The following issues were found

Userland/Libraries/LibC/sys/stat.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 17 Column: 5 CWE codes: 362
Suggestion: Use fchmod( ) instead

__BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);
int lstat(const char* path, struct stat* statbuf);

Reported by FlawFinder.

umask - Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)
Security

Line: 16 Column: 8 CWE codes: 732

__BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);


Reported by FlawFinder.

Tests/Kernel/setpgid-across-sessions-without-leader.cpp
2 issues
usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 76 Column: 20 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

static void sleep_steps(useconds_t steps)
{
    const int rc = usleep(steps * STEP_SIZE);
    if (rc < 0) {
        perror("usleep");
        VERIFY_NOT_REACHED();
    }
}


Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 114 Column: 18 CWE codes: 120 20

    // the test as failed (for lack of knowledge). Otherwise, it outputs accordingly.
    dbgln("PX reads from pipe");
    unsigned char buf = 42;
    ssize_t rc = read(fds[0], &buf, 1);
    if (rc == 0) {
        // In fact, we only reach this branch when *all* processes have died,
        // including this one. So … should be unreachable.
        printf("DOUBLE FAIL: pipe is closed, but we still have it open.\n"
               "See debug log, some process probably crashed.\n");


Reported by FlawFinder.

Tests/Kernel/mmap-write-into-running-programs-executable-file.cpp
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 16 Column: 14 CWE codes: 362

int main()
{
    int fd = open("/bin/SystemServer", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    u8* ptr = (u8*)mmap(nullptr, 16384, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);


Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 72 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        0xed, 0x09, 0x00, 0x00, 0xcd, 0x82, 0xc3
    };

    memcpy(&ptr[0x3111], payload, sizeof(payload));

    printf("ok\n");
    return 0;
}


Reported by FlawFinder.

Kernel/Devices/HID/KeyboardDevice.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 296 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        lock.unlock();

        auto result = buffer.write_buffered<sizeof(Event)>(sizeof(Event), [&](u8* data, size_t data_bytes) {
            memcpy(data, &event, sizeof(Event));
            return data_bytes;
        });
        if (result.is_error())
            return result.error();
        VERIFY(result.value() == sizeof(Event));


Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 281 Column: 35 CWE codes: 120 20

    return !m_queue.is_empty();
}

KResultOr<size_t> KeyboardDevice::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t size)
{
    size_t nread = 0;
    ScopedSpinLock lock(m_queue_lock);
    while (nread < size) {
        if (m_queue.is_empty())


Reported by FlawFinder.

Userland/Libraries/LibC/shadow.cpp
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 33 Column: 20 CWE codes: 362

    if (s_stream) {
        rewind(s_stream);
    } else {
        s_stream = fopen("/etc/shadow", "r");
        if (!s_stream) {
            dbgln("open /etc/shadow failed: {}", strerror(errno));
        }
    }
}


Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 164 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

            return nullptr;
        }

        char buffer[1024];
        ++s_line_number;
        char* s = fgets(buffer, sizeof(buffer), s_stream);

        // Silently tolerate an empty line at the end.
        if ((!s || !s[0]) && feof(s_stream))


Reported by FlawFinder.

Tests/Kernel/bxvga-mmap-kernel-into-userspace.cpp
2 issues
execl - This causes a new program to execute and is difficult to use safely
Security

Line: 95 Column: 5 CWE codes: 78
Suggestion: try using a library call that implements the same functionality if available

        return 1;
    }

    execl("/bin/sh", "sh", nullptr);

    return 0;
}


Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 17 Column: 14 CWE codes: 362

int main()
{
    int fd = open("/dev/fb0", O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }


Reported by FlawFinder.

Kernel/FileSystem/TmpFS.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 64 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 65 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;
    virtual void one_ref_left() override;


Reported by FlawFinder.

Kernel/FileSystem/SysFS.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 95 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, StringView const& name, mode_t) override;
    virtual KResult remove_child(StringView const& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

    NonnullRefPtr<SysFSComponent> m_associated_component;
};


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 96 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, StringView const& name, mode_t) override;
    virtual KResult remove_child(StringView const& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

    NonnullRefPtr<SysFSComponent> m_associated_component;
};


Reported by FlawFinder.

Userland/Libraries/LibC/pty.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 37 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

        return -1;
    }

    char tty_name[32];
    int rc = ptsname_r(*amaster, tty_name, sizeof(tty_name));
    if (rc < 0) {
        int error = errno;
        close(*amaster);
        errno = error;


Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 51 Column: 15 CWE codes: 362

        [[maybe_unused]] auto rc = strlcpy(name, tty_name, 128);
    }

    *aslave = open(tty_name, O_RDWR | O_NOCTTY);
    if (*aslave < 0) {
        int error = errno;
        close(*amaster);
        errno = error;
        return -1;


Reported by FlawFinder.

Kernel/FileSystem/SysFS.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 151 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    return EROFS;
}

KResult SysFSInode::chmod(mode_t)
{
    return EPERM;
}

KResult SysFSInode::chown(uid_t, gid_t)


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 156 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    return EPERM;
}

KResult SysFSInode::chown(uid_t, gid_t)
{
    return EPERM;
}

KResult SysFSInode::truncate(u64)


Reported by FlawFinder.