...
This compliant solution relies on exception EXP12-C-EX1 of EXP12-C, "Do not ignore values returned by functions": the value returned by InterlockedAdd() may be discarded because it is irrelevant to all subsequent calculations.
Risk Assessment
Race conditions caused by multiple threads concurrently accessing and modifying the same data can lead to abnormal termination and denial-of-service attacks or data integrity violations.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| CON00-C | Medium | Probable | High | P4 | L3 |
Automated Detection
...
Noncompliant Code Example (Double-Fetch)
This noncompliant code example illustrates Xen Security Advisory CVE-2015-8550 / XSA-155. In this example, the code can be vulnerable to a data race in which the integer referenced by ps is modified by a second thread that runs between the two reads of the variable.
...
Even though there is only one read of the *ps variable in the source code, the compiler is permitted to produce object code that performs multiple reads of the memory location. This is permitted by the "as-if" principle, as explained in section 5.1 of the C99 Rationale:
The *as if* principle is invoked repeatedly in this Rationale. The C89 Committee found that describing various aspects of the C language, library, and environment in terms of concrete models best serves discussion and presentation. Every attempt has been made to craft these models so that implementations are constrained only insofar as they must bring about the same result, *as if* they had implemented the presentation model; often enough the clearest model would make for the worst implementation.
Implementation Details (GCC)
This code produces two reads of the *ps value using GCC 4.8.4 on x86, as well as GCC 5.3.0 on x86-64 (Compiler-Introduced Double-Fetch Vulnerabilities – Understanding XSA-155).
Noncompliant Code Example (Volatile)
The data race can be prevented by declaring the data to be volatile, because the volatile keyword forbids the compiler from producing two reads of the data.
However, this violates CON03-C.
```c
#include <stdio.h>
#include <stdlib.h>

/* Declaring the pointee volatile obliges the compiler to emit exactly one
 * read of *ps for the switch, so the value cannot be fetched twice. */
void doStuff(volatile int* ps) {
  printf("NON-VOLATILE");
  switch (*ps) {
    case 0: {printf("0"); break;}
    case 1: {printf("1"); break;}
    case 2: {printf("2"); break;}
    case 3: {printf("3"); break;}
    case 4: {printf("4"); break;}
    default: {printf("default"); break;}
  }
}
```
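An added example, not the CERT page's own compliant solution, showing the read-once pattern with a C11 atomic load instead of volatile: the shared integer is fetched once into a local snapshot, and both the range check and the table lookup use that snapshot, so neither a concurrent writer nor a compiler-introduced second read can change the value between check and use. The handler table, select_handler(), handler_name() and check_value() are constructed for this example, and no writer thread is started.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUM_HANDLERS 5

/* Table indexed by the shared integer; constructed for this example. */
static const char *const handler_names[NUM_HANDLERS] = {
    "handler0", "handler1", "handler2", "handler3", "handler4"
};

/* Reads the shared integer exactly once and returns the handler index it
 * selects, or -1 for an out-of-range value.  atomic_load_explicit() is a
 * single indivisible read that the compiler may not split in two; the bounds
 * check and the return value both use the local snapshot 'state', so a write
 * by another thread after the load cannot change which index is used.
 * memory_order_relaxed suffices: only the value itself matters here, not its
 * ordering relative to other memory accesses. */
int select_handler(atomic_int *ps) {
    int state = atomic_load_explicit(ps, memory_order_relaxed);
    if (state < 0 || state >= NUM_HANDLERS) {
        return -1;   /* validated on the snapshot ... */
    }
    return state;    /* ... and the same snapshot is what gets used */
}

/* Maps a handler index to its name; -1 maps to "default". */
const char *handler_name(int index) {
    return (index < 0) ? "default" : handler_names[index];
}

/* Helper for stand-alone use: publishes 'value' in a shared atomic, as a
 * concurrent writer would, and dispatches on it. */
int check_value(int value) {
    static atomic_int shared;   /* zero-initialised static storage */
    atomic_store_explicit(&shared, value, memory_order_relaxed);
    return select_handler(&shared);
}

int main(void) {
    int samples[] = { 0, 3, 4, 5, -1 };   /* constructed sample values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = check_value(samples[i]);
        printf("*ps = %2d -> %s\n", samples[i], handler_name(idx));
    }
    return 0;
}
```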
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | CONCURRENCY.DATARACE | Data race |
| Coverity | 6.5 | MISSING_LOCK | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...