ibm-s390-linux / smc-tools

Tools for use with AF_SMC sockets
Eclipse Public License 1.0

Predictable /tmp file in stats.c allows for local denial of service #13

Open wfrisch opened 1 month ago

wfrisch commented 1 month ago

Summary

In smc-tools [1][2], the open_cache_file() function in stats.c [3] operates on a predictable path in /tmp, allowing an unprivileged local user to deny the program's service.

```c
sprintf(cache_file_path, "/tmp/.smcstats.u%d", getuid());
fd = open(cache_file_path, O_RDWR|O_CREAT|O_NOFOLLOW, 0600);
```

Implications

  1. Symlink attacks are not possible here due to O_NOFOLLOW, but open() will fail, causing a denial of service.
  2. If /proc/sys/fs/protected_regular = 0, an attacker can place a file with arbitrary content which will be read by smcr stats. However, since the parser is correctly implemented, there appears to be no obvious way to exploit this with bogus data.
  3. If /proc/sys/fs/protected_regular = 2, open() will fail, causing a denial of service.

Suggested mitigation

The data should be stored in the user's home directory or /run/user/${UID}/.

[1] https://build.opensuse.org/package/show/network/smc-tools
[2] https://github.com/ibm-s390-linux/smc-tools
[3] https://github.com/ibm-s390-linux/smc-tools/blob/75e767d2e900a0ce66fc80f58d59471b90e87fed/stats.c#L962

JanKarcher commented 2 weeks ago

Hello, thanks for bringing this up and sending out a reminder. I'm going to look into this and update the issue accordingly.