Signal Handler Race Condition
Weakness ID: 364 (Weakness Base) | Status: Incomplete
Description Summary
Scope | Effect |
---|---|
Authorization | It may be possible to execute arbitrary code through the use of a write-what-where condition. |
Integrity | Signal race conditions often result in data corruption. |
Example 1
Reference | Description |
---|---|
CVE-2001-1349 | |
CVE-2004-0794 | |
CVE-2004-2259 | |
Requirements specification: A language that is not subject to this flaw, through a guarantee of reentrant code, might be chosen.
Phase: Architecture and Design: Design signal handlers to only set flags rather than perform complex functionality.
Phase: Implementation: Ensure that non-reentrant functions are not called from signal handlers. Also, use sanity checks to ensure that state is consistent before performing asynchronous actions that affect the state of execution.
Signal race conditions are a common issue that has only recently been recognized as exploitable. These issues occur when non-reentrant functions or state-sensitive actions are performed in the signal handler, which may be invoked at any time. If these functions are called at an inopportune moment, such as while a non-reentrant function is already running, memory corruption occurs that may be exploitable. Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. This is a perfect example of a signal handler taking actions which cannot be accounted for in state. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the time the pointer was set to NULL. This is especially pertinent if the same signal handler has been set for more than one signal, since it means that the signal handler itself may be reentered.
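The two patterns discussed above, as an added C example that is not part of the CWE entry: the free()-in-a-handler shape the note warns about, beside the flag-only handler recommended under Architecture and Design. The function names, the global buffer and the choice of SIGINT/SIGTERM are assumptions made for the example.

```c
#include <signal.h>
#include <stdlib.h>

static char *g_buf = NULL;  /* shared heap state both handlers act on */

/* Unsafe pattern from the note above (for contrast only, never installed): free()
 * is not async-signal-safe, so a delivery during malloc()/free(), or a reentry when
 * this handler serves two signals, frees g_buf twice; nulling it does not help. */
void unsafe_handler(int sig) {
    (void)sig;
    free(g_buf);   /* non-reentrant call from a handler */
    g_buf = NULL;  /* too late: a second delivery may already have freed it */
}

/* Hardened pattern: the handler only sets a sig_atomic_t flag; any number of
 * deliveries, reentrant or not, just set it again. */
static volatile sig_atomic_t g_cleanup_requested = 0;

void safe_handler(int sig) {
    (void)sig;
    g_cleanup_requested = 1;
}

/* Install safe_handler for sig with ISO C signal(); returns 0 on success, -1 on
 * failure. Production code would prefer sigaction() for well-defined semantics. */
int install_safe_handler(int sig) {
    return signal(sig, safe_handler) == SIG_ERR ? -1 : 0;
}

/* Runs in the main flow of control, never in a handler. Returns 1 if a request was
 * serviced, 0 if none was pending; a later call finds g_buf NULL, so no double free. */
int run_pending_cleanup(void) {
    if (!g_cleanup_requested) return 0;
    g_cleanup_requested = 0;
    free(g_buf);   /* safe here: no other free() can be in progress */
    g_buf = NULL;
    return 1;
}

int main(void) {
    g_buf = malloc(64);
    install_safe_handler(SIGINT);
    install_safe_handler(SIGTERM);  /* same handler for two signals is fine now */
    raise(SIGINT);
    raise(SIGTERM);                 /* delivered twice; the flag is simply re-set */
    return (run_pending_cleanup() == 1 && g_buf == NULL) ? 0 : 1;  /* exit 0 = ok */
}
```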
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 361 | Time and State | Seven Pernicious Kingdoms (primary) 700 |
ChildOf | Weakness Class | 362 | Race Condition | Development Concepts (primary) 699, Research Concepts (primary) 1000 |
ChildOf | Category | 387 | Signal Errors | Development Concepts 699 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631 |
CanPrecede | Weakness Base | 123 | Write-what-where Condition | Research Concepts 1000 |
PeerOf | Weakness Variant | 415 | Double Free | Research Concepts 1000 |
PeerOf | Weakness Base | 416 | Use After Free | Research Concepts 1000 |
PeerOf | Weakness Variant | 479 | Unsafe Function Call from a Signal Handler | Research Concepts 1000 |
PeerOf | Weakness Base | 365 | Race Condition in Switch | Research Concepts 1000 |
CanAlsoBe | Weakness Base | 368 | Context Switching Race Condition | Research Concepts 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Signal handler race condition | ||
7 Pernicious Kingdoms | Signal Handling Race Conditions | ||
CLASP | Race condition in signal handler | ||
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
| PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Summary |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings |