Coverity: Set umask 0077 before creating tmp files#243
Coverity: Set umask 0077 before creating tmp files#243
Conversation
Coverity points out that it's a potential security problem if you create tmp files with group and world permissions. Adds umask calls to state_mt and the common test header.
derobins
requested review from
gaoikawa,
jordan-turbofish,
kurtmcmillan,
riley-dixon and
zbyrne
as code owners
There was a problem hiding this comment.
Pull request overview
Updates test utilities to set a restrictive umask (0077) around temporary-file creation, addressing Coverity’s warning about potentially permissive group/world permissions on tmp files.
Changes:
- Set umask to disallow group/world permissions before
mkstemp()in the sharedTmpfilehelper used by tests. - Set umask similarly in the
state_mtmultithreading stress test when creating its temporary file. - Add
<sys/stat.h>include to the common test header to supportumask()/permission macros.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
test/common/test-common.h |
Adds <sys/stat.h> and wraps mkstemp() with umask set/restore in Tmpfile. |
test/amd_detail/state_mt.cpp |
Wraps mkstemp() with umask set/restore in the multithreaded temp-file helper. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| mode_t old_umask = umask(S_IRWXG | S_IRWXO); | ||
|
|
||
| path += "/hipFile.XXXXXX"; | ||
| if ((fd = mkstemp(path.data())) == -1) { | ||
| throw std::runtime_error("Could not create temporary file"); | ||
| } | ||
|
|
||
| umask(old_umask); | ||
|
|
There was a problem hiding this comment.
umask() is set before mkstemp(), but if mkstemp() fails you throw before restoring the previous umask. That leaves the process umask changed for the rest of the test run. Please ensure the old umask is restored on all paths (e.g., restore before throwing, or use an RAII guard/scope-exit).
| mode_t old_umask = umask(S_IRWXG | S_IRWXO); | |
| path += "/hipFile.XXXXXX"; | |
| if ((fd = mkstemp(path.data())) == -1) { | |
| throw std::runtime_error("Could not create temporary file"); | |
| } | |
| umask(old_umask); | |
| struct UmaskGuard { | |
| mode_t old_umask; | |
| explicit UmaskGuard(mode_t new_mask) : old_umask(umask(new_mask)) {} | |
| ~UmaskGuard() { umask(old_umask); } | |
| } umask_guard(S_IRWXG | S_IRWXO); | |
| path += "/hipFile.XXXXXX"; | |
| if ((fd = mkstemp(path.data())) == -1) { | |
| throw std::runtime_error("Could not create temporary file"); | |
| } |
| // Security analyzers will be sad if you don't set umask 0077 | ||
| // before creating temporary files | ||
| mode_t old_umask = umask(S_IRWXG | S_IRWXO); | ||
|
|
There was a problem hiding this comment.
This file uses mode_t, umask(), and S_IRWXG/S_IRWXO but does not include <sys/stat.h>, which is where these are defined on POSIX systems. Please add #include <sys/stat.h> (or the appropriate header) to avoid build failures on stricter toolchains.
| @@ -57,6 +61,8 @@ make_temp_file() | |||
| exit(EXIT_FAILURE); | |||
| } | |||
|
|
|||
| umask(old_umask); | |||
There was a problem hiding this comment.
umask() is process-global; in this multi-threaded stress test, concurrent calls to make_temp_file() can interleave such that the final umask is not restored to the original value (e.g., thread A restores an earlier value while thread B later restores 077). To avoid this race, either avoid changing umask here (e.g., rely on mkstemp()/fchmod() for 0600), or serialize the set-create-restore sequence with a dedicated mutex.
Coverity points out that it's a potential security problem if you create tmp files with group and world permissions.
Adds umask calls to state_mt and the common test header.
Part of AIHIPFILE-161