You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In smc-tools [1][2], the open_cache_file() function in stats.c [3] operates on a predictable path in /tmp, allowing an unprivileged local user to deny the program's service.
Symlink attacks are not possible here due to O_NOFOLLOW, but open() will fail, causing a denial of service.
If /proc/sys/fs/protected_regular = 0, an attacker can place a file with arbitrary content which will be read by smcr stats. However, since the parser is correctly implemented, there appears to be no obvious way to exploit this with bogus data.
If /proc/sys/fs/protected_regular = 2, open() will fail, causing a denial of service.
Suggested mitigation
The data should be stored in the user's home directory or /run/user/${UID}/.
Summary
In smc-tools [1][2], the open_cache_file() function in stats.c [3] operates on a predictable path in /tmp, allowing an unprivileged local user to deny the program's service.
Implications
/proc/sys/fs/protected_regular= 0, an attacker can place a file with arbitrary content which will be read bysmcr stats. However, since the parser is correctly implemented, there appears to be no obvious way to exploit this with bogus data./proc/sys/fs/protected_regular= 2, open() will fail, causing a denial of service.Suggested mitigation
The data should be stored in the user's home directory or
/run/user/${UID}/.[1] https://build.opensuse.org/package/show/network/smc-tools
[2] https://github.com/ibm-s390-linux/smc-tools
[3]
smc-tools/stats.c
Line 962 in 75e767d
The text was updated successfully, but these errors were encountered: