Closed Bug 1232945 Opened 9 years ago Closed 8 years ago

[CID 222503] NSS TOCTOU

Categories

(NSS :: Libraries, defect)

Tracking

(firefox46 affected)

RESOLVED INVALID

People

(Reporter: franziskus, Unassigned)

Details

(Keywords: coverity, Whiteboard: CID222503)

Possible TOCTOU in the following code between stat(file, &statbuf) and open(file, flags, mode)

hash.c:169
>	if (!file || (flags & O_TRUNC) 	|| (stat(file, &statbuf)  && (errno == ENOENT))) 
>	{
>		if (errno == ENOENT)
>			errno = 0; /* Just in case someone looks at errno */
>		new_table = 1;
>	}
>	else if(statbuf.st_mtime && statbuf.st_size == 0)
>	{
>		/* check for a zero length file and delete it
>	 	 * if it exists
>	 	 */
>		new_table = 1;
>	}
>	hashp->file_size = statbuf.st_size;
> 
>	if (file) {				 
>#if defined(_WIN32) || defined(_WINDOWS) || defined (macintosh)  || defined(XP_OS2)
>		if ((hashp->fp = DBFILE_OPEN(file, flags | O_BINARY, mode)) == -1)
>			RETURN_ERROR(errno, error1);
>#else
>		if ((hashp->fp = open(file, flags, mode)) == -1)
>			RETURN_ERROR(errno, error1);
(For context, the hash.c file in question appears to be lib/dbm/src/hash.c)

I don't think this is an issue, since the file is opened regardless of the results of the stat call. It does look like the file size is obtained in a potentially untrustworthy way, but even if that could cause problems, this requires local file system access, in which case an attacker can do much worse things in easier ways.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Group: crypto-core-security
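Added here as an illustration of the stat/open ordering discussed above (not NSS code): stat_then_open mirrors the hash.c pattern of taking st_size before open(), open_then_fstat takes the size from fstat() on the descriptor it actually opened, and check_consistency reports whether the size each one returns still describes the file it opened when the path is swapped in the gap. The race hook, the temp-file paths and the 4-byte replacement file are constructed for the demonstration.

```c
/* Added illustration, not NSS code: hash.c records st_size from stat() and
 * only then open()s, so the size can describe a different file than the one
 * the descriptor refers to. race_hook_t stands in for another process. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*race_hook_t)(const char *path);
static long fd_size(int fd) {
    struct stat sb;
    return fstat(fd, &sb) == 0 ? (long)sb.st_size : -1;
}
/* The hash.c pattern: stat() first, open() afterwards. */
static long stat_then_open(const char *path, race_hook_t hook, int *fd) {
    struct stat sb;
    if (stat(path, &sb) != 0) return -1;
    if (hook) hook(path);                   /* the TOCTOU window */
    *fd = open(path, O_RDWR);
    return *fd == -1 ? -1 : (long)sb.st_size;
}
/* Hardened: open() first, then fstat() the descriptor in hand. */
static long open_then_fstat(const char *path, race_hook_t hook, int *fd) {
    *fd = open(path, O_RDWR);
    if (*fd == -1) return -1;
    if (hook) hook(path);                   /* cannot alter what *fd refers to */
    return fd_size(*fd);
}
/* Constructed "other process": atomically swap a 4-byte file into place. */
static void replace_file(const char *path) {
    const char *tmp = "/tmp/toctou_demo_swap.tmp";
    int nfd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (nfd == -1) return;
    if (write(nfd, "data", 4) == 4) rename(tmp, path);
    close(nfd);
}
/* Runs a variant on a fresh empty temp file with the swap in the gap:
 * 1 = reported size matches the opened file, 0 = it does not, -1 = error. */
static int check_consistency(long (*variant)(const char *, race_hook_t, int *)) {
    char path[] = "/tmp/toctou_demo_XXXXXX";
    int tfd = mkstemp(path), fd = -1;
    if (tfd == -1) return -1;
    close(tfd);
    long reported = variant(path, replace_file, &fd);
    int ok = reported < 0 ? -1 : (reported == fd_size(fd));
    if (fd != -1) close(fd);
    unlink(path);
    return ok;
}
```

On a POSIX system check_consistency(stat_then_open) returns 0 (the recorded size belongs to the file that was replaced) while check_consistency(open_then_fstat) returns 1, because the swap after open() cannot change which inode the descriptor refers to.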