The following issues were found

Kernel/FileSystem/TmpFS.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 64 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 65 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;
    virtual void one_ref_left() override;


Reported by FlawFinder.

Kernel/FileSystem/SysFS.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 95 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, StringView const& name, mode_t) override;
    virtual KResult remove_child(StringView const& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

    NonnullRefPtr<SysFSComponent> m_associated_component;
};


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 96 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, StringView const& name, mode_t) override;
    virtual KResult remove_child(StringView const& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

    NonnullRefPtr<SysFSComponent> m_associated_component;
};


Reported by FlawFinder.

Kernel/FileSystem/SysFS.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 151 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    return EROFS;
}

KResult SysFSInode::chmod(mode_t)
{
    return EPERM;
}

KResult SysFSInode::chown(uid_t, gid_t)


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 156 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    return EPERM;
}

KResult SysFSInode::chown(uid_t, gid_t)
{
    return EPERM;
}

KResult SysFSInode::truncate(u64)


Reported by FlawFinder.

Kernel/FileSystem/ProcFS.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 63 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override final;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override final;
    virtual KResult remove_child(const StringView& name) override final;
    virtual KResult chmod(mode_t) override final;
    virtual KResult chown(uid_t, gid_t) override final;
    virtual KResult truncate(u64) override final;
};

class ProcFSGlobalInode : public ProcFSInode {


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 64 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, const StringView& name, mode_t) override final;
    virtual KResult remove_child(const StringView& name) override final;
    virtual KResult chmod(mode_t) override final;
    virtual KResult chown(uid_t, gid_t) override final;
    virtual KResult truncate(u64) override final;
};

class ProcFSGlobalInode : public ProcFSInode {
    friend class ProcFS;


Reported by FlawFinder.

Kernel/Devices/AsyncDeviceRequest.h
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 105 Column: 27 CWE codes: 120 20

    [[nodiscard]] bool read_from_buffer(const UserOrKernelBuffer& buffer, Args... args)
    {
        if (in_target_context(buffer))
            return buffer.read(forward<Args>(args)...);
        ProcessPagingScope paging_scope(m_process);
        return buffer.read(forward<Args>(args)...);
    }

    template<size_t BUFFER_BYTES, typename... Args>


Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 107 Column: 23 CWE codes: 120 20

        if (in_target_context(buffer))
            return buffer.read(forward<Args>(args)...);
        ProcessPagingScope paging_scope(m_process);
        return buffer.read(forward<Args>(args)...);
    }

    template<size_t BUFFER_BYTES, typename... Args>
    [[nodiscard]] KResultOr<size_t> read_from_buffer_buffered(const UserOrKernelBuffer& buffer, Args... args)
    {


Reported by FlawFinder.

Userland/Libraries/LibC/sys/mman.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 112 CWE codes: 126

void* serenity_mmap(void* addr, size_t size, int prot, int flags, int fd, off_t offset, size_t alignment, const char* name)
{
    Syscall::SC_mmap_params params { (uintptr_t)addr, size, alignment, prot, flags, fd, offset, { name, name ? strlen(name) : 0 } };
    ptrdiff_t rc = syscall(SC_mmap, &params);
    if (rc < 0 && rc > -EMAXERRNO) {
        errno = -rc;
        return MAP_FAILED;
    }


Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 66 Column: 67 CWE codes: 126

        errno = EFAULT;
        return -1;
    }
    Syscall::SC_set_mmap_name_params params { addr, size, { name, strlen(name) } };
    int rc = syscall(SC_set_mmap_name, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
}

int madvise(void* address, size_t size, int advice)


Reported by FlawFinder.

Kernel/FileSystem/ProcFS.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 96 Column: 22 CWE codes: 362
Suggestion: Use fchmod( ) instead

    return EROFS;
}

KResult ProcFSInode::chmod(mode_t)
{
    return EPERM;
}

KResult ProcFSInode::chown(uid_t, gid_t)


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 101 Column: 22 CWE codes: 362
Suggestion: Use fchown( ) instead

    return EPERM;
}

KResult ProcFSInode::chown(uid_t, gid_t)
{
    return EPERM;
}

KResult ProcFSInode::truncate(u64)


Reported by FlawFinder.

Kernel/FileSystem/Plan9FileSystem.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 166 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

    virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

private:
    Plan9FSInode(Plan9FS&, u32 fid);


Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 167 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;

private:
    Plan9FSInode(Plan9FS&, u32 fid);
    static NonnullRefPtr<Plan9FSInode> create(Plan9FS&, u32 fid);


Reported by FlawFinder.

Kernel/CoreDump.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 342 Column: 18 CWE codes: 362
Suggestion: Use fchmod( ) instead

    if (result.is_error())
        return result;

    return m_fd->chmod(0600); // Make coredump file read/writable
}

}


Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 59 Column: 49 CWE codes: 362

        dbgln("Refusing to put core dump in sketchy directory '{}'", output_directory);
        return nullptr;
    }
    auto fd_or_error = VirtualFileSystem::the().open(
        KLexicalPath::basename(output_path),
        O_CREAT | O_WRONLY | O_EXCL,
        S_IFREG, // We will enable reading from userspace when we finish generating the coredump file
        *dump_directory.value(),
        UidAndGid { process.uid(), process.gid() });


Reported by FlawFinder.

Kernel/kstdio.h
2 issues
printf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 17 Column: 77 CWE codes: 134
Suggestion: Use a constant for the format specification

void dbgputstr(const char*, size_t);
void kernelputstr(const char*, size_t);
void kernelcriticalputstr(const char*, size_t);
int snprintf(char* buf, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
void set_serial_debug(bool on_or_off);
int get_serial_debug();
}

void dbgputstr(StringView view);


Reported by FlawFinder.

snprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 17 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

void dbgputstr(const char*, size_t);
void kernelputstr(const char*, size_t);
void kernelcriticalputstr(const char*, size_t);
int snprintf(char* buf, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
void set_serial_debug(bool on_or_off);
int get_serial_debug();
}

void dbgputstr(StringView view);


Reported by FlawFinder.