CWE-364 信号处理例程中的竞争条件

Signal Handler Race Condition

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: Medium

基本描述

The software uses a signal handler that introduces a race condition.

扩展描述

Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the software state to be corrupted, possibly leading to a denial of service or even code execution.

These issues occur when non-reentrant functions, or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the "regular" code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment - such as while a non-reentrant function is already running - memory corruption could occur that may be exploitable for code execution. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal -- since it means that the signal handler itself may be reentered.

There are several known behaviors related to signal handlers that have received the label of "signal handler race condition":

Signal handler vulnerabilities are often classified based on the absence of a specific protection mechanism, although this style of classification is discouraged in CWE because programmers often have a choice of several different mechanisms for addressing the weakness. Such protection mechanisms may preserve exclusivity of access to the shared resource, and behavioral atomicity for the relevant code:

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 362 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 362 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 415 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 416 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 123 cwe_View_ID: 1000

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Sometimes'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Sometimes'}]

常见的影响

范围 影响 注释
['Integrity', 'Confidentiality', 'Availability'] ['Modify Application Data', 'Modify Memory', 'DoS: Crash, Exit, or Restart', 'Execute Unauthorized Code or Commands'] It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data.
Access Control Gain Privileges or Assume Identity If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe.

可能的缓解方案

MIT-3 Requirements

策略: Language Selection

Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Architecture and Design

策略:

Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop.

Implementation

策略:

Only use reentrant functions within signal handlers. Also, use sanity checks to ensure that state is consistent while performing asynchronous actions that affect the state of execution.

示例代码

This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits.

bad C

char logMessage;

void handler (int sigNum) {
syslog(LOG_NOTICE, "%s\n", logMessage);
free(logMessage);
/
artificially increase the size of the timing window to make demonstration of this weakness easier. /

sleep(10);
exit(0);
}

int main (int argc, char
argv[]) {
logMessage = strdup(argv[1]);
/ Register signal handlers. /

signal(SIGHUP, handler);
signal(SIGTERM, handler);
/ artificially increase the size of the timing window to make demonstration of this weakness easier. /

sleep(10);
}

The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines:

None

At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running.

Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution.

Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array.

The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting.

bad C

#include <signal.h>
#include <syslog.h>
#include <string.h>
#include <stdlib.h>

void global1, global2;
char what;
void sh (int dummy) {
syslog(LOG_NOTICE,"%s\n",what);
free(global2);
free(global1);
/
Sleep statements added to expand timing window for race condition /

sleep(10);
exit(0);
}

int main (int argc,char
argv[]) {
what=argv[1];
global1=strdup(argv[2]);
global2=malloc(340);
signal(SIGHUP,sh);
signal(SIGTERM,sh);
/ Sleep statements added to expand timing window for race condition /

sleep(10);
exit(0);
}

However, the following sequence of events may result in a double-free (CWE-415):

None

This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360].

分析过的案例

标识 说明 链接
CVE-1999-0035 Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0035
CVE-2001-0905 Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0905
CVE-2001-1349 unsafe calls to library functions from signal handler https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1349
CVE-2004-0794 SIGURG can be used to remotely interrupt signal handler; other variants exist https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0794
CVE-2004-2259 SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2259

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Signal handler race condition
7 Pernicious Kingdoms Signal Handling Race Conditions
CLASP Race condition in signal handler
Software Fault Patterns SFP19 Missing Lock

引用