CWE-831: Signal Handler Function Associated with Multiple Signals
Weakness ID: 831
Abstraction: Base   Structure: Simple
Description
The product defines a function that is used as a handler for more than one signal.
Extended Description
While sometimes intentional and safe, when the same function is used to handle multiple signals, a race condition could occur if the function uses any state outside of its local declaration, such as global variables or non-reentrant functions, or has any side effects.
An attacker could send one signal that invokes the handler function; in many OSes, this will typically prevent the same signal from invoking the handler again, at least until the handler function has completed execution. However, the attacker could then send a different signal that is associated with the same handler function. This could interrupt the original handler function while it is still executing. If there is shared state, then the state could be corrupted. This can lead to a variety of potential consequences depending on context, including denial of service and code execution.
Another rarely-explored possibility arises when the signal handler is only designed to be executed once (if at all). By sending multiple signals, an attacker could invoke the function more than once. This may generate extra, unintended side effects. A race condition might not even be necessary; the attacker could send one signal, wait until it is handled, then send the other signal.
Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Shared state used by the handler: a global pointer to heap memory. */
char *logMessage;

/* One handler registered for two signals. It calls syslog() and free(),
   neither of which is async-signal-safe, on shared global state. */
void handler(int sigNum) {
  syslog(LOG_NOTICE, "%s\n", logMessage);
  free(logMessage);
  /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
  sleep(10);
  exit(0);
}

int main(int argc, char *argv[]) {
  logMessage = strdup(argv[1]);
  /* Register signal handlers. */
  signal(SIGHUP, handler);
  signal(SIGTERM, handler);
  /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
  sleep(10);
  return 0;
}
At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() assumes that the metadata is consistent, which it may not be, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running.
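The following is an added example, not code from the CWE entry itself, showing one way to close both problems described above (the re-entered handler corrupting shared heap state, and a handler meant to run once being triggered by a second signal). The function names (record_signal, install_handlers, drain_pending) and the constructed log line are assumptions. The handler does nothing but store the signal number in a volatile sig_atomic_t; sigaction() blocks both SIGHUP and SIGTERM for the duration of the handler so neither can interrupt the other; and the non-async-signal-safe work (syslog, free) is moved out of signal context into a function the main loop calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* The only state the handler touches. sig_atomic_t reads and writes are
   safe from signal context; everything else stays in the main loop. */
static volatile sig_atomic_t pending_signal = 0;

/* Async-signal-safe handler: record the first signal and nothing else.
   A second SIGHUP/SIGTERM cannot overwrite the first, so the cleanup
   that depends on it can only happen once. */
static void record_signal(int sigNum) {
    if (pending_signal == 0)
        pending_signal = sigNum;
}

/* Register one handler for both signals, but with sa_mask set so that
   while the handler runs for one of them, the other is held back instead
   of re-entering the same function. Returns 0 on success, -1 on failure. */
int install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_signal;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGHUP);
    sigaddset(&sa.sa_mask, SIGTERM);
    sa.sa_flags = 0;
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    if (sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    return 0;
}

/* Called from normal (non-signal) context. Does the log-and-free at most
   once, because the pointer is cleared after the first call. Returns the
   signal number that was recorded, or 0 if no signal has arrived yet. */
int drain_pending(char **logMessage) {
    int sig = (int)pending_signal;
    if (sig == 0)
        return 0;
    if (*logMessage != NULL) {
        syslog(LOG_NOTICE, "%s", *logMessage); /* safe here: not in a handler */
        free(*logMessage);
        *logMessage = NULL;                    /* no dangling pointer to free twice */
    }
    return sig;
}

/* Stand-alone demo: waits for SIGHUP or SIGTERM, then cleans up once. */
int main(int argc, char *argv[]) {
    if (argc < 2) {                 /* avoid reading past argv (CWE-126 note) */
        fprintf(stderr, "usage: %s <message>\n", argv[0]);
        return 1;
    }
    char *logMessage = strdup(argv[1]);   /* constructed shared state */
    if (logMessage == NULL || install_handlers() != 0)
        return 1;
    while (pending_signal == 0)
        pause();                    /* sleep until a signal is delivered */
    int sig = drain_pending(&logMessage);
    printf("handled signal %d exactly once\n", sig);
    return 0;
}
```

The design point is that a handler shared between signals must touch only async-signal-safe state; blocking the sibling signals via sa_mask removes the interleaving, and moving the work into drain_pending() makes the "run once" expectation hold even if an attacker sends both signals one after the other.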
Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution.
Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array.