Signal Handler Race Condition

Incomplete Base

Structure: Simple

Description

A signal handler race condition occurs when a program's signal handling routine is vulnerable to timing issues, allowing its state to be corrupted through asynchronous execution.

Extended Description

Signal handlers are inherently risky because they can interrupt a program's normal execution at any point. If a handler modifies shared resources like global variables, uses non-reentrant functions (e.g., malloc, free, printf), or is registered for multiple signals, it can corrupt memory. This happens when the handler's actions clash with operations in the main code or other handlers, leading to use-after-free, double-free, or other memory corruption vulnerabilities that attackers can exploit for denial of service or code execution. To prevent these issues, design signal handlers to be minimal and reentrant. Avoid shared state, use only async-signal-safe functions, and consider blocking (masking) other signals within the handler to ensure atomicity. For resources that must be shared, implement proper synchronization or use a flag that the main program checks safely after the signal handler returns, moving complex logic out of the handler itself.

Common Consequences 2

Scope: IntegrityConfidentialityAvailability

Impact: Modify Application DataModify MemoryDoS: Crash, Exit, or RestartExecute Unauthorized Code or Commands

It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data.

Scope: Access Control

Impact: Gain Privileges or Assume Identity

If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe.

Potential Mitigations 3

Phase: Requirements

Strategy: Language Selection

Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Phase: Architecture and Design

Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop.

Phase: Implementation

Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution.

Demonstrative Examples 2

ID : DX-26

This code registers the same signal handler function with two different signals (Signal Handler Function Associated with Multiple Signals). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits.

Code Example:

Bad

/* artificially increase the size of the timing window to make demonstration of this weakness easier. /

The handler function uses global state (globalVar and logMessage), and it can be called by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines:

- The program begins execution, initializes logMessage, and registers the signal handlers for SIGHUP and SIGTERM. - The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time. - The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler"). - SIGHUP-handler begins to execute, calling syslog(). - syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap. - The attacker then sends SIGTERM. - SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata. - The SIGTERM handler is invoked. - SIGTERM-handler records the log message using syslog(), then frees the logMessage variable.

At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap; the metadata might be in an inconsistent state. The SIGTERM-handler call to free() is assuming that the metadata is inconsistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running.

Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution.

Also note that the strdup(argv[1]) call contains a potential buffer over-read (Buffer Over-read) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array.

ID : DX-48

The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting.

Code Example:

Bad

/* Sleep statements added to expand timing window for race condition /

However, the following sequence of events may result in a double-free (Double Free):

1. a SIGHUP is delivered to the process 1. sh() is invoked to process the SIGHUP 1. This first invocation of sh() reaches the point where global1 is freed 1. At this point, a SIGTERM is sent to the process 1. the second invocation of sh() might do another free of global1 1. this results in a double-free (Double Free)

This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360].

Observed Examples 5

CVE-1999-0035Signal handler does not disable other signal handlers, allowing it to be interrupted, causing other functionality to access files/etc. with raised privileges

CVE-2001-0905Attacker can send a signal while another signal handler is already running, leading to crash or execution with root privileges

CVE-2001-1349unsafe calls to library functions from signal handler

CVE-2004-0794SIGURG can be used to remotely interrupt signal handler; other variants exist

CVE-2004-2259SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.

References 5

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Delivering Signals for Fun and Profit

Michal Zalewski

https://lcamtuf.coredump.cx/signals.txt(2023-04-07)

ID: REF-360

Race Condition: Signal Handling

https://vulncat.fortify.com/en/detail?id=desc.structural.cpp.race_condition_signal_handling#:~:text=Signal%20handling%20race%20conditions%20can,installed%20to%20handle%20multiple%20signals.s(2023-04-07)

ID: REF-361

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

C : SometimesC++ : Sometimes

Modes of Introduction

Implementation

Functional Areas

Signals
Interprocess Communication

Affected Resources

System Process

Related Weaknesses

ChildOf:

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

CanPrecede:

Double Free (CWE-415)

CanPrecede:

Use After Free (CWE-416)

CanPrecede:

Write-what-where Condition (CWE-123)

Taxonomy Mapping

PLOVER
7 Pernicious Kingdoms
CLASP
Software Fault Patterns