Subject: bug#8836: mktemp-related race condition in movemail
To: 8836@debbugs.gnu.org
Message-ID: <4DF25887.3010903@cs.ucla.edu>
Date: Fri, 10 Jun 2011 10:46:47 -0700
From: Paul Eggert
Organization: UCLA Computer Science Department

There is a race condition in lib-src/movemail.c, and some related bugs. I plan to commit the following patch. This one has security implications, so I'm filing a bug report to give others a bigger heads-up. I found this one via GCC 4.6.0's static analysis.

* movemail.c: Fix race condition and related bugs.
(main) [!MAIL_USE_SYSTEM_LOCK]: Prefer mkstemp to mktemp, as this fixes some race conditions. Report mkstemp/mktemp errno rather than a possibly-garbage errno. Reinitialize the template each time through the loop, as earlier mkstemp/mktemp calls could have trashed it. Pass 0600 (not 0666) to mktemp, for consistency with mkstemp; the permissions don't matter anyway.

=== modified file 'lib-src/movemail.c' --- lib-src/movemail.c 2011-04-16 21:20:25 +0000 +++ lib-src/movemail.c 2011-06-10 17:30:52 +0000 @@ -168,8 +168,9 @@ #ifndef MAIL_USE_SYSTEM_LOCK struct stat st; int tem; - char *lockname, *p; + char *lockname; char *tempname; + size_t inname_dirlen; int desc; #endif /* not MAIL_USE_SYSTEM_LOCK */ 
@@ -298,26 +299,38 @@ to bug-gnu-emacs@prep.ai.mit.edu so we can fix it. */ lockname = concat (inname, ".lock", ""); - tempname = (char *) xmalloc (strlen (inname) + strlen ("EXXXXXX") + 1); - strcpy (tempname, inname); - p = tempname + strlen (tempname); - while (p != tempname && !IS_DIRECTORY_SEP (p[-1])) - p--; - *p = 0; - strcpy (p, "EXXXXXX"); - mktemp (tempname); - unlink (tempname); + for (inname_dirlen = strlen (inname); + inname_dirlen && !IS_DIRECTORY_SEP (inname[inname_dirlen - 1]); + inname_dirlen--) + continue; + tempname = (char *) xmalloc (inname_dirlen + sizeof "EXXXXXX"); while (1) { /* Create the lock file, but not under the lock file name. */ /* Give up if cannot do that. */ - desc = open (tempname, O_WRONLY | O_CREAT | O_EXCL, 0666); + + memcpy (tempname, inname, inname_dirlen); + strcpy (tempname + inname_dirlen, "EXXXXXX"); +#ifdef HAVE_MKSTEMP + desc = mkstemp (tempname); +#else + mktemp (tempname); + if (!*tempname) + desc = -1; + else + { + unlink (tempname); + desc = open (tempname, O_WRONLY | O_CREAT | O_EXCL, 0600); + } +#endif if (desc < 0) { + int mkstemp_errno = errno; char *message = (char *) xmalloc (strlen (tempname) + 50); sprintf (message, "creating %s, which would become the lock file", tempname); + errno = mkstemp_errno; pfatal_with_name (message); } close (desc);
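
Review bot: In the `#else` fallback of the second hunk, `unlink (tempname)` still runs between `mktemp` and `open`, so builds without HAVE_MKSTEMP keep a choose-name-then-create window that the `mkstemp` branch closes. `O_EXCL` already makes `open` fail if anything exists at that name, so the only effect of the unlink is to remove a file that some other process created after `mktemp` picked the name; consider dropping the unlink and treating an `EEXIST` from `open` as a reason to regenerate the template rather than a fatal error. Separately, when `mktemp` fails and leaves the template empty (the `!*tempname` branch), the `desc < 0` path formats its message with an empty `tempname`, so the report reads "creating , which would become the lock file"; printing the directory prefix or the unexpanded template there would keep the error usable.
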
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Eggert
Subject: bug#8836: closed (Re: bug#8836: Acknowledgement (mktemp-related race condition in movemail))
References: <4DF25982.20901@cs.ucla.edu> <4DF25887.3010903@cs.ucla.edu>
Reply-To: 8836@debbugs.gnu.org
Date: Fri, 10 Jun 2011 17:52:02 +0000

Your bug report

#8836: mktemp-related race condition in movemail

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 8836@debbugs.gnu.org.

-- 
8836: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8836
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Message-ID: <4DF25982.20901@cs.ucla.edu>
Date: Fri, 10 Jun 2011 10:50:58 -0700
From: Paul Eggert
To: 8836-done@debbugs.gnu.org
Subject: Re: bug#8836: Acknowledgement (mktemp-related race condition in movemail)
References: <4DF25887.3010903@cs.ucla.edu>

I committed the fix in bzr 104555 on the trunk.