readdir_r considered harmful
============================
Issued by Ben Hutchings <ben@xxxxxxxxxxxxxxxxxxxx>, 2005-11-01.
Background
----------
The POSIX readdir_r function is a thread-safe version of the readdir
function used to read directory entries.  Whereas readdir returns a
pointer to a system-allocated buffer and may use global state without
mutual exclusion, readdir_r uses a user-supplied buffer and is
guaranteed to be reentrant.  Its use is therefore preferable or even
essential in portable multithreaded programs.
Problem Description
-------------------
The length of the user-supplied buffer passed to readdir_r is
implicit; it is assumed to be long enough to hold any directory entry
read from the given directory stream.  The length of a directory entry
obviously depends on the length of the name, and the maximum name
length may vary between filesystems.  The standard means to determine
the maximum name length within a directory is to call
pathconf(dir_name, _PC_NAME_MAX).  This method unfortunately results
in a race condition between the opendir and pathconf calls, which
could in some cases be exploited to cause a buffer overflow.  For
example, suppose a setuid program "rd" includes code like this:
    #include <dirent.h>
    #include <unistd.h>
    int main(int argc, char ** argv)
    {
        DIR * dir;
        long name_max;
        struct dirent * buf, * de;
        if ((dir = opendir(argv[1]))
            && (name_max = pathconf(argv[1], _PC_NAME_MAX)) > 0
            && (buf = (struct dirent *)malloc(
                    offsetof(struct dirent, d_name) + name_max + 1))
        {
            while (readdir_r(dir, buf, &de) == 0 && de)
            {
                /* process entry */
            }
        }
    }
Then an attacker could run:
    ln -sf exploit link && (rd link &; ln -sf /fat link)
where the "exploit" directory is on a filesystem that allows a maximum of
255 bytes in a name whereas the "/fat" directory is the root of a FAT
filesystem that allows a maximum of 12 byes.
Depending on the timing of operations, "rd" may open the "exploit" directory
but allocate a buffer only long enough for names in the "/fat" directory. 
Then names of entries in the "exploit" directory may overflow the allocated
buffer by up to 243 bytes.  Depending on the heap allocation behaviour of
the target program, it may be possible to construct a name that will
overwrite sensitive data following the buffer.  If the target program uses
alloca or a variable length array to create the buffer, a classic stack
overflow exploit is possible.
A similar attack could be mounted on a daemon that reads user-
controllable directories, for example a web server.
Attacks are easier where a program assumes that all directories will
have the same or smaller maximum name length than, for instance, its
initial current directory.
Impact
------
This depends greatly on how an application uses readdir_r and on the
configuration of the host system.  At the worst, a user with limited
access to the local filesystem could cause a privileged process to
execute arbitrary code.  However there are no known exploits.
Mitigation
----------
Many systems don't have any variation in maximum name lengths among
mounted and user-mountable filesystems.
Directory entry buffers for readdir_r are usually allocated on the
heap, and it is relatively hard to inject code into a process through
a heap buffer overflow, though denial-of-service may be more easily
achievable.
Many programmers that use readdir_r erroneously calculate the buffer
size as sizeof(struct dirent) + pathconf(dir_name, _PC_NAME_MAX) + 1
or similarly.  On Linux (with glibc) and most versions of Unix, struct
dirent is large enough to hold maximum-length names from most
filesystems, so this is safe (though wasteful).  This is not true of
Solaris and BeOS, where the d_name member is an array of length 1.
Affected software
-----------------
The following software appears to be exploitable when compiled for a
system that defines struct dirent with a short d_name array, such as
Solaris or BeOS:
- gcj (all versions to date)
The run-time library functions java.io.File.list and
java.io.File.listFiles call a private function written in C++ that
calls readdir_r using a stack buffer and has a race condition as
described above.
- KDE (versions 3.3.0 to 3.3.2 inclusive; not present in version 3.4.0)
The library function KURLCompletion::listDirectories, used for
interactive URL completion, may start a thread that calls readdir_r
using a stack buffer of type struct dirent (no extra bytes).  This
behaviour can be disabled by defining the environment variable
KURLCOMPLETION_LOCAL_KIO.
- libwww (at least versions 3.1 to 5.3.2 inclusive; not yet fixed)
The library functions HTMulti, HTBrowseDirectory (version 3.1) and
HTLoadFile (version 4.0 onwards, when called for a directory)
indirectly call readdir_r using a stack buffer of type struct dirent
(no extra bytes).  These functions are used in the process of
loading file: URLs.
- Rudiments library (versions 0.27 to 0.28.2 inclusive; not yet fixed)
The library function directory::getChildName calls readdir_r using
a stack buffer of type struct dirent (no extra bytes).
- teTeX (versions 1.0 to 2.0 inclusive; not present in version 3.0)
The xdvi program included in these versions of teTeX use libwww to
read resources specified by URLs.
- xmail (at least versions 1.0 to 1.21 inclusive; fixed in version 1.22)
Uses readdir_r with variously allocated buffers of type struct dirent
(no extra bytes) when listing mail directories.
The following software may also be exploitable:
- bfbtester (versions 2.0 and 2.0.1; not fixed)
Uses readdir_r with a stack buffer of size struct dirent (no extra
bytes) to list the contents of /tmp (or a specified temporary
directory) and directories in $PATH.  (Oh, the irony.)
- insight
Uses Tcl.
- ncftp (at least versions 3.1.8 and 3.1.9, but not version 2.4.3;
         not fixed)
Uses readdir_r with a heap buffer with
min(pathconf(gLogfileName, _PC_NAME_MAX), 512) + 8 extra bytes
(where gLogFileName is the path to the log file).
- netwib (versions 5.1.0 to 5.30.0 inclusive; fixed in version 5.3.1.0)
      
