Detected by Coverity
Fixes #2739
Verified
This commit was signed with a verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
eb1592e

@bagder bagder referenced this issue Aug 24, 2018

Closed

curl: fix time-of-check, time-of-use race in dir creation #2912

@bagder bagder closed this in f16bed0 Aug 25, 2018

falconindy added a commit to falconindy/curl that referenced this issue Sep 10, 2018

@bagder @falconindy
curl: fix time-of-check, time-of-use race in dir creation 
Patch-by: Jay Satiro
Detected by Coverity
Fixes curl#2739
Closes curl#2912
04b2f4f

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.