NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

misc/54382: missing permissions in open(2) calls with O_CREAT

>Number:         54382
>Category:       misc
>Synopsis:       missing permissions in open(2) calls with O_CREAT
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 16 16:25:00 +0000 2019
>Originator:     Brooks Davis
>Release:        current
>Organization:
>Environment:
Found in FreeBSD's import of the libc tests.
>Description:
The test suite contains a large number of instances of things like:

        fd = open(path, O_RDWR | O_CREAT);

When O_CREAT is specified, the third, variadic argument is required as the permission.  If on is not passed, then depending on the ABI, either the contents of the third argument register or some arbitrary stuff on the stack will be used as the permission.  This is clearly wrong.

In our local ABI (for the CHERI ISA), variadic arguments are stored in a bounded array which in this case is of length zero.  When read, a fault occurs and these tests crash.
>How-To-Repeat:

>Fix:
Known instances of this bug are fixed in this patch:

diff --git a/tests/lib/libc/gen/t_ftok.c b/tests/lib/libc/gen/t_ftok.c
index 4c1ab18950eb..6a44049d0f85 100644
--- a/tests/lib/libc/gen/t_ftok.c
+++ b/tests/lib/libc/gen/t_ftok.c
@@ -65,7 +65,7 @@ ATF_TC_BODY(ftok_link, tc)
 	key_t k1, k2, k3;
 	int fd;
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd >= 0);
 	(void)close(fd);
diff --git a/tests/lib/libc/stdio/t_fopen.c b/tests/lib/libc/stdio/t_fopen.c
index c5b89215430f..1946c921aeb6 100644
--- a/tests/lib/libc/stdio/t_fopen.c
+++ b/tests/lib/libc/stdio/t_fopen.c
@@ -58,7 +58,7 @@ ATF_TC_BODY(fdopen_close, tc)
 	 * used to fdopen(3) a stream is
 	 * closed once the stream is closed.
 	 */
-	fd = open(path, O_RDWR | O_CREAT);
+	fd = open(path, O_RDWR | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd >= 0);
 
@@ -85,7 +85,7 @@ ATF_TC_BODY(fdopen_err, tc)
 {
 	int fd;
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 	ATF_REQUIRE(fd >= 0);
 
 	errno = 0;
@@ -126,7 +126,7 @@ ATF_TC_BODY(fdopen_seek, tc)
 	 * with the stream corresponds with the offset
 	 * set earlier for the file descriptor.
 	 */
-	fd = open(path, O_RDWR | O_CREAT);
+	fd = open(path, O_RDWR | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd >= 0);
 	ATF_REQUIRE(write(fd, "garbage", 7) == 7);
diff --git a/tests/lib/libc/sys/t_access.c b/tests/lib/libc/sys/t_access.c
index f75617235972..d4a5cd1e75b1 100644
--- a/tests/lib/libc/sys/t_access.c
+++ b/tests/lib/libc/sys/t_access.c
@@ -58,7 +58,7 @@ ATF_TC_BODY(access_access, tc)
 	size_t i;
 	int fd;
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 
 	if (fd < 0)
 		return;
diff --git a/tests/lib/libc/sys/t_mprotect.c b/tests/lib/libc/sys/t_mprotect.c
index 3526554b2863..a8b9ae853dbb 100644
--- a/tests/lib/libc/sys/t_mprotect.c
+++ b/tests/lib/libc/sys/t_mprotect.c
@@ -87,7 +87,7 @@ ATF_TC_BODY(mprotect_access, tc)
 	size_t i;
 	int fd;
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 	ATF_REQUIRE(fd >= 0);
 
 	/*
diff --git a/tests/lib/libc/sys/t_stat.c b/tests/lib/libc/sys/t_stat.c
index adb32bb11efc..9d0136dae50b 100644
--- a/tests/lib/libc/sys/t_stat.c
+++ b/tests/lib/libc/sys/t_stat.c
@@ -64,7 +64,7 @@ ATF_TC_BODY(stat_chflags, tc)
 	(void)memset(&sa, 0, sizeof(struct stat));
 	(void)memset(&sb, 0, sizeof(struct stat));
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd != -1);
 	ATF_REQUIRE(stat(path, &sa) == 0);
@@ -210,7 +210,7 @@ ATF_TC_BODY(stat_mtime, tc)
 		(void)memset(&sa, 0, sizeof(struct stat));
 		(void)memset(&sb, 0, sizeof(struct stat));
 
-		fd[i] = open(path, O_WRONLY | O_CREAT);
+		fd[i] = open(path, O_WRONLY | O_CREAT, 0600);
 
 		ATF_REQUIRE(fd[i] != -1);
 		ATF_REQUIRE(write(fd[i], "X", 1) == 1);
@@ -254,7 +254,7 @@ ATF_TC_BODY(stat_perm, tc)
 	uid = getuid();
 	gid = getgid();
 
-	fd = open(path, O_RDONLY | O_CREAT);
+	fd = open(path, O_RDONLY | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd != -1);
 	ATF_REQUIRE(fstat(fd, &sa) == 0);
@@ -288,7 +288,7 @@ ATF_TC_BODY(stat_size, tc)
 	size_t i;
 	int fd;
 
-	fd = open(path, O_WRONLY | O_CREAT);
+	fd = open(path, O_WRONLY | O_CREAT, 0600);
 	ATF_REQUIRE(fd >= 0);
 
 	for (i = 0; i < n; i++) {
@@ -377,7 +377,7 @@ ATF_TC_BODY(stat_symlink, tc)
 	(void)memset(&sa, 0, sizeof(struct stat));
 	(void)memset(&sb, 0, sizeof(struct stat));
 
-	fd = open(path, O_WRONLY | O_CREAT);
+	fd = open(path, O_WRONLY | O_CREAT, 0600);
 
 	ATF_REQUIRE(fd >= 0);
 	ATF_REQUIRE(symlink(path, pathlink) == 0);
diff --git a/tests/lib/libc/sys/t_write.c b/tests/lib/libc/sys/t_write.c
index 576ce7e7c0b5..18bcaba4f7aa 100644
--- a/tests/lib/libc/sys/t_write.c
+++ b/tests/lib/libc/sys/t_write.c
@@ -69,7 +69,7 @@ ATF_TC_BODY(write_err, tc)
 	errno = 0;
 	ATF_REQUIRE_ERRNO(EBADF, write(-1, wbuf, sizeof(wbuf)) == -1);
 
-	fd = open(path, O_RDWR | O_CREAT);
+	fd = open(path, O_RDWR | O_CREAT, 0600);
 
 	if (fd >= 0) {
 
@@ -141,7 +141,7 @@ ATF_TC_BODY(write_pos, tc)
 	size_t i;
 	int fd;
 
-	fd = open(path, O_RDWR | O_CREAT);
+	fd = open(path, O_RDWR | O_CREAT, 0600);
 	ATF_REQUIRE(fd >= 0);
 
 	for (i = 0; i < n; i++) {
@@ -171,7 +171,7 @@ ATF_TC_BODY(write_ret, tc)
 	size_t i, j;
 	int fd;
 
-	fd = open(path, O_WRONLY | O_CREAT);
+	fd = open(path, O_WRONLY | O_CREAT, 0600);
 	ATF_REQUIRE(fd >= 0);
 
 	(void)memset(buf, 'x', sizeof(buf));
Home | Main Index | Thread Index | Old Index