Predictable /tmp file in stats.c allows for local denial of service

[wfrisch]

Summary

In smc-tools [1][2], the open_cache_file() function in stats.c [3] operates on a predictable path in /tmp, allowing an unprivileged local user to deny the program's service.

sprintf(cache_file_path, "/tmp/.smcstats.u%d", getuid());
fd = open(cache_file_path, O_RDWR|O_CREAT|O_NOFOLLOW, 0600);

Implications

1. Symlink attacks are not possible here due to O_NOFOLLOW, but open() will fail, causing a denial of service.
2. If /proc/sys/fs/protected_regular = 0, an attacker can place a file with arbitrary content which will be read by smcr stats. However, since the parser is correctly implemented, there appears to be no obvious way to exploit this with bogus data.
3. If /proc/sys/fs/protected_regular = 2, open() will fail, causing a denial of service.

Suggested mitigation

The data should be stored in the user's home directory or /run/user/${UID}/.

[1] https://build.opensuse.org/package/show/network/smc-tools
[2] https://github.com/ibm-s390-linux/smc-tools
[3]

smc-tools/stats.c

Line 962 in 75e767d

sprintf(cache_file_path, "/tmp/.smcstats.u%d", getuid());

[JanKarcher]

Hello,
thanks for bringing this up and sending out a reminder.
I'm going to look into this and update the issue accordingly.

• Jan

[ngueorguiev]

Hello everyone,
Is there an update on this issue?
Thanks in advance.

[mmaslano]

Hello @JanKarcher
I noticed our internal bug got closed because we agreed on a solution (https://bugzilla.suse.com/show_bug.cgi?id=1230052), but the upstream seems to be missing this fix.
Thanks for looking into it.
Marcela