Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Mitigation Strategies

Static Analysis

Compliance with this rule and SIG31-C. Do not access or modify shared objects in signal handlers can be checked using structural static analysis checkers using the following algorithm:

  1. Assume an initial list of async-safe functions. This list would be specific to each OS, although POSIX does require a set of functions to be async-safe.
  2. All application defined functions that satisfy the async-safe property in that only call functions in the list of async-safe functions or modifies only sig_atomic_t variables are added to the async-safe function list. This handles the interprocedural case of calling a function in a signal handler that was itself an async-safe function.
  3. Traverse the abstract syntax tree (AST) to identify function calls to the signal function signal(int, void (*f)(int)).
  4. At each function call to signal(int, void (*f)(int)) get the second argument from the argument list. To make sure that this is not an overloaded function the function type signature is evaluated and/or the location of the declaration of the function is verified to be from the correct file (because this is not a link-time analysis it is not possible to test the library implementation). Any definition for signal() in the application is suspicious, because it should be in a library.
  5. Perform a nested query on the registered signal handler to get the list of functions that are called. Verify that each function being called is in the list of async-safe functions. To avoid repeatedly reviewing each function, the result of the first test of the function should be stored.
  6. Perform a nested query (can be combined with the one in the previous step) to identify all referenced objects. Verify that for each object referenced as an lvalue, that the type is sig_atomic_t or can be stripped away to a type for which sig_atomic_t is the base type (this handles the case of layers of typedef}}s hiding that a variable may really be of {{sig_atomic_t, but just not obviously so. The result from this analysis could be stored in the same location as the information from the previous step.
  7. If a violation is detected in either of the preceding two steps, report a violation (either a call to a non-asynch safe function or modification of a variable that was not sig_atomic_t).

References

Wiki Markup
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 13, "Synchronization and State"
\[[ISO/IEC 03|AA. C References#ISO/IEC 03]\] Section 5.2.3, "Signals and interrupts"
\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 7.14, "Signal handling <signal.h>"
\[[Open Group 04|AA. C References#Open Group 04]\] [longjmp|http://www.opengroup.org/onlinepubs/000095399/functions/longjmp.html]
\[OpenBSD\] [{{signal()}} Man Page|http://www.openbsd.org/cgi-bin/man.cgi?query=signal]
\[[Zalewski 01|AA. C References#Zalewski 01]\]