CWE-820: Missing Synchronization
Structure: Simple
Abstraction: Base
Status: Incomplete
Likelihood of Exploit: Unknown
Description
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
Extended Description
If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Related Weaknesses
- ChildOf CWE-662 (View 1000, Primary)
- ChildOf CWE-662 (View 699, Primary)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Integrity, Confidentiality, Other | Modify Application Data, Read Application Data, Alter Execution Logic | |
Demonstrative Examples
Example
The following code intends to fork a process, then have both the parent and child processes print a single line.
Bad code (C):

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Print one character at a time, flushing after each character, so both
 * processes write to the shared stdout with no synchronization at all. */
static void print(char *string) {
    char *word;
    int counter;
    for (word = string; (counter = *word++); ) {
        putc(counter, stdout);
        fflush(stdout);
        /* Make timing window a little larger... */
        sleep(1);
    }
}

int main(void) {
    pid_t pid;
    pid = fork();
    if (pid == -1) {
        exit(-2);
    }
    else if (pid == 0) {
        print("child\n");
    }
    else {
        print("PARENT\n");
    }
    exit(0);
}
```
One might expect the code to print out something like:

```
PARENT
child
```
However, because the parent and child are executing concurrently, and stdout is flushed each time a character is printed, the output might be mixed together, such as:

```
PcAhRiEldN
T
```
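As an added example (not part of the CWE entry), here is the hardened counterpart of the demo above: each process builds its complete line and writes it with a single write(2), which POSIX guarantees is atomic on a pipe for up to PIPE_BUF bytes, and the parent reads the pipe back to verify that no line was interleaved. The pipe, the `write_line_atomic` and `run_writers` helpers and the sample lines are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef PIPE_BUF
#define PIPE_BUF 512                    /* POSIX minimum (_POSIX_PIPE_BUF) */
#endif
/* Hardened fork demo (added example, not CWE text): each process hands its
 * whole line to the kernel in ONE write(2), which POSIX makes atomic for up to
 * PIPE_BUF bytes on a pipe, so concurrent writers cannot interleave mid-line. */
static int write_line_atomic(int fd, const char *line) {
    size_t len = strlen(line);
    if (len > PIPE_BUF) return 0;       /* beyond this the atomicity guarantee ends */
    return write(fd, line, len) == (ssize_t)len;  /* 1 = whole line written */
}

/* Fork one writer per line into a shared pipe, collect all output into `out`
 * and return how many expected lines arrived intact; -1 on pipe()/fork() error. */
static int run_writers(const char *const *lines, int n, char *out, size_t outsz) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid == -1) return -1;
        if (pid == 0) {                 /* child: write once, then leave */
            close(fds[0]);
            _exit(write_line_atomic(fds[1], lines[i]) ? 0 : 1);
        }
    }
    close(fds[1]);                      /* parent keeps only the read end */
    size_t used = 0; ssize_t r;
    while (used < outsz - 1 && (r = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    while (wait(NULL) > 0) {}           /* reap every writer */
    int intact = 0;                     /* a line is intact if it appears whole */
    for (int i = 0; i < n; i++)
        if (strstr(out, lines[i]) != NULL) intact++;
    return intact;
}
int main(void) {
    const char *const lines[] = {"PARENT\n", "child\n"};
    char buf[256];
    int intact = run_writers(lines, 2, buf, sizeof buf);
    printf("%d of 2 lines intact:\n%s", intact, buf);
    return intact == 2 ? 0 : 1;
}
```

The order of the two lines may still vary between runs; what the single write buys is that each line is delivered whole, which is the property the original character-by-character flushing lacks.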
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
The CERT Oracle Secure Coding Standard for Java (2011) | LCK05-J | | Synchronize access to static fields that can be modified by untrusted code |
Source: article from the Internet, scap中文网