GNU bug report logs - #11100
Racy code in copy.c


Package: coreutils

Reported by: Philipp Thomas <pth <at> suse.de>

Date: Tue, 27 Mar 2012 13:32:02 UTC

Severity: normal

Merged with 11074

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Philipp Thomas <pth <at> suse.de>
To: bug-coreutils <at> gnu.org
Cc: Neil F Brown <nfbrown <at> suse.com>
Subject: Racy code in copy.c
Date: Tue, 27 Mar 2012 14:58:18 +0200

I'd like to pass on observations from my colleague Neil Brown:

in src/copy.c, copy_reg() is passed "bool *new_dst".

This is 'false' if the file already exists, in which case it attempts to
open the file with O_WRONLY | O_TRUNC | O_BINARY.
If it is 'true', only then does it use O_CREAT (and others).

Somewhere up the call chain - I'm not sure where - new_dst is set if 'stat'
on the file succeeds.  The above mentioned code assumes that the file still
exists.  This is racy - particularly for NFS where deletions from other
clients can take a while to appear.

Philipp
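
The check-then-open pattern described in the message above, next to a variant that treats the earlier check only as a hint and lets open() report the real state. This is an added example, not code from coreutils or from the reporter; the function names are hypothetical, and O_BINARY is left out because it is not a POSIX flag.

```c
#define _POSIX_C_SOURCE 200809L
/* Added illustration, not coreutils code; function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>

/* Pattern from the report: the flags depend on an earlier existence check. */
int open_dest_racy(const char *path, bool new_dst, mode_t mode)
{
    if (!new_dst)
        return open(path, O_WRONLY | O_TRUNC);   /* ENOENT if the file vanished */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Race-tolerant variant: *new_dst is a hint, corrected from open()'s errno. */
int open_dest_retry(const char *path, bool *new_dst, mode_t mode)
{
    for (int attempt = 0; attempt < 4; attempt++) {
        int fd = *new_dst ? open(path, O_WRONLY | O_CREAT | O_EXCL, mode)
                          : open(path, O_WRONLY | O_TRUNC);
        /* Only ENOENT (vanished) or EEXIST (appeared) mean the hint was stale. */
        if (fd >= 0 || errno != (*new_dst ? EEXIST : ENOENT))
            return fd;
        *new_dst = !*new_dst;
    }
    errno = EAGAIN;   /* state kept flipping; give up */
    return -1;
}

/* Constructed scenario: the file exists at check time and is gone before open.
   Returns 1 if the racy open fails with ENOENT and the retry variant succeeds. */
int demo_vanished_file(void)
{
    char path[] = "/tmp/copyrace-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);
    bool new_dst = false;            /* what the earlier check concluded */
    unlink(path);                    /* stands in for another client's delete */
    int racy = open_dest_racy(path, new_dst, 0600);
    int racy_errno = errno;
    int fd = open_dest_retry(path, &new_dst, 0600);
    int ok = racy < 0 && racy_errno == ENOENT && fd >= 0 && new_dst;
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}
```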




This bug report was last modified 3 years and 184 days ago.
