...
The type sig_atomic_t is the integer type of an object that can be accessed as an atomic entity, even in the presence of asynchronous interrupts. The type of sig_atomic_t is implementation defined, though it provides some guarantees. Integer values ranging from SIG_ATOMIC_MIN through SIG_ATOMIC_MAX, inclusive, may be safely stored to a variable of the type. In addition, when sig_atomic_t is a signed integer type, SIG_ATOMIC_MIN must be no greater than -127 and SIG_ATOMIC_MAX no less than 127. Otherwise, SIG_ATOMIC_MIN must be 0 and SIG_ATOMIC_MAX must be no less than 255. The macros SIG_ATOMIC_MIN and SIG_ATOMIC_MAX are defined in the header <stdint.h>.
According to the "Signals and Interrupts" section of the C99 Rationale [ISO/IEC 2003], other than calling a limited, prescribed set of library functions,

> The C89 Committee concluded that about the only thing a strictly conforming program can do in a signal handler is to assign a value to a volatile static variable which can be written uninterruptedly and promptly return.
...
```c
#include <signal.h>

extern double compute_value(void);

static volatile double value; /* bug: not declared sig_atomic_t */

void sigfpe_handler(int signum) {
    if (0.0 == value)  /* bug: accessing non-sig_atomic_t object */
        value = 1.0;
    /* bug: SIGFPE handler returns */
}

int main(void) {
    signal(SIGFPE, sigfpe_handler);
    value = compute_value();
    return 0;
}
```
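A compliant counterpart to the example above, added here and not part of the original CERT page: the handler writes only a `volatile sig_atomic_t` flag and returns, while the main control flow consumes the flag and does the real work. The use of SIGINT with `raise()`, and the helper names `fits_in_sig_atomic`, `handle_pending_interrupt` and `demo_flag_set_by_handler`, are assumptions made for this demonstration.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

/* The only object the handler writes: a volatile sig_atomic_t.  Its range is
 * bounded by SIG_ATOMIC_MIN..SIG_ATOMIC_MAX from <stdint.h>, so storing the
 * flag value 1 is always safe. */
static volatile sig_atomic_t interrupted = 0;

/* Compliant handler: assign to the volatile sig_atomic_t flag and return.
 * No other shared state is read or written here. */
static void sigint_handler(int signum) {
    (void)signum;
    interrupted = 1;
}

/* Returns nonzero if v can be stored in sig_atomic_t on this platform. */
int fits_in_sig_atomic(long v) {
    return v >= SIG_ATOMIC_MIN && v <= SIG_ATOMIC_MAX;
}

/* Called from the main control flow, never from the handler: it consumes the
 * flag and performs the non-async-safe work (such as I/O) on its behalf. */
int handle_pending_interrupt(void) {
    if (!interrupted) {
        return 0;
    }
    interrupted = 0;
    printf("interrupt observed in main flow, cleaning up\n");
    return 1;
}

/* Demonstration (assumed, not from the page): install the handler, deliver
 * SIGINT to ourselves with raise(), report whether the flag was set, then
 * restore the default action. */
int demo_flag_set_by_handler(void) {
    interrupted = 0;
    if (signal(SIGINT, sigint_handler) == SIG_ERR) {
        return -1;
    }
    raise(SIGINT); /* the handler runs before raise() returns */
    int seen = interrupted;
    signal(SIGINT, SIG_DFL);
    return seen;
}

int main(void) {
    int seen = demo_flag_set_by_handler();
    printf("flag set by handler: %d\n", seen);
    handle_pending_interrupt();
    return seen == 1 ? 0 : 1;
}
```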
Risk Assessment
...
Accessing or modifying shared objects in signal handlers can result in accessing data in an inconsistent state. Zalewski's paper "Delivering Signals for Fun and Profit" provides some examples of vulnerabilities that can result from violating this and other signal-handling rules [Zalewski 2001].
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SIG31-C | high | likely | high | P9 | L2 |
Automated Detection
...
MITRE CWE: CWE ID 662, "Insufficient Synchronization"
Bibliography
...
[Dowd 2006] Chapter 13, "Synchronization and State"
[ISO/IEC 2003] "Signals and Interrupts"
[Open Group 2004] longjmp, http://www.opengroup.org/onlinepubs/000095399/functions/longjmp.html
[OpenBSD] signal() Man Page, http://www.openbsd.org/cgi-bin/man.cgi?query=signal
[Zalewski 2001] "Delivering Signals for Fun and Profit"
...