access + mkdir: a time-of-check, time-of-use race condition #2739

bagder · 2018-07-12T09:19:05Z

Detected by Coverity.

curl-7.60.0/src/tool_dirhie.c:142: fs_check_call: Calling function "access" to
perform check on "dirbuildup".
curl-7.60.0/src/tool_dirhie.c:143: toctou: Calling function "mkdir" that uses
"dirbuildup" after a check function. This can cause a time-of-check, time-of-use
race condition.
#  141|         }
#  142|         if(access(dirbuildup, F_OK) == -1) {
#  143|->         if(-1 == mkdir(dirbuildup, (mode_t)0000750)) {
#  144|             show_dir_errno(errors, dirbuildup);
#  145|             result = CURLE_WRITE_ERROR;

The text was updated successfully, but these errors were encountered:

bagder · 2018-07-12T10:11:45Z

The question is what a decent fix would be. I'm thinking:

call mkdir() unconditionally
if mkdir fails, check if the name exists as a directory, if it's not, fail
if it is a directory, continue

Then, if the mkdir() fails for another reason but the path is a directory, that's still fine.

RootUp · 2018-07-12T11:41:58Z

Thanks @bagder

jay · 2018-07-12T14:49:09Z

yes easiest way i think is check EEXIST

diff --git a/src/tool_dirhie.c b/src/tool_dirhie.c
index a01f9dc..5755823 100644
--- a/src/tool_dirhie.c
+++ b/src/tool_dirhie.c
@@ -139,12 +139,10 @@ CURLcode create_dir_hierarchy(const char *outfile, FILE *e
         else
           snprintf(dirbuildup, outlen, "%s%s", DIR_CHAR, tempdir);
       }
-      if(access(dirbuildup, F_OK) == -1) {
-        if(-1 == mkdir(dirbuildup, (mode_t)0000750)) {
-          show_dir_errno(errors, dirbuildup);
-          result = CURLE_WRITE_ERROR;
-          break; /* get out of loop */
-        }
+      if(-1 == mkdir(dirbuildup, (mode_t)0000750) && errno != EEXIST) {
+        show_dir_errno(errors, dirbuildup);
+        result = CURLE_WRITE_ERROR;
+        break; /* get out of loop */
       }
     }
     tempdir = tempdir2;

RootUp · 2018-08-12T08:04:22Z

Hey @bagder
@jay patch works for me this can help, to resolve this issue.

bagder · 2018-08-12T16:34:22Z

Right, so someone needs to make a PR out of it...

RootUp · 2018-08-12T17:13:14Z

Thanks @jay for the patch, I made a PR for same.
Request @bagder to please have a look on it and suggest are we good to land :)

Detected by Coverity Fixes #2739

Patch-by: Jay Satiro Detected by Coverity Fixes curl#2739 Closes curl#2912

bagder added the cmdline tool label Jul 12, 2018

bagder added the help wanted label Jul 24, 2018

RootUp mentioned this issue Aug 12, 2018

time-of-check, time-of-use race condition #2870

Closed

bagder mentioned this issue Aug 24, 2018

curl: fix time-of-check, time-of-use race in dir creation #2912

Closed

bagder closed this in f16bed0 Aug 25, 2018

falconindy added a commit to falconindy/curl that referenced this issue Sep 10, 2018

curl: fix time-of-check, time-of-use race in dir creation

04b2f4f

Patch-by: Jay Satiro Detected by Coverity Fixes curl#2739 Closes curl#2912

lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018

curl / curl

access + mkdir: a time-of-check, time-of-use race condition #2739

access + mkdir: a time-of-check, time-of-use race condition #2739

bagder commented Jul 12, 2018

bagder commented Jul 12, 2018

RootUp commented Jul 12, 2018

jay commented Jul 12, 2018

RootUp commented Aug 12, 2018

bagder commented Aug 12, 2018

RootUp commented Aug 12, 2018

curl / curl

Sponsor curl/curl

access + mkdir: a time-of-check, time-of-use race condition #2739

access + mkdir: a time-of-check, time-of-use race condition #2739

Comments

bagder commented Jul 12, 2018

bagder commented Jul 12, 2018

RootUp commented Jul 12, 2018

jay commented Jul 12, 2018

RootUp commented Aug 12, 2018

bagder commented Aug 12, 2018

RootUp commented Aug 12, 2018