CWE -CWE -413：资源锁定不当（4.9）

弱点ID：413

抽象：Base
结构：简单的

View customized information:

Description

当软件必须独有访问资源时，该软件不会锁定或无法正确锁定资源。

Extended Description

When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the software. This might violate the software's assumption that the resource will not change, potentially leading to unexpected behaviors.

关系

该表显示了与该弱点相关的弱点和高级类别。这些关系定义为childof，parentof，ementof，并深入了解可能存在于较高和较低抽象水平的类似项目。此外，定义了诸如Peerof和Canalsobe之类的关系，以显示用户可能想要探索的类似弱点。

Relevant to the view "Research Concepts" (CWE-1000)

自然	Type	ID	名称
Childof	班级 - 以非常抽象的方式描述的弱点，通常与任何特定的语言或技术无关。比支柱弱点更具体，但比基本弱点更一般。班级弱点通常用以下维度的1或2来描述问题：行为，属性和资源。	667	Improper Locking
ParentOf	变体 - 与某种类型的产品相关的弱点，通常涉及特定的语言或技术。比基本弱点更具体。变体级别的弱点通常以以下维度的3到5来描述问题：行为，财产，技术，语言和资源。	591	Sensitive Data Storage in Improperly Locked Memory

Relevant to the view "Software Development" (CWE-699)

自然	Type	ID	名称
MemberOf	类别- a CWE entry that contains a set of other entries that share a common characteristic.	411	资源锁定问题

介绍模式

引言的不同模式提供了有关如何以及何时引入这种弱点的信息。该阶段识别可能发生介绍的生命周期中的一个点，而音符提供了与给定阶段中引言有关的典型情况。

阶段	笔记
Architecture and Design
Implementation

适用的平台

该清单显示了可能出现的弱点的可能区域。这些可能适用于特定的命名语言，操作系统，体系结构，范式，技术或一类此类平台。该平台与给定弱点出现在该实例的频率一起列出。

语言

班级: Not Language-Specific（不确定的患病率）

常见后果

该表指定与弱点相关的不同个人后果。该范围确定了违反的应用程序安全区域，而影响描述了如果对手成功利用这一弱点，就会产生负面的技术影响。其可能性提供了有关预期相对于列表中其他后果的特定后果的可能性的信息。例如，可能会利用弱点来实现一定的影响，但很可能会利用它来实现不同的影响。

Scope	Impact	可能性
正直 Availability	技术影响：修改应用程序数据；DOS：不稳定；DOS：崩溃，退出或重新启动

Demonstrative Examples

Example 1

以下功能试图获取锁定以在共享资源上执行操作。

(bad code)

Example Language:C

void f(pthread_mutex_t *mutex) {

pthread_mutex_lock(mutex);

/* access shared resource */

pthread_mutex_unlock（mutex）;

}

However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

为了避免数据竞赛，正确编写的程序必须检查线程同步函数的结果，并通过尝试从它们恢复或将其报告到更高级别来适当处理所有错误。

(good code)

Example Language:C

int f(pthread_mutex_t *mutex) {

int result;

result = pthread_mutex_lock(mutex);
if (0 != result)

返回结果；

/* access shared resource */

返回pthread_mutex_unlock（mutex）;

}

Example 2

This Java example shows a simple BankAccount class with deposit and withdraw methods.

(bad code)

Example Language:爪哇

公共类BankAccount {

// variable for bank account balance
私人双重帐户；

// constructor for BankAccount
public BankAccount() {

accountBalance = 0;

}

//将金额存入银行估计的方法
public void deposit(double depositAmount) {

双重新空白=帐户余额 + redageAmount;
帐户余额= newbalance;

}

//从BankAccount提取金额的方法
公共无效提取（双重提取）{

双重新空白=帐户余额 - 取款；
帐户余额= newbalance;

}

// other methods for accessing the BankAccount object
...

}

However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.

To prevent multiple threads from having simultaneous access to the account balance variable the deposit and withdraw methods should be synchronized using the synchronized modifier.

(good code)

Example Language:爪哇

公共类BankAccount {

...
// synchronized method to deposit amount into BankAccount
public synchronized void deposit(double depositAmount) {

...

}

// synchronized method to withdraw amount from BankAccount
public synchronized void withdraw(double withdrawAmount) {

...

}

...

}

另一种解决方案是使用锁定对象来确保对银行帐户余额变量的独家访问。如下所示，存款和提取方法使用锁定对象设置锁定，以阻止其他线程对bankAccount对象的访问，直到该方法完成更新银行帐户余额变量为止。

(good code)

Example Language:爪哇

公共类BankAccount {

...
//锁定线程访问方法的对象
私人重新进入Balancechangelock；

//条件对象暂时将锁定到其他线程
私人条件足够的范围；

//将金额存入银行估计的方法
公共无效存款（双重金额）{

//将锁定锁定以阻止从其他线程访问bankAccount
balanceChangeLock.lock();
尝试 {

双重新空白=余额 +金额；
balance = newBalance;

// inform other threads that funds are available
sufficientFundsCondition.signalAll();

} catch（异常E）{...}
最后 {

//解锁锁定对象
balanceChangeLock.unlock();

}

}

//从银行帐户提取金额的方法
public void withdraw(double amount) {

//将锁定锁定以阻止从其他线程访问bankAccount
balanceChangeLock.lock();
尝试 {

while（余额<量）{

// temporarily unblock access

//直到有足够的资金可用
AfficeFundScondition.await（）;

}
双重新空白=余额 - 金额；
balance = newBalance;

} catch（异常E）{...}
最后 {

//解锁锁定对象
balanceChangeLock.unlock();

}

}
...

}

Potential Mitigations

阶段：建筑和设计

使用非冲突特权计划。

阶段s: Architecture and Design; Implementation

锁定资源时使用同步。

会员资格

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

自然	Type	ID	名称
MemberOf	类别- a CWE entry that contains a set of other entries that share a common characteristic.	852	Java（2011）的CERT ORACLE SECURE编码标准Chapter 9 - Visibility and Atomicity (VNA)
MemberOf	类别- a CWE entry that contains a set of other entries that share a common characteristic.	853	Java的Cert Oracle安全编码标准（2011）第10章 - 锁定（LCK）
MemberOf	类别- a CWE entry that contains a set of other entries that share a common characteristic.	986	SFP Secondary Cluster: Missing Lock
MemberOf	类别- a CWE entry that contains a set of other entries that share a common characteristic.	1142	Java的SEI CERT ORACLE SECURE编码标准 - 指南08.可见性和原子性（VNA）

Taxonomy Mappings

映射的分类名称	Node ID	Mapped Node Name
plover		Insufficient Resource Locking
Java（2011）的CERT ORACLE SECURE编码标准	VNA00-J	访问共享原始变量时可见性
Java（2011）的CERT ORACLE SECURE编码标准	VNA02-J	Ensure that compound operations on shared variables are atomic
Java（2011）的CERT ORACLE SECURE编码标准	LCK00-J	使用私有最终锁定对象同步可能与不信任代码交互的类
软件故障模式	SFP19	缺少锁

内容历史记录

Submissions
Submission Date	提交者	Organization
2006-07-19	plover
2006-07-19
贡献
Contribution Date	贡献者	Organization
2010-04-30	马丁·塞伯	思科系统公司
2010-04-30	Provided Demonstrative Example
修改
修改日期	修饰符	Organization
2008-07-01	埃里克·达奇（Eric Dalci）	雪茄
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWEContent Team	MITER
2008-09-08	updated Relationships, Taxonomy_Mappings
2010-06-21	CWEContent Team	MITER
2010-06-21	更新了示范_examples
2010-09-27	CWEContent Team	MITER
2010-09-27	updated Description, Name
2010-12-13	CWEContent Team	MITER
2010-12-13	更新了示范_examples
2011-06-01	CWEContent Team	MITER
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11	CWEContent Team	MITER
2012-05-11	更新的示范_examples，关系
2012-10-30	CWEContent Team	MITER
2012-10-30	updated Potential_Mitigations
2014-07-30	CWEContent Team	MITER
2014-07-30	updated Relationships, Taxonomy_Mappings
2017-11-08	CWEContent Team	MITER
2017-11-08	updated Applicable_Platforms
2019-01-03	CWEContent Team	MITER
2019-01-03	updated Relationships, Taxonomy_Mappings
2020-02-24	CWEContent Team	MITER
2020-02-24	updated Relationships
2021-03-15	CWEContent Team	MITER
2021-03-15	更新了示范_examples
先前的输入名称s
Change Date	先前的输入名称
2010-09-27	Insufficient Resource Locking

Common Weakness Enumeration

CWE-413: Improper Resource Locking


	Site Map\|使用条款\|Privacy Policy\|联系我们\| Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the使用条款. CWE is sponsored by theU.S. Department of Homeland Security(DHS)网络安全和基础设施安全局（CISA），由家land Security Systems Engineering and Development Institute（HSSEDI）由manbetx客户端首页(MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.