Status

RESOLVED INVALID
3 years ago
3 years ago

People

(Reporter: fkiefer, Unassigned)

Tracking

({coverity})

trunk
coverity

Firefox Tracking Flags

(firefox46 affected)

Details

(Whiteboard: CID222503)

Possible TOCTOU in the following code between stat(file, &statbuf) and open(file, flags, mode)

hash.c:169
>	if (!file || (flags & O_TRUNC) 	|| (stat(file, &statbuf)  && (errno == ENOENT))) 
>	{
>		if (errno == ENOENT)
>			errno = 0; /* Just in case someone looks at errno */
>		new_table = 1;
>	}
>	else if(statbuf.st_mtime && statbuf.st_size == 0)
>	{
>		/* check for a zero length file and delete it
>	 	 * if it exists
>	 	 */
>		new_table = 1;
>	}
>	hashp->file_size = statbuf.st_size;
> 
>	if (file) {				 
>#if defined(_WIN32) || defined(_WINDOWS) || defined (macintosh)  || defined(XP_OS2)
>		if ((hashp->fp = DBFILE_OPEN(file, flags | O_BINARY, mode)) == -1)
>			RETURN_ERROR(errno, error1);
>#else
>		if ((hashp->fp = open(file, flags, mode)) == -1)
>			RETURN_ERROR(errno, error1);
(For context, the hash.c file in question appears to be lib/dbm/src/hash.c)

I don't think this is an issue, since the file is opened regardless of the results of the stat call. It does look like the file size is obtained in a potentially untrustworthy way, but even if that could cause problems, this requires local file system access, in which case an attacker can do much worse things in easier ways.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
Group: crypto-core-security
You need to log in before you can comment on or make changes to this bug.