CWE-364 Signal Handler Race Condition: vulnerability list (10)

A summary of 10 CVEs in the weakness class CWE-364 (Signal Handler Race Condition), with AI-generated analysis in Chinese.

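CWE-364 is the signal handler race condition, a concurrency weakness. Signal handlers support asynchronous actions, which makes race conditions easy to introduce. An attacker who exploits the flaw can corrupt the product's state, leading to data corruption, denial of service or even code execution. Developers should avoid calling functions that are not async-signal-safe inside signal handlers, make critical operations atomic, and use thread-safe mechanisms to prevent races on shared state.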

MITRE CWE official description
CWE: CWE-364 Signal Handler Race Condition
The product uses a signal handler that introduces a race condition.

Race conditions frequently occur in signal handlers, since signal handlers support asynchronous actions. These race conditions have a variety of root causes and symptoms. Attackers may be able to exploit a signal handler race condition to cause the product state to be corrupted, possibly leading to a denial of service or even code execution.

These issues occur when non-reentrant functions or state-sensitive actions occur in the signal handler, where they may be called at any time. These behaviors can violate assumptions being made by the "regular" code that is interrupted, or by other signal handlers that may also be invoked. If these functions are called at an inopportune moment, such as while a non-reentrant function is already running, memory corruption could occur that may be exploitable for code execution.

Another signal race condition commonly found occurs when free is called within a signal handler, resulting in a double free and therefore a write-what-where condition. Even if a given pointer is set to NULL after it has been freed, a race condition still exists between the time the memory was freed and the time the pointer was set to NULL. This is especially problematic if the same signal handler has been set for more than one signal, since it means that the signal handler itself may be reentered.

There are several known behaviors related to signal handlers that have received the label of "signal handler race condition":
1. Shared state (e.g. global data or static variables) that is accessible to both a signal handler and "regular" code.
2. Shared state between a signal handler and other signal handlers.
3. In the signal handle…
Common consequences (2)
Integrity, Confidentiality, Availability: Modify Application Data, Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands
It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data.
Access Control: Gain Privileges or Assume Identity
If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe.
Mitigations (3)
Requirements: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Architecture and Design: Design signal handlers to only set flags, rather than perform complex functionality. These flags can then be checked and acted upon within the main program loop.
Implementation: Only use reentrant functions within signal handlers. Also, use validation to ensure that state is consistent while performing asynchronous actions that affect the state of execution.
Code examples (2)
This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits.
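#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

char *logMessage;

/* Shared by SIGHUP and SIGTERM, so it can be re-entered while it is still running. */
void handler (int sigNum) {
    syslog(LOG_NOTICE, "%s\n", logMessage);   /* syslog() is not async-signal-safe */
    free(logMessage);                         /* freed a second time on re-entry */
    /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
    sleep(10);
    exit(0);
}

int main (int argc, char* argv[]) {
    logMessage = strdup(argv[1]);
    /* Register signal handlers. */
    signal(SIGHUP, handler);
    signal(SIGTERM, handler);
    /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
    sleep(10);
}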
Bad · C
The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting.
#include <signal.h>
#include <syslog.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

void *global1, *global2;
char *what;

/* Registered for both SIGHUP and SIGTERM: a second signal re-enters it and repeats the free() calls. */
void sh (int dummy) {
    syslog(LOG_NOTICE,"%s\n",what);
    free(global2);
    free(global1);
    /* Sleep statements added to expand timing window for race condition */
    sleep(10);
    exit(0);
}

int main (int argc,char* argv[]) {
    what=argv[1];
    global1=strdup(argv[2]);
    global2=malloc(340);
    signal(SIGHUP,sh);
    signal(SIGTERM,sh);
    /* Sleep statements added to expand timing window for race condition */
    sleep(10);
    exit(0);
}
Bad · C
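The "only set flags" mitigation applied to the first example above, as an added example that is not MITRE's code or this page's: the handler records the signal number and nothing else, and logging and the single free() run in normal context. The names on_signal, install_handlers, wait_for_signal and shutdown_if_signalled are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* The only state the handler touches: one flag of async-signal-safe type. */
static volatile sig_atomic_t got_signal = 0;

/* No syslog(), free() or exit() in signal context. */
static void on_signal(int signum) { got_signal = signum; }

/* One handler for both signals; sa_mask keeps either from interrupting it. */
int install_handlers(void) {
    struct sigaction sa = {0};
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGHUP);
    sigaddset(&sa.sa_mask, SIGTERM);
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    return sigaction(SIGTERM, &sa, NULL);
}

/* Sleep until a signal is recorded; sigsuspend() closes the check-then-sleep gap. */
void wait_for_signal(void) {
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGHUP);
    sigaddset(&block, SIGTERM);
    sigprocmask(SIG_BLOCK, &block, &old);
    while (got_signal == 0)
        sigsuspend(&old);           /* atomically restores old mask and waits */
    sigprocmask(SIG_SETMASK, &old, NULL);
}

/* Normal context: log, free once, clear the pointer. Returns the signal, 0 if none. */
int shutdown_if_signalled(char **msg) {
    int sig = got_signal;
    if (sig == 0) return 0;
    syslog(LOG_NOTICE, "%s (signal %d)", *msg ? *msg : "(already released)", sig);
    free(*msg);                     /* free(NULL) is a no-op on a repeat call */
    *msg = NULL;
    return sig;
}

int main(int argc, char *argv[]) {
    char *log_message = strdup(argc > 1 ? argv[1] : "constructed sample message");
    if (log_message == NULL || install_handlers() != 0) return 1;
    wait_for_signal();
    return shutdown_if_signalled(&log_message) ? 0 : 1;
}
```

A second signal arriving at any point only overwrites the flag, so the free() can no longer be repeated from signal context.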
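| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2026-33565 | OpenHarmony security vulnerability (OpenHarmony) | 3.3 | Low | 2026-05-19 |
| CVE-2026-27766 | OpenHarmony security vulnerability (OpenHarmony) | 5.5 | Medium | 2026-05-19 |
| CVE-2026-24792 | OpenHarmony security vulnerability (OpenHarmony) | 8.1 | High | 2026-05-19 |
| CVE-2025-4598 | Linux systemd-coredump security vulnerability | 4.7 | Medium | 2025-05-30 |
| CVE-2024-6409 | OpenSSH security vulnerability | 7.0 | High | 2024-07-08 |
| CVE-2024-6387 | OpenSSH security vulnerability | 8.1 | High | 2024-07-01 |
| CVE-2023-5676 | Eclipse OpenJ9 race condition vulnerability (OpenJ9) | 4.1 | Medium | 2023-11-15 |
| CVE-2023-1285 | Mitsubishi Electric GC-ENET-COM race condition vulnerability (GC-ENET-COM) | 7.5 | High | 2023-04-14 |
| CVE-2020-14317 | Red Hat Wildfly security vulnerability (Wildfly) | 7.5 | - | 2021-06-02 |
| CVE-2019-3805 | Red Hat Wildfly race condition vulnerability (wildfly) | 4.7 | - | 2019-05-03 |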

CWE-364 (Signal Handler Race Condition) is a common weakness class; this platform lists 10 CVEs associated with it.