CWE-663: Use of a Non-reentrant Function in a Concurrent Context


Description

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

Extended Description

N/A


ThreatScore

Threat Mapped score: 0.0

Industry: Financial

Threat priority: Unclassified


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)


Attack TTPs

N/A

Modes of Introduction

Phase: Implementation
Note: N/A

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: In this example, a signal handler uses syslog() to log a message:

    #include <signal.h>
    #include <stdlib.h>
    #include <syslog.h>
    #include <unistd.h>

    char *message;

    /* Handler shared by SIGHUP and SIGTERM; it calls the non-reentrant syslog(). */
    void sh(int dummy) {
        syslog(LOG_NOTICE,"%s\n",message);
        sleep(10);
        exit(0);
    }

    int main(int argc,char* argv[]) {
        ...
        signal(SIGHUP,sh);
        signal(SIGTERM,sh);
        sleep(10);
        exit(0);
    }

If the execution of the first call to the signal handler is suspended after invoking syslog(), and the signal handler is called a second time, the memory allocated by syslog() enters an undefined, and possibly exploitable, state.
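A hardened form of the handler above, given here as an added example that is not part of the CWE entry: the handler only records the signal in a volatile sig_atomic_t flag, and syslog() is called later from the normal program flow. The names pending_signal, on_signal, handled_set, install_handlers and drain_pending are illustrative, and the raise() calls in main are a constructed trigger.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* expose sigaction() under strict -std= modes */
#endif
#include <signal.h>
#include <string.h>
#include <syslog.h>

/* A type the C standard guarantees a handler can write safely. */
static volatile sig_atomic_t pending_signal = 0;

/* Handler: no syslog(), no allocation, no exit(); it only records the signal. */
static void on_signal(int signo) { pending_signal = signo; }

/* Fill `set` with the two signals the original example handles. */
static void handled_set(sigset_t *set) {
    sigemptyset(set);
    sigaddset(set, SIGHUP);
    sigaddset(set, SIGTERM);
}

/* Install with sigaction(); sa_mask keeps one delivery from interrupting another. */
int install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    handled_set(&sa.sa_mask);
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    return sigaction(SIGTERM, &sa, NULL);
}

/* Called from the main flow, where syslog() is safe. Returns the signal
 * that was logged, or 0 if none was pending. */
int drain_pending(const char *message) {
    sigset_t block, old;
    handled_set(&block);
    sigprocmask(SIG_BLOCK, &block, &old);    /* read-and-clear without a race */
    int signo = pending_signal;
    pending_signal = 0;
    sigprocmask(SIG_SETMASK, &old, NULL);
    if (signo != 0) syslog(LOG_NOTICE, "%s (signal %d)", message, signo);
    return signo;
}

int main(void) {
    if (install_handlers() != 0) return 1;
    raise(SIGHUP);   /* constructed trigger standing in for an external signal */
    raise(SIGHUP);   /* a repeat delivery only overwrites the flag */
    return drain_pending("shutting down") == SIGHUP ? 0 : 1;
}
```

In a multithreaded program, pthread_sigmask() takes the place of sigprocmask() in drain_pending.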

Intro: The following code relies on getlogin() to determine whether or not a user is trusted. It is easily subverted.

    pwd = getpwnam(getlogin());
    if (isTrustedGroup(pwd->pw_gid)) {
        allow();
    } else {
        deny();
    }

Notes
