Read Time:2 Minute, 23 Second
Description
The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-662
CWE-662
CWE-662
CWE-662
Consequences
Availability: DoS: Resource Consumption (CPU)
Inconsistent locking discipline can lead to deadlock.
Potential Mitigations
Phase: Implementation
Description:
Use industry standard APIs to implement locking mechanism.
CVE References
- CVE-2009-0935
- Attacker provides invalid address to a memory-reading function, causing a mutex to be unlocked twice
- CVE-2010-4210
- function in OS kernel unlocks a mutex that was not previously locked, causing a panic or overwrite of arbitrary memory.
- CVE-2008-4302
- Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
- CVE-2009-1243
- OS kernel performs an unlock in some incorrect circumstances, leading to panic.
- CVE-2009-2857
- OS deadlock
- CVE-2009-1961
- OS deadlock involving 3 separate functions
- CVE-2009-2699
- deadlock in library
- CVE-2009-4272
- deadlock triggered by packets that force collisions in a routing table
- CVE-2002-1850
- read/write deadlock between web server and script
- CVE-2004-0174
- web server deadlock involving multiple listening connections
- CVE-2009-1388
- multiple simultaneous calls to the same function trigger deadlock.
- CVE-2006-5158
- chain: other weakness leads to NULL pointer dereference (CWE-476) or deadlock (CWE-833).
- CVE-2006-4342
- deadlock when an operation is performed on a resource while it is being removed.
- CVE-2006-2374
- Deadlock in device driver triggered by using file handle of a related device.
- CVE-2006-2275
- Deadlock when large number of small messages cannot be processed quickly enough.
- CVE-2005-3847
- OS kernel has deadlock triggered by a signal during a core dump.
- CVE-2005-3106
- Race condition leads to deadlock.
- CVE-2005-2456
- Chain: array index error (CWE-129) leads to deadlock (CWE-833)
- CVE-2001-0682
- Program can not execute when attacker obtains a mutex.
- CVE-2002-1914
- Program can not execute when attacker obtains a lock on a critical output file.
- CVE-2002-1915
- Program can not execute when attacker obtains a lock on a critical output file.
- CVE-2002-0051
- Critical file can be opened with exclusive read access by user, preventing application of security policy. Possibly related to improper permissions, large-window race condition.
- CVE-2000-0338
- Chain: predictable file names used for locking, allowing attacker to create the lock beforehand. Resultant from permissions and randomness.
- CVE-2000-1198
- Chain: Lock files with predictable names. Resultant from randomness.
- CVE-2002-1869
- Product does not check if it can write to a log file, allowing attackers to avoid logging by accessing the file using an exclusive lock. Overlaps unchecked error condition. This is not quite CWE-412, but close.