
Race condition in sys_open with O_CREAT allowing for privilege escalation #312

Open

Description

@disconnect3d

Hi,

There is a race condition in the sys_open syscall with the O_CREAT flag which allows for privilege escalation.

/* create the entry by path ... */
int result = create_file_fs((char *)file, mode);
if (!result) {
    /* ... then walk the same path a second time, with no lock held in between */
    node = kopen((char *)file, flags);
}

The tl;dr is that since there is no locking here, an unprivileged process can create two threads. One will do a call to create a file, and another will remove the file immediately after it is created by the create_file_fs call, then symlink it to another file - owned by root - and then the kopen will just happily open the symlink. At this point, the unprivileged process can open any file owned by root.

I can share a proof of concept of exploiting that vulnerability if you want.

This bug was found during the hxp 38C3 CTF competition (which contained a challenge with ToaruOS).
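As an added illustration (not code from the report or from ToaruOS), the following toy single-directory VFS reproduces the create-then-re-resolve pattern deterministically, with the second thread modelled as a callback that runs inside the window, and places a hardened variant beside it that refuses to follow a symlink on the final component after O_CREAT and rejects any node that is not the regular file the caller just created. The names `create_file_fs`, `kopen`, `open_creat_racy`, `open_creat_safe` and `swap_for_symlink` are stand-ins constructed for this example; in a real kernel the complete fix is to hold the directory lock across both steps or to have the create routine hand back the node so the path is never re-walked.

```c
#include <string.h>

/* Toy single-directory VFS (constructed for this example, not ToaruOS code). */
#define MAX_ENTRIES 8
enum { NODE_FILE, NODE_SYMLINK };
typedef struct { int type; int uid; char target[32]; } node_t;
typedef struct { int used; char name[32]; node_t node; } entry_t;
static entry_t dir[MAX_ENTRIES];

static entry_t *lookup(const char *name) {           /* no symlink traversal */
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (dir[i].used && strcmp(dir[i].name, name) == 0) return &dir[i];
    return NULL;
}
/* Stand-in for create_file_fs(): new regular file owned by uid, 0 on success. */
int create_file_fs(const char *name, int uid) {
    if (lookup(name)) return -1;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (!dir[i].used) {
            dir[i].used = 1; strcpy(dir[i].name, name);
            dir[i].node = (node_t){ NODE_FILE, uid, "" };
            return 0;
        }
    return -1;
}
/* Stand-in for kopen(): re-walks the path and follows symlinks. */
node_t *kopen(const char *name) {
    entry_t *e = lookup(name);
    if (!e) return NULL;
    return e->node.type == NODE_SYMLINK ? kopen(e->node.target) : &e->node;
}
typedef void (*interleave_fn)(const char *name);  /* models the second thread */

/* Pattern from the report: create by path, then resolve the same path again. */
node_t *open_creat_racy(const char *name, int uid, interleave_fn other_thread) {
    if (create_file_fs(name, uid) != 0) return NULL;
    if (other_thread) other_thread(name);          /* unprotected window */
    return kopen(name);
}
/* Hardened: no symlink traversal on the final component after O_CREAT, and the
 * node is refused unless it is the regular file this caller just created. */
node_t *open_creat_safe(const char *name, int uid, interleave_fn other_thread) {
    if (create_file_fs(name, uid) != 0) return NULL;
    if (other_thread) other_thread(name);          /* same window; rejected below */
    entry_t *e = lookup(name);
    if (!e || e->node.type != NODE_FILE || e->node.uid != uid) return NULL;
    return &e->node;
}
/* Fixture: reset the directory and add a root-owned (uid 0) file. */
void setup_toy_fs(void) { memset(dir, 0, sizeof dir); create_file_fs("root_secret", 0); }
/* The other thread from the report: the fresh entry becomes a symlink to root_secret. */
void swap_for_symlink(const char *name) {
    entry_t *e = lookup(name);
    if (e) { e->node.type = NODE_SYMLINK; strcpy(e->node.target, "root_secret"); }
}
```

With the interleaving callback the racy variant returns the root-owned node, while the hardened variant returns NULL; without it both return the caller's own new file.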
