time-of-check to time-of-use (TOCTOU) attack

Bug #2047723 reported by lujiefsi
This bug affects 1 person

Affects: storlets    Status: Fix Released    Importance: Undecided    Assigned to: Unassigned    Milestone: (none)

Bug Description

The vulnerability is at https://github.com/openstack/storlets/blob/928de77bac448c9bc04a274c494608ce7190563a/storlets/gateway/gateways/docker/gateway.py#L320C20-L320C30

Take gateway.py#L320C20-L320C30 for example:

```
with open(cache_target_path, 'wb') as fn:
    for data in data_iter:
        fn.write(data)
if not is_storlet:
    if not perm:
        perm = '0600'
    os.chmod(cache_target_path, int(perm, 8))
```

When a file is first written and then its permissions are later changed using chmod, there exists a potential security risk known as a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file.

lujiefsi (lujiefsi)
description: updated
lujiefsi (lujiefsi)
description: updated
lujiefsi (lujiefsi)
information type: Private Security → Public Security
lujiefsi (lujiefsi)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to storlets (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/storlets/+/906183

Changed in storlets:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on storlets (master)

Change abandoned by "Takashi Kajinami <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/storlets/+/906183
Reason: in favor of https://review.opendev.org/c/openstack/storlets/+/906186

OpenStack Infra (hudson-openstack) wrote : Fix merged to storlets (master)

Reviewed: https://review.opendev.org/c/openstack/storlets/+/906186
Committed: https://opendev.org/openstack/storlets/commit/5ad58804af885db3eb7a78bea5000c401eeeb70e
Submitter: "Zuul (22348)"
Branch: master

commit 5ad58804af885db3eb7a78bea5000c401eeeb70e
Author: Takashi Kajinami <email address hidden>
Date: Sun Jan 21 02:30:33 2024 +0900

    Restrict access to local storlet/dependency files

    Now swift and storlet daemon inside containers run with consistent uid
    so we don't need group/other permissions.

    Also chown should be executed before actual file content is written,
    so that the content is not read by a different user.

    Closes-Bug: #2047723
    Change-Id: I7790e51556875be1fc6438d1e2c599b693ca3b5b

Changed in storlets:
status: In Progress → Fix Released
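The write-then-chmod ordering quoted in the bug description, next to the ordering the commit message above asks for (restrict the file before any content is written), as an added example. This is not code from the storlets project or from the fix commit; the helper names `write_then_chmod`, `write_with_mode` and `mode_seen_during_write` are invented here, the data chunks are constructed, and the umask is pinned to 0o022 so that the mode produced by the vulnerable path is deterministic. The third helper stands in for a local user polling the cache directory while the download is in progress and records which permission bits were on the file each time a chunk had landed.

```python
# Added example, not code from the storlets project or from the fix commit.
# Assumptions: helper names are invented here, the chunks are constructed
# data, and the umask is pinned to 0o022 for a deterministic result.
import os
import stat
import tempfile


def write_then_chmod(path, data_iter, perm="0600"):
    """Ordering from the bug report: open() creates the file under the
    process umask (0o644 with umask 0o022), every chunk is written, and only
    then is the mode tightened. Until the chmod, all content written so far
    is readable by any local user who can reach the directory."""
    with open(path, "wb") as fn:
        for data in data_iter:
            fn.write(data)
    os.chmod(path, int(perm, 8))


def write_with_mode(path, data_iter, perm="0600"):
    """Hardened ordering: hand the final mode to os.open so the inode is
    created as 0o600 before the first byte is written. O_NOFOLLOW refuses a
    symlink planted at the target path. The mode is still masked by the
    umask, which can only make it more restrictive, never looser."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, int(perm, 8))
    with os.fdopen(fd, "wb") as fn:
        for data in data_iter:
            fn.write(data)
    # no trailing chmod: the mode was right from creation onward


def mode_seen_during_write(writer, perm="0600"):
    """Drive `writer` with a chunk iterator that stats the file between
    chunks, i.e. at points where content is already on disk but the writer
    has not finished. Returns (set of modes seen mid-write, final mode)."""
    observed = set()
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "cache.bin")
    old_umask = os.umask(0o022)

    def chunks():
        for chunk in (b"secret-part-1\n", b"secret-part-2\n"):  # constructed
            yield chunk
            # resumes after the writer has written the chunk above
            observed.add(stat.S_IMODE(os.stat(path).st_mode))

    try:
        writer(path, chunks(), perm)
        final = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)
        os.unlink(path)
        os.rmdir(tmpdir)
    return observed, final


if __name__ == "__main__":
    for w in (write_then_chmod, write_with_mode):
        seen, final = mode_seen_during_write(w)
        print(f"{w.__name__}: mid-write {[oct(m) for m in sorted(seen)]}, final {oct(final)}")
```

With umask 0o022 the vulnerable writer leaves the file at 0o644 for the whole download and only reaches 0o600 afterwards; the hardened writer is 0o600 at every observation. One caveat when adopting the second form: the mode argument of `os.open` applies only when the file is created, so if the cache path can already exist with a permissive mode, `O_TRUNC` keeps that mode. In that case create a fresh name with `O_EXCL` and `os.replace` it over the target, or unlink the old file first, and keep the cache directory itself restricted so the file mode is not the only barrier.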
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/storlets 13.0.0.0rc1

This issue was fixed in the openstack/storlets 13.0.0.0rc1 release candidate.

This report contains Public Security information.