Security #8682: unix-socket: TOCTOU race in Unix socket directory creation

Added by Jason Ish 9 days ago. Updated 2 days ago.

Status: Triaged
Priority: Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity: LOW
Disclosure Date:
GHSA:

Description

Reported by Sreejith Gopinath.

File: src/unix-manager.c:141–143
UnixNew() performs stat(SOCKET_PATH) followed by SCMkDir(SOCKET_PATH) with no atomic alternative. A local attacker can swap the target with a symlink in the race window; during privileged startup before privilege drop, the symlink target is opened as root. Already flagged in-source with /* coverity[toctou] */ but left unmitigated.
CWE-367. Confirmed at source level on both 7.0.15 and 8.0.4: unix-socket-high8-toctou-sequence-01 verifies the stat()/SCMkDir() sequence is still present in the check_dir block. A runtime race harness is not practical in CI given the narrow window; the test guards the vulnerable sequence until a safe primitive replaces it.
Suggested remediation: Replace stat()+SCMkDir() with an atomic mkdir() call and handle EEXIST explicitly, or use O_CREAT|O_EXCL semantics where applicable.
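
One way to apply the suggested remediation, shown beside the check-then-create shape the report describes. This is an added example, not Suricata's code or a proposed patch; `ensure_dir_racy`, `ensure_dir_atomic`, the owner check and the `./example-socket-dir` path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shape described in the report: check, then create. Whatever `path` names
 * can be replaced between the two calls, and stat() follows symlinks. */
int ensure_dir_racy(const char *path, mode_t mode)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return mkdir(path, mode);
    return 0; /* "exists" is accepted without knowing what it is */
}

/* Create first, then verify the object that was actually opened.
 * Returns a directory fd (caller closes) or -1 with errno set.
 * The owner check is an assumed policy for this example. */
int ensure_dir_atomic(const char *path, mode_t mode)
{
    struct stat st;
    /* mkdir() is atomic and never follows a symlink in the last component:
     * an existing name of any type yields EEXIST. */
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects non-directories. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() inspects the opened inode, so a later rename cannot change it. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "./example-socket-dir"; /* placeholder */
    int fd = ensure_dir_atomic(path, 0750);
    if (fd < 0) { perror(path); return EXIT_FAILURE; }
    printf("%s: verified directory, fd %d\n", path, fd);
    close(fd);
    return EXIT_SUCCESS;
}
```

O_NOFOLLOW only covers the final path component, so the parent directories must not be writable by untrusted users.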


Subtasks 2 (2 open, 0 closed)

Security #8701: unix-socket: TOCTOU race in Unix socket directory creation (8.0.x backport), Assigned, OISF Dev
Security #8702: unix-socket: TOCTOU race in Unix socket directory creation (7.0.x backport), Assigned, OISF Dev

Updated by Lukas Sismis 2 days ago #1

  • Status changed from New to Triaged
  • Target version changed from TBD to 9.0.0-beta1
  • Affected Versions 7.0.15, 8.0.4 added
  • Label Needs backport to 7.0, Needs backport to 8.0 added

Updated by OISF Ticketbot 2 days ago #2

  • Subtask #8701 added

Updated by OISF Ticketbot 2 days ago #3

  • Label deleted (Needs backport to 8.0)

Updated by OISF Ticketbot 2 days ago #4

  • Subtask #8702 added

Updated by OISF Ticketbot 2 days ago #5

  • Label deleted (Needs backport to 7.0)

Updated by Lukas Sismis 2 days ago #6

  • Assignee set to Community Ticket