Description

The software does not properly acquire a lock on a resource, or it does not properly release a lock on a resource, leading to unexpected resource state changes and behaviors.

Applicable Platforms
None

Time Of Introduction

• Architecture and Design
• Implementation

Related Attack Patterns

• CAPEC-26
• CAPEC-27

Common Consequences

Detection Methods
None

Potential Mitigations

Relationships

Demonstrative Examples   (Details)

1. In the following Java snippet, methods are defined to get and set a long field in an instance of a class that is shared across multiple threads. Because operations on double and long are nonatomic in Java, concurrent access may cause unexpected behavior. Thus, all operations on long and double fields should be synchronized.
2. It may seem that the following bit of code achieves thread safety while avoiding unnecessary synchronization... (Demonstrative Example Id DX-70)
3. The following function attempts to acquire a lock in order to perform operations on a shared resource. (Demonstrative Example Id DX-24)
4. This code tries to obtain a lock for a file, then writes to it. (Demonstrative Example Id DX-69)

Observed Examples

1. CVE-2009-0935 : Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
2. CVE-2010-4210 : function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
3. CVE-2008-4302 : Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
4. CVE-2009-1243 : OS kernel performs an unlock in some incorrect circumstances, leading to panic.
5. CVE-2009-2857 : OS deadlock
6. CVE-2009-1961 : OS deadlock involving 3 separate functions
7. CVE-2009-2699 : deadlock in library
8. CVE-2009-4272 : deadlock triggered by packets that force collisions in a routing table
9. CVE-2002-1850 : read/write deadlock between web server and script
10. CVE-2004-0174 : web server deadlock involving multiple listening connections
11. CVE-2009-1388 : multiple simultaneous calls to the same function trigger deadlock.
12. CVE-2006-5158 : chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
13. CVE-2006-4342 : deadlock when an operation is performed on a resource while it is being removed.
14. CVE-2006-2374 : Deadlock in device driver triggered by using file handle of a related device.
15. CVE-2006-2275 : Deadlock when large number of small messages cannot be processed quickly enough.
16. CVE-2005-3847 : OS kernel has deadlock triggered by a signal during a core dump.
17. CVE-2005-3106 : Race condition leads to deadlock.
18. CVE-2005-2456 : Chain: array index error (CWE-129) leads to deadlock (CWE-833)
19. CVE-2001-0682 : Program can not execute when attacker obtains a mutex.
20. CVE-2002-1914 : Program can not execute when attacker obtains a lock on a critical output file.
21. CVE-2002-1915 : Program can not execute when attacker obtains a lock on a critical output file.
22. CVE-2002-0051 : Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
23. CVE-2000-0338 : Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
24. CVE-2000-1198 : Chain: Lock files with predictable names. Resultant from randomness.
25. CVE-2002-1869 : Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

References:
None