Corgea LogoCorgea Security Hub

CWE-910: Use of Expired File Descriptor

Learn about CWE-910 (Use of Expired File Descriptor), its security impact, exploitation methods, and prevention guidelines.

What is Use of Expired File Descriptor?

• Overview: Use of Expired File Descriptor occurs when a program attempts to use a file descriptor after it has been closed, potentially leading to unexpected behavior or security vulnerabilities.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by manipulating the file descriptor to point to unintended files or devices, potentially allowing unauthorized access or data corruption.
  • Common attack patterns include forcing file descriptor reuse to access sensitive files or inject malicious data into a process.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to files, data corruption, or data leakage.
  • Potential cascading effects include system instability, application crashes, or the execution of arbitrary code if sensitive resources are compromised.
  • Business impact could involve data breaches, loss of customer trust, legal ramifications, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include ensuring file descriptors are properly managed, checking validity before use, and avoiding reuse of closed descriptors.
  • Security best practices involve implementing strict resource management, using higher-level abstractions for file operations, and applying consistent error handling.
  • Recommended tools and frameworks include static analysis tools to detect improper file descriptor usage and employing memory safety features in modern languages or libraries.
Corgea can automatically detect and fix Use of Expired File Descriptor in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: C, C++, Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

C Example

#include <stdio.h>

int read_from_file(const char *filename) {
    FILE *file = fopen(filename, "r");
    if (file == NULL) {
        perror("Failed to open file");
        return -1;
    }

    // Close the file descriptor prematurely
    fclose(file); // This closes the file descriptor too early

    char buffer[256];
    // Attempting to read from the file after it's been closed
    if (fgets(buffer, sizeof(buffer), file) == NULL) { // Using a closed file descriptor
        perror("Failed to read from file");
        return -1;
    }

    printf("Read: %s\n", buffer);
    return 0;
}

int main() {
    read_from_file("example.txt");
    return 0;
}

Explanation:

  • Vulnerability: The file descriptor is closed prematurely on line 12 using fclose(file);. However, an attempt is made to read from this closed file descriptor on lines 14-15, which is invalid. This can lead to undefined behavior, including potential crashes or security vulnerabilities, as the file descriptor is no longer valid.

How to fix Use of Expired File Descriptor?

To fix this vulnerability, ensure that the file descriptor is only used while it is valid. Do not perform operations on a file descriptor after it has been closed. Follow these best practices:

  • Only close a file descriptor when you are sure you are done using it.
  • Do not reuse file descriptors after they are closed.
  • Set pointers to NULL after closing to prevent accidental reuse.

Fixed Code Example

#include <stdio.h>

int read_from_file(const char *filename) {
    FILE *file = fopen(filename, "r");
    if (file == NULL) {
        perror("Failed to open file");
        return -1;
    }

    char buffer[256];
    // Safely read from the file while the file descriptor is valid
    if (fgets(buffer, sizeof(buffer), file) == NULL) { // Ensure file is open before reading
        perror("Failed to read from file");
        fclose(file); // Close the file if reading fails
        return -1;
    }

    printf("Read: %s\n", buffer);
    fclose(file); // Close the file after all operations are complete
    file = NULL; // Set the file pointer to NULL to prevent accidental reuse
    return 0;
}

int main() {
    read_from_file("example.txt");
    return 0;
}

Explanation:

  • Fix: The file is only closed after all necessary operations are complete. Specifically, fclose(file); is moved to after the fgets call on line 18, ensuring the file descriptor remains valid for the duration of the read operation.
  • Additional Safety: After closing the file, setting the file pointer to NULL (line 19) helps prevent accidental reuse, which is a good practice in more complex systems.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-910: Use of Expired File Descriptor and get remediation guidance

Start for free and no credit card needed.