CWE-364 信号处理例程中的竞争条件
Signal Handler Race Condition
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: Medium
基本描述
The software uses a signal handler that introduces a race condition.
扩展描述
Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the software state to be corrupted, possibly leading to a denial of service or even code execution.
These issues occur when non-reentrant functions, or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the "regular" code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment - such as while a non-reentrant function is already running - memory corruption could occur that may be exploitable for code execution. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal -- since it means that the signal handler itself may be reentered.
There are several known behaviors related to signal handlers that have received the label of "signal handler race condition":
Signal handler vulnerabilities are often classified based on the absence of a specific protection mechanism, although this style of classification is discouraged in CWE because programmers often have a choice of several different mechanisms for addressing the weakness. Such protection mechanisms may preserve exclusivity of access to the shared resource, and behavioral atomicity for the relevant code:
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 362 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 362 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 415 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 416 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 123 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Sometimes'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Sometimes'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Integrity', 'Confidentiality', 'Availability'] | ['Modify Application Data', 'Modify Memory', 'DoS: Crash, Exit, or Restart', 'Execute Unauthorized Code or Commands'] | It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data. |
| Access Control | Gain Privileges or Assume Identity | If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe. |
可能的缓解方案
MIT-3 Requirements
策略: Language Selection
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Architecture and Design
策略:
Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop.
Implementation
策略:
Only use reentrant functions within signal handlers. Also, use sanity checks to ensure that state is consistent while performing asynchronous actions that affect the state of execution.
示例代码
例
This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits.
bad C
void handler (int sigNum) {
free(logMessage);
/ artificially increase the size of the timing window to make demonstration of this weakness easier. /
sleep(10);
exit(0);
int main (int argc, char argv[]) {
/ Register signal handlers. /
signal(SIGHUP, handler);
signal(SIGTERM, handler);
/ artificially increase the size of the timing window to make demonstration of this weakness easier. /
sleep(10);
The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines:
None
At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running.
Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution.
Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array.
例
The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting.
bad C
#include <syslog.h>
#include <string.h>
#include <stdlib.h>
void global1, global2;
char what;
void sh (int dummy) {
free(global2);
free(global1);
/ Sleep statements added to expand timing window for race condition /
sleep(10);
exit(0);
int main (int argc,char argv[]) {
global1=strdup(argv[2]);
global2=malloc(340);
signal(SIGHUP,sh);
signal(SIGTERM,sh);
/ Sleep statements added to expand timing window for race condition /
sleep(10);
exit(0);
However, the following sequence of events may result in a double-free (CWE-415):
None
This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360].
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-1999-0035 | Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0035 |
| CVE-2001-0905 | Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0905 |
| CVE-2001-1349 | unsafe calls to library functions from signal handler | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349 |
| CVE-2004-0794 | SIGURG can be used to remotely interrupt signal handler; other variants exist | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794 |
| CVE-2004-2259 | SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259 |
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Signal handler race condition | ||
| 7 Pernicious Kingdoms | Signal Handling Race Conditions | ||
| CLASP | Race condition in signal handler | ||
| Software Fault Patterns | SFP19 | Missing Lock |