Fix: sessiond: TOCTOU error on save of session configuration
author Jérémie Galarneau <jeremie.galarneau@efficios.com>
Tue, 8 Oct 2019 18:18:31 +0000 (14:18 -0400)
committer Jérémie Galarneau <jeremie.galarneau@efficios.com>
Tue, 8 Oct 2019 18:30:10 +0000 (14:30 -0400)
commit 9fdd1d0698a8d86bbda738a48f66894515b0aaff
tree 834cee9eeb6eec04109c6d8fa3c38a25347c9623
parent 559445217735a8202a6009c00793a17cd92aed82
Fix: sessiond: TOCTOU error on save of session configuration

The session_save() function checks for the existence and access rights
on the target session configuration filename before opening it. This
results in a TOCTOU (Time of check, time of use) problem.

Defer the check and error reporting to the run_as_open() call.

1191754 Time of check time of use
An attacker could change the filename's file association or other
attributes between the check and use.  In save_session: A check occurs
on a file's attributes before the file is used in a privileged
operation, but things may have changed (CWE-367)

Reported-by: Coverity Scan
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
src/bin/lttng-sessiond/save.c
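
The check-then-open shape the commit message describes, next to an open that performs the check itself, as an added example that is not lttng-tools code. All function names and result codes are hypothetical, and the `between` callback is a constructed, deterministic stand-in for a second process acting inside the window.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

enum { SAVE_EXISTS = -1, SAVE_ERROR = -2 };	/* hypothetical result codes */

/* Racy shape: examine the path, then open it in a separate step. `between`
 * stands in for what another process may do inside that window. */
static int open_checked(const char *path, void (*between)(const char *))
{
	if (access(path, F_OK) == 0)
		return SAVE_EXISTS;
	if (between)
		between(path);
	int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0660);
	return fd < 0 ? SAVE_ERROR : fd;
}

/* Deferred shape: open() performs the existence check itself, atomically. */
static int open_deferred(const char *path)
{
	int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0660);
	if (fd < 0)	/* existing path, symlinks included, fails with EEXIST */
		return errno == EEXIST ? SAVE_EXISTS : SAVE_ERROR;
	return fd;
}

/* Constructed stand-in for a concurrent process creating the same file. */
static void other_writer(const char *path)
{
	close(open(path, O_CREAT | O_WRONLY, 0660));
}

/* 1 if the racy open succeeded on a late-appearing file and the deferred one refused. */
static int demo(const char *path)
{
	unlink(path);
	int racy = open_checked(path, other_writer);	/* check is stale by open() */
	int safe = open_deferred(path);			/* the file exists now */
	if (racy >= 0)
		close(racy);
	unlink(path);
	return racy >= 0 && safe == SAVE_EXISTS;
}

int main(void)
{
	return demo("toctou-demo.lttng") == 1 ? 0 : 1;
}
```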