From patchwork Thu Aug 8 19:40:54 2013
X-Patchwork-Submitter: Yann Droneaud
X-Patchwork-Id: 2841356
From: Yann Droneaud
To: linux-rdma@vger.kernel.org
Cc: Yann Droneaud
Subject: [PATCH libibverbs v2 11/11] read_config_file(): refuse to open configuration file if it's symlink
Date: Thu, 8 Aug 2013 21:40:54 +0200
Message-Id: <841fe809c4767b67b850c2cce4ea5d66160266c1.1375952089.git.ydroneaud@opteya.com>

O_NOFOLLOW is an option to open() that allows an application to not follow
symlinks when opening a path.

Using this option, openat() will fail if the configuration file is a symlink.

See open()[1][2] for more information on O_NOFOLLOW.

Weakness addressed:
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-61: UNIX Symbolic Link (Symlink) Following
- CWE-363: Race Condition Enabling Link Following
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Secure coding:
- POS01-C. Check for the existence of links when dealing with files
- POS35-C. Avoid race conditions while checking for the existence of a symbolic link

Links:
- [1] open
- [2] open(2)

Signed-off-by: Yann Droneaud
--- configure.ac | 6 ++++++ src/init.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 9544726..7e7bc63 100644 --- a/configure.ac +++ b/configure.ac 
@@ -52,6 +52,12 @@ AC_CHECK_DECLS([O_DIRECTORY],,[AC_DEFINE([O_DIRECTORY],[0], [Defined to 0 if not # include #endif ]]) +AC_CHECK_DECLS([O_NOFOLLOW],,[AC_DEFINE([O_NOFOLLOW],[0], [Defined to 0 if not provided])], +[[ +#ifdef HAVE_FCNTL_H +# include +#endif +]]) AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])], [[ #ifdef HAVE_FCNTL_H diff --git a/src/init.c b/src/init.c index 0b46b78..0af6c47 100644 --- a/src/init.c +++ b/src/init.c @@ -269,7 +269,7 @@ static void read_config_file(int conf_dirfd, const char *name) ssize_t len; struct stat buf; - fd = openat(conf_dirfd, name, O_RDONLY | O_CLOEXEC); + fd = openat(conf_dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); if (fd == -1) { fprintf(stderr, PFX "Warning: couldn't read config file '%s/%s'.\n", IBV_CONFIG_DIR, name);
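Review bot: In the configure.ac hunk, the fallback AC_DEFINE([O_NOFOLLOW],[0], [Defined to 0 if not provided]) makes the flag a silent no-op on any platform whose fcntl.h lacks it, so the openat() call in read_config_file() follows symlinks there without any build-time or run-time indication. That matches the existing O_DIRECTORY and O_CLOEXEC fallbacks, but those flags are not the sole enforcement of a security property. Consider emitting a configure warning (AC_MSG_WARN) when the declaration is missing, or having read_config_file() fall back to an fstat()-based check when O_NOFOLLOW is 0, and state in the commit message that the protection depends on platform support.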
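Review bot: In the src/init.c hunk, a refusal caused by O_NOFOLLOW goes through the unchanged fd == -1 branch, which prints only "Warning: couldn't read config file '%s/%s'." and gives no reason. When the file is a symlink, openat() fails with ELOOP, and an administrator who has legitimately symlinked a configuration file will see a warning that does not explain why it stopped being read. Consider including strerror(errno) in the message, or testing errno == ELOOP to print a specific "is a symbolic link" warning. It is also worth documenting that O_NOFOLLOW applies only to the final component of name, so the guarantee relies on name being a plain file name relative to conf_dirfd.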