Uses readdir_r with a heap buffer with extra bytes: if pathconf is
available, pathconf("/", _PC_NAME_MAX)+1; otherwise, if NAME_MAX is
available, NAME_MAX+1; otherwise 256.
- OpenOffice.org (at least version 1.1.3)
The code that enumerates fonts and plugins in the appropriate
directories uses a stack buffer of type
long[sizeof(struct dirent) + _PC_NAME_MAX + 1].  I can only assume
this is the result of a programmer cutting his crack with aluminium
filings.
- Pike (versions 0.4pl8 to 7.4.327, 7.6.0 to 7.6.35, 7.7.0 to 7.7.21,
        all inclusive; fixed in versions 7.4.328, 7.6.36 and 7.7.22)
Uses readdir_r with a heap buffer with
max(pathconf(path, _PC_NAME_MAX), 1024) + 1 or NAME_MAX + 1025, or 2049
extra bytes, depending on which of these functions and macros are
available.  In addition to the race condition described above, there
is a second race condition in the evaluation of the greater of
pathconf(...) or 1024.
- reprepro
Uses readdir_r with a stack buffer of type struct dirent (no extra
bytes).  (Also misuses errno following the call.)
- Roxen (versions 1.1.1a2 to 4.0.402 inclusive; fixed in version 4.0.403)
Uses Pike.
- saods9
Uses Tcl.
- Tcl (versions 8.4.2 to 8.5a2 inclusive; fixed in version 8.5a3)
Uses readdir_r with a thread-specific heap buffer padded to a size of
at least MAXNAMLEN+1 bytes.  This can be a few bytes too short, though
the heap manager may pad the allocation sufficiently to make up for
this.
- xgsmlib
Uses stack buffer with no extra bytes when listing device directories.
Some proprietary software may also be vulnerable, but I have no way of
testing this.  I provided a draft of this advisory to Sun Security
earlier this year on the basis that applications running on Solaris
are most likely to be exploitable, but I have not received any
substantive response.  A brief search through the OpenSolaris source
code suggests that it may include exploitable applications, but
apparently no-one at Sun could spare the time to investigate this.
Recommendations
---------------
Many POSIX systems implement the dirfd function from BSD, which
returns the file descriptor used by a directory stream.  This allows
pathconf(dir_name, _PC_NAME_MAX) to be replaced by
fpathconf(dirfd(dir), _PC_NAME_MAX), eliminating the race condition.
Some systems, including Solaris, implement the fdopendir function
which creates a directory stream from a given file descriptor.  This
allows the opendir,pathconf sequence to be replaced by
open,fpathconf,fdopendir.  However this function is much less widely
available than dirfd.
Programs using readdir_r may be able to use readdir.  According to POSIX the
buffer readdir uses is not shared between directory streams.  However
readdir is not guaranteed to be thread-safe and some implementations may use
global state, so for portability the use of readdir in a multithreaded
program should be controlled using a mutex.
Suggested code for calculating the required buffer size for readdir_r
follows.
    #include <sys/types.h>
    #include <dirent.h>
    #include <limits.h>
    #include <stddef.h>
    #include <unistd.h>
    
    /* Calculate the required buffer size (in bytes) for directory       *
     * entries read from the given directory handle.  Return -1 if this  *
     * this cannot be done.                                              *
     *                                                                   *
     * If you use autoconf, include fpathconf and dirfd in your          *
     * AC_CHECK_FUNCS list.  Otherwise use some other method to detect   *
     * and use them where available.                                     */
    
    size_t dirent_buf_size(DIR * dirp)
    {
        long name_max;
    #   if defined(HAVE_FPATHCONF) && defined(HAVE_DIRFD) \
           && defined(_PC_NAME_MAX)
            name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
            if (name_max == -1)
    #           if defined(NAME_MAX)
                    name_max = NAME_MAX;
    #           else
                    return (size_t)(-1);
    #           endif
    #   else
    #       if defined(NAME_MAX)
                name_max = NAME_MAX;
    #       else
    #           error "buffer size for readdir_r cannot be determined"
    #       endif
    #   endif
        return (size_t)offsetof(struct dirent, d_name) + name_max + 1;
    }
An example of how to use the above function:
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    
    int main(int argc, char ** argv)
    {
        DIR * dirp;
        size_t size;
        struct dirent * buf, * ent;
        int error;
    
        if (argc != 2)
        {
            fprintf(stderr, "Usage: %s path\n", argv[0]);
            return 2;
        }
    
        dirp = opendir(argv[1]);
        if (dirp == NULL)
        {
            perror("opendir");
            return 1;
        }
        size = dirent_buf_size(dirp);
        printf("size = %lu\n" "sizeof(struct dirent) = %lu\n",
               (unsigned long)size, (unsigned long)sizeof(struct dirent));
        if (size == -1)
        {
            perror("dirent_buf_size");
            return 1;
        }
        buf = (struct dirent *)malloc(size);
        if (buf == NULL)
        {
            perror("malloc");
            return 1;
        }
        while ((error = readdir_r(dirp, buf, &ent)) == 0 && ent != NULL)
            puts(ent->d_name);
        if (error)
        {
            errno = error;
            perror("readdir_r");
            return 1;
        }
        return 0;
    }
The Austin Group should amend POSIX and the SUS in one or more of the
following ways:
1.  Standardise the dirfd function from BSD and recommend its use in
    determining the buffer size for readdir_r.
2.  Specify a new variant of readdir in which the buffer size is explicit
    and the function returns an error code if the buffer is too small.
3.  Specify that NAME_MAX must be defined as the length of the longest
    name that can be used on any filesystem.  (This seems to be what many
    or most implementations attempt to do at present, although POSIX
    currently specifies otherwise.)
Attachment:
signature.asc
Description: Digital signature