Example - 1

This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.

FatalError("Bad Transfer Amount");
FatalError("Insufficient Funds");
$transfer_amount = GetTransferAmount();$balance = GetBalanceFromDatabase();if ($transfer_amount < 0) {}$newbalance = $balance - $transfer_amount;if (($balance - $transfer_amount) < 0) {}SendNewBalanceToDatabase($newbalance);NotifyUser("Transfer of $transfer_amount succeeded.");NotifyUser("New balance: $newbalance");

A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Suppose the balance is initially 100.00. An attack could be constructed as follows:

In the following pseudocode, the attacker makes two simultaneous calls of the program, CALLER-1 and CALLER-2. Both callers are for the same user account.CALLER-1 (the attacker) is associated with PROGRAM-1 (the instance that handles CALLER-1). CALLER-2 is associated with PROGRAM-2.CALLER-1 makes a transfer request of 80.00.PROGRAM-1 calls GetBalanceFromDatabase and sets $balance to 100.00PROGRAM-1 calculates $newbalance as 20.00, then calls SendNewBalanceToDatabase().Due to high server load, the PROGRAM-1 call to SendNewBalanceToDatabase() encounters a delay.CALLER-2 makes a transfer request of 1.00.PROGRAM-2 calls GetBalanceFromDatabase() