> Please describe exact testcases of the attacks you defend against.

I have attached a demonstration script for the issue with rm -r. The script intentionally slows down the rm process to make the issue easier to reproduce, but the same issue should be possible (but potentially difficult) without it. The TOCTOU race is possible between the fstat/stat call used to check for a directory and the opendir call used to get an fd for the directory. Between these moments the directory can be replaced with a symlink pointing to any path, and opendir will follow that symlink when getting the fd.

The same pattern of *stat + opendir exists in multiple places in the code, and I decided to proactively harden these code paths against potentially similar issues as well by changing the shared recursive_action. One might notice that even with my change a directory could have been replaced with a symlink between stat and opendir, but that is mitigated by using O_DIRECTORY|O_NOFOLLOW (or other calls that would fail if the type changed).

> The code is going to be evolving in the future.
> The future core readers need to understand
> what needs to be avoided,

I understand, please ask again if something wasn't understandable enough!
Attachment: test.sh (application/shellscript)

busybox mailing list: https://lists.busybox.net/mailman/listinfo/busybox
