From: "Yu, Jin"
To: "Richardson, Bruce"
CC: Maxime Coquelin, "Bie, Tiwei", "Wang, Zhihong", dev@dpdk.org, stable@dpdk.org
Date: Wed, 27 Nov 2019 02:19:39 +0000
Subject: Re: [dpdk-dev] [PATCH] vhost: fix insecure temporary file
References: <20191126151900.70915-1-jin.yu@intel.com> <20191126100021.GC1622@bricha3-MOBL.ger.corp.intel.com>
In-Reply-To: <20191126100021.GC1622@bricha3-MOBL.ger.corp.intel.com>
List-Id: DPDK patches and discussions

> -----Original Message-----
> From: Bruce Richardson
> Sent: Tuesday, November 26, 2019 6:00 PM
> To: Yu, Jin
> Cc: Maxime Coquelin; Bie, Tiwei; Wang, Zhihong; dev@dpdk.org; stable@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH] vhost: fix insecure temporary file
>
> On Tue, Nov 26, 2019 at 11:19:00PM +0800, Jin Yu wrote:
> > When using mkstemp(), remember to safely set the umask before to
> > restrict the resulting temporary file permissions to only the owner.
> >
> > Coverity issue: 350367
> > Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Jin Yu
> > ---
> >  lib/librte_vhost/vhost_user.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
> > index 0cfb8b792..1a68e23e3 100644
> > --- a/lib/librte_vhost/vhost_user.c
> > +++ b/lib/librte_vhost/vhost_user.c
> > @@ -1342,6 +1342,7 @@ inflight_mem_alloc(const char *name, size_t size, int *fd)
> >  	RTE_SET_USED(name);
> >  #endif
> >  	if (mfd == -1) {
> > +		mode_t mask = umask(0600);
> >  		mfd = mkstemp(fname);
>
> Setting the umask is unnecessary, as if you read the man page for mkstemp:
>
> "The file is created with permissions 0600, that is, read plus write for owner
> only."
>
> I am aware that coverity flags this as a potential issue, but if you follow the
> link from the coverity issue to CWE-377 on cwe.mitre.org, you can find the
> following at the end of the "Notes" section:
>
> "Finally, mkstemp() is a reasonably safe way create temporary files. It will
> attempt to create and open a unique file based on a filename template
> provided by the user combined with a series of randomly generated
> characters. If it is unable to create such a file, it will fail and return -1. On
> modern systems the file is opened using mode 0600, which means the file
> will be secure from tampering unless the user explicitly changes its access
> permissions. However, mkstemp() still suffers from the use of predictable file
> names and can leave an application vulnerable to denial of service attacks if
> an attacker causes mkstemp() to fail by predicting and pre-creating the
> filenames to be used."
>
> So it seems that for creating temporary files, mkstemp() is probably the best
> function we can use. Therefore, I recommend not trying to patch this issue
> and just mark the issue as "ignore" in coverity.

Yes. I agree with you. I just thought we must fix the coverity issue. So I added the umask. I would prefer to mark this issue as "ignore" in coverity.

>
> Regards,
> /Bruce
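Review bot: the added line `mode_t mask = umask(0600);` passes the wrong value: umask() takes the permission bits to clear, so a mask of 0600 removes owner read and write, and mkstemp(), which opens the file with mode 0600, would then create it with mode 0000; an "owner only" intent would be umask(077). The call is also redundant, since mkstemp() creates the file 0600 regardless of the process umask (the man page text quoted in this thread), and umask() is process-wide state, so toggling it inside a library function races with any other thread creating files at the same moment. The diffstat reports 2 insertions but only this one is visible in the hunk, so the restore of `mask` after mkstemp() cannot be reviewed here; if the call were kept, that restore would have to run on every path, including the mkstemp() failure branch. Dropping the change and marking the Coverity finding as intentional, as suggested in the reply, is the cleaner resolution.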
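Added example (not from the patch or from DPDK): a small C check that creates a file with mkstemp() under several process umasks and fstat()s it, to show the 0600 the man page promises under a normal umask and what the patch's umask(0600) would actually produce. The template path and helper names are constructed for this example.

```c
#define _XOPEN_SOURCE 700   /* declare mkstemp() under strict C standards */
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a temporary file with mkstemp() while the process umask is
 * temporarily 'test_umask', record the permission bits the kernel gave
 * the file, then remove it and restore the caller's umask.
 * Returns the mode bits (e.g. 0600) or -1 on error. */
static int mkstemp_mode_under_umask(mode_t test_umask)
{
    char tmpl[] = "/tmp/vhost-inflight-XXXXXX"; /* constructed template */
    struct stat st;
    int fd, mode = -1;

    mode_t saved = umask(test_umask);   /* umask() returns the previous mask */
    fd = mkstemp(tmpl);                 /* opened O_RDWR, created with 0600 & ~umask */
    umask(saved);                       /* always restore: umask is process-wide */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(tmpl);                       /* temp file is only needed for the check */
    return mode;
}

/* Usual shell default umask 022: mkstemp already yields 0600. */
int mode_with_default_umask(void) { return mkstemp_mode_under_umask(022); }

/* The patch's umask(0600): those bits are cleared, leaving mode 0000. */
int mode_with_patch_umask(void)   { return mkstemp_mode_under_umask(0600); }

/* The "owner only" mask the patch presumably meant, 077: still 0600. */
int mode_with_077_umask(void)     { return mkstemp_mode_under_umask(077); }
```

The file opened with mode 0000 is still usable through the returned descriptor, which is why the bug would not show up in the caller's own reads and writes.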