Coverity Scan's TOCTOUs
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 15 22:37:57 UTC 2025
Hello!
On Sun, Dec 14, 2025 at 10:57:31PM +0300, Sergey A. Osokin wrote:
> I've tried to figure out how to deal with the TOCTOUs, found by Coverity
> Scan, https://scan.coverity.com/projects/freenginx.
>
> So, I've created a PoC for that: it uses *at family functions (conforming
> to POSIX.1-2008), such as mkdirat(2) and openat(2).
>
> I do believe it's possible to fix TOCTOU issues similarly, but before
> I start my work on that I'd like to hear your thoughts.
It certainly should be possible to resolve these issues
using *at() functions, or even with the more common fstat() / fchown()
/ fchmod() in some cases (e.g., CID 400877 and CID 728359 seem to
only require these, and not *at() functions).
But doing so will likely require additional code, especially given
that *at() functions are not available on some supported
platforms, such as old Unix systems, and we generally use this
only conditionally, falling back to normal functions if no support
is available (see src/core/ngx_open_file_cache.c for an example).
And at the same time most likely these issues are negligible, and
can be safely ignored.
As such, my recommendation would be to first focus on thoughtful
analysis of these issues. If there are indeed some privilege
escalation or other noticeable impact possible, we can consider
fixing these on platforms with appropriate functions available.
But if there are no real issues, I think it would be better to
just ignore these instead of trying to implement multiple
alternative code versions (with and without *at()).
At the same time, fixing CID 400877 and CID 728359 with fstat() /
fchown() / fchmod(), as long as it's possible without multiple
code versions, might make sense regardless, just to make sure
Coverity (and similar tools) will no longer complain. We already
use fstat() unconditionally anyway, and both fchown() and fchmod()
are available since 4.2BSD, in POSIX since Issue 4, Version 2, and
seem to be present on all meaningful Unix systems (and the code
in question is Unix-only anyway). But I would recommend
thoughtful analysis as the first step anyway.
--
Maxim Dounin
http://mdounin.ru/
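As an added illustration of the fstat() / fchmod() approach suggested above for CID 400877 and CID 728359 (example code written for this page, not freenginx code and not from the thread): the path-based check-then-act pattern that Coverity reports as a TOCTOU, next to the descriptor-based form that acts on the file already opened. The function names `chmod_by_path`, `chmod_by_fd` and `demo_mode_after` and the temporary-file self-check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy form (what Coverity reports as TOCTOU): the name is resolved twice,
 * so the file stat() checked need not be the one chmod() later modifies. */
static int
chmod_by_path(const char *path, mode_t mode)
{
    struct stat  sb;

    if (stat(path, &sb) == -1 || !S_ISREG(sb.st_mode)) {
        return -1;
    }
    return chmod(path, mode);   /* second lookup: the race window */
}

/* Descriptor form: the name is resolved once at open(); fstat() and
 * fchmod() then act on that open file whatever happens to the path. */
static int
chmod_by_fd(const char *path, mode_t mode)
{
    int          fd, rc;
    struct stat  sb;

    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) return -1;
    rc = (fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode)) ? fchmod(fd, mode) : -1;
    (void) close(fd);
    return rc;
}

/* Self-check on a temporary file constructed here: returns the permission
 * bits the file ends up with after f(), or -1 on any failure. */
static int
demo_mode_after(int (*f)(const char *, mode_t), mode_t mode)
{
    char         tmpl[] = "/tmp/toctou-XXXXXX";
    int          fd, rc = -1;
    struct stat  sb;

    if ((fd = mkstemp(tmpl)) == -1) return -1;
    (void) close(fd);
    if (f(tmpl, mode) == 0 && stat(tmpl, &sb) == 0) {
        rc = (int) (sb.st_mode & 07777);
    }
    (void) unlink(tmpl);
    return rc;
}
```

Both variants produce the same result on an undisturbed file; the difference is only that the descriptor form leaves no window between the check and the change for the name to be repointed.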