tech-toolchain archive
Re: TOCTOU bug in make(1)
On Fri, Oct 07, 2022 at 09:07:10AM +1300, Lloyd Parkes wrote:
>
>
> On 7/10/22 08:43, Joerg Sonnenberger wrote:
> > On Thu, Oct 06, 2022 at 01:19:24PM -0500, Mario Campos wrote:
> > > I ran CodeQL, a SAST tool, against trunk. It found a TOCTOU vulnerability
> > > in the `unlink_file` function of make(1). The function is a small wrapper
> > > over unlink(2), but it first checks that the file exists using lstat(2).
> > > Although I don't see an immediate danger here, I admit I'm not
> > > very imaginative for vulnerabilities.
> >
> > This is necessary for historic reasons because old UNIX systems allow
> > unlink(2) on directories with bad consequences.
>
> That's a good point. Personally, I had forgotten that unlinking directories
> was a thing. We should put a comment in the code for unlink_file() about
> that.
Well, if you read the code you should start to wonder why it does the
whole lstat + check for directory dance...
Joerg
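
The lstat-then-unlink guard discussed in this thread, as an added example that is not part of the original messages and is not the make(1) source. The name unlink_file_checked, the scratch paths under /tmp and the EISDIR return convention are assumptions; the block shows why the check exists (a directory is refused) and where the window reported as TOCTOU sits.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical sketch of the guard discussed in the thread; NOT make(1)'s source. */
int unlink_file_checked(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1)   /* check: what is at path right now? */
        return -1;                /* errno comes from lstat, e.g. ENOENT */
    if (S_ISDIR(st.st_mode)) {    /* reason for the check: never unlink a directory */
        errno = EISDIR;
        return -1;
    }
    /* The window a TOCTOU query reports: path is resolved a second time
     * here, so the object unlinked may differ from the one lstat saw. */
    return unlink(path);
}

/* Exercises the guard in a constructed scratch directory (assumes /tmp is
 * writable). Returns 0 if all cases behave as expected, the number of the
 * first failing case otherwise, or -1 if setup failed. */
int demo(void)
{
    char dir[] = "/tmp/unlink_demo.XXXXXX", file[64], sub[64];
    struct stat st;
    int bad = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(sub, sizeof sub, "%s/subdir", dir);
    FILE *f = fopen(file, "w");
    if (f == NULL || fclose(f) != 0 || mkdir(sub, 0700) != 0)
        return -1;
    if (unlink_file_checked(sub) != -1 || errno != EISDIR || lstat(sub, &st) != 0)
        bad = 1;   /* a directory must be refused and left in place */
    else if (unlink_file_checked(file) != 0 || lstat(file, &st) != -1)
        bad = 2;   /* a regular file must be removed */
    else if (unlink_file_checked(file) != -1 || errno != ENOENT)
        bad = 3;   /* a missing file: lstat's error is passed up */
    unlink(file);  /* cleanup; harmless if already gone */
    rmdir(sub);
    rmdir(dir);
    return bad;
}

int main(void) { return demo(); }
```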