SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 98

changes.mady.by.user Amy Gale

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

Accessing or modifying shared objects in signal handlers can result in race conditions that can leave data in an inconsistent state. The two exceptions (C Standard, 5.1.2.3, paragraph 5) to this rule are the ability to read from and write to lock-free atomic objects or to read from or write to and variables of type volatile sig_atomic_t. Accessing any other type of object from a signal handler is undefined behavior. (see See undefined behavior 131.).

The need for the volatile keyword is described in DCL22-C. Use volatile for data that cannot be cached.

...

The signal handler may also call a handful of functions, including abort(). (see See SIG30-C. Call only asynchronous-safe functions within signal handlers for more information.).

Noncompliant Code Example

...

Signal handlers can refer to objects with static or thread storage duration durations that are lock-free atomic objects, as in this compliant solution:

Code Block
bgColor#ccccff
langc
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <stdatomic.h>
 
#if#ifdef __STDC_NO_ATOMICS__ == 1
#error "Atomics isare not supported"
#elif ATOMIC_INT_LOCK_FREE == 0
#error "int is never lock-free"
#endif

atomic_int e_flag = ATOMIC_VAR_INIT(0);
 
void handler(int signum) {
  eflage_flag = 1;
}

int main(void) {
  enum { MAX_MSG_SIZE = 24 };
  char err_msg[MAX_MSG_SIZE];
#if ATOMIC_INT_LOCK_FREE == 1
  if (!atomic_is_lock_free(&e_flag)) {
    return EXIT_FAILURE;
  }
#endif
  if (signal(SIGINT, handler) == SIG_ERR) {
    return EXIT_FAILURE;
  }
  strcpy(err_msg, "No errors yet.");
  /* Main code loop */
  if (e_flag) {
    strcpy(err_msg, "SIGINT received.");
  }
  return EXIT_SUCCESS;
}

Exceptions

SIG31-C-EX1:  The C Standard, 7.14.1.1 paragraph 5 [ISO/IEC 9899:20112024], makes a special exception for errno when a valid call to the signal() function results in a SIG_ERR return, allowing errno to take an indeterminate value. (see See ERR32-C. Do not rely on indeterminate values of errno.)

the signal function with the first argument equal to the signal number corresponding to the signal that caused the invocation of the handler. Furthermore, if such a call to the signal function results in a SIG_ERR return, the object designated by errno has an indeterminate representation.

Risk Assessment

Accessing or modifying shared objects in signal handlers can result in accessing data in an inconsistent state. Michal Zalewski's paper "Delivering Signals for Fun and Profit" [Zalewski 2001] provides some examples of vulnerabilities that can result from violating this and other signal-handling rules.

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

SIG31-C

High

Likely

High

Yes

No

P9

P18

L2

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
signal-handler-shared-accessPartially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-SIG31
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
CONCURRENCY.DATARACEData
Race
race
Compass/ROSE

 

 



Can detect violations of this rule for single-file programs

Cppcheck Premium
24.9.0

premium-cert-sig31-c


Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C2029, C2030

C++3854, C++3855


LDRA tool suite
Include Page
LDRA_V
LDRA_V

87 D

Fully implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-SIG31-aProperly define signal handlers
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2765

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule SIG31-CChecks for shared data access within signal handler (rule partially covered)
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

signal-handler-shared-accessPartially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C++ Coding StandardVOID SIG31-CPP. Do not access shared objects in signal handlers

ISO/IEC TS 17961:2013Accessing shared objects in signal handlers [accsig]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-662, Improper Synchronization2017-07-10: CERT: Rule subset of CWE
CWE 2.11CWE-828, Signal Handler with Functionality that is not Asynchronous-Safe

2017-10-30:MITRE:Unspecified Relationship

2018-10-19:CERT:Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-662 and SIG31-C

CWE-662 = Union( SIG31-C,

...

list) where list =

  • Improper synchronization of shared objects between threads
  • Improper synchronization of files between programs (enabling TOCTOU race conditions

CWE-828 and SIG31-C

CWE-828 = SIG31-C + non-async-safe things besides shared objects.

Bibliography

[C99 Rationale 2003]5.2.3, "Signals and Interrupts"
[ISO/IEC 9899:
2011
2024]Subclause 7.14.1.1, "The signal Function"
[Zalewski 2001]
 

...



...

Image Modified Image Modified Image Modified