CWE-820 Missing Synchronization

Missing Synchronization

Structure: Simple

Abstraction: Base

Status: Incomplete

Likelihood of Exploit: Unknown

Description

The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Extended Description

If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.

Related Weaknesses

  • ChildOf CWE-662 (View 1000, Ordinal: Primary)

  • ChildOf CWE-662 (View 699, Ordinal: Primary)

Common Consequences

Scope: Integrity, Confidentiality, Other
Impact: Modify Application Data, Read Application Data, Alter Execution Logic

Demonstrative Example

The following code intends to fork a process, then have both the parent and child processes print a single line.

Example Language: C (Bad Code)

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Writes the string one character at a time, flushing stdout after each one. */
static void print (char * string) {
  char * word;
  int counter;
  for (word = string; counter = *word++; ) {
    putc(counter, stdout);
    fflush(stdout);
    /* Make timing window a little larger... */
    sleep(1);
  }
}

int main(void) {
  pid_t pid;

  pid = fork();
  if (pid == -1) {
    exit(-2);
  }
  else if (pid == 0) {
    print("child\n");
  }
  else {
    print("PARENT\n");
  }
  exit(0);
}

One might expect the code to print out something like:

PARENT
child

However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:

PcAhRiElNdT
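The same parent/child print, as an added example that is not part of the CWE entry: parent and child append character by character to a shared anonymous mapping that stands in for stdout, once with no synchronization (the CWE-820 case, where the lines can interleave) and once with an fcntl() record lock held for the whole line, which makes each line come out intact. It assumes a POSIX system with glibc-style headers; the names run_writers, print_line and lines_intact are mine.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUF_SIZE 64
/* Shared memory standing in for stdout; parent and child both append to it. */
struct shared_out {
    char buf[BUF_SIZE];
    atomic_int len;   /* a single character is appended atomically, like putc() */
};
/* Advisory record lock on a scratch file: the cross-process lock the page's code lacks. */
static void set_lock(int fd, short type) {
    struct flock fl = { .l_type = type, .l_whence = SEEK_SET, .l_start = 0, .l_len = 0 };
    fcntl(fd, F_SETLKW, &fl);   /* F_SETLKW blocks until the lock is granted */
}
/* Per-character write with a deliberate pause, like the page's print(). */
static void print_line(struct shared_out *o, const char *s, int lockfd) {
    if (lockfd >= 0) set_lock(lockfd, F_WRLCK);   /* the fix: hold the lock for the whole line */
    for (; *s; s++) {
        int i = atomic_fetch_add(&o->len, 1);
        if (i < BUF_SIZE - 1) o->buf[i] = *s;
        usleep(1000);
    }
    if (lockfd >= 0) set_lock(lockfd, F_UNLCK);
}
/* Forks; parent and child each print one line into the shared buffer. synchronized == 0
 * reproduces CWE-820 (lines may interleave); synchronized == 1 locks each whole line. */
const char *run_writers(int synchronized) {
    static char result[BUF_SIZE];
    struct shared_out *o = mmap(NULL, sizeof *o, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (o == MAP_FAILED) return NULL;
    FILE *scratch = synchronized ? tmpfile() : NULL;   /* lock file, inherited by the child */
    int lockfd = scratch ? fileno(scratch) : -1;
    memset(o->buf, 0, sizeof o->buf); atomic_store(&o->len, 0);
    pid_t pid = fork();
    if (pid == 0) { print_line(o, "child\n", lockfd); _exit(0); }
    if (pid > 0) { print_line(o, "PARENT\n", lockfd); waitpid(pid, NULL, 0); }
    memcpy(result, o->buf, BUF_SIZE);   /* buf[BUF_SIZE-1] is never written, so it stays NUL */
    munmap(o, sizeof *o);
    if (scratch) fclose(scratch);
    return pid < 0 ? NULL : result;
}
/* 1 if the output is two intact lines in either order, else 0. */
int lines_intact(const char *s) {
    return strcmp(s, "PARENT\nchild\n") == 0 || strcmp(s, "child\nPARENT\n") == 0;
}
```

The unsynchronized run always yields all 13 characters, but in an order that depends on scheduling; only the locked run is guaranteed to pass lines_intact().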

Taxonomy Mappings

Mapped Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
Node ID: LCK05-J
Mapped Node Name: Synchronize access to static fields that can be modified by untrusted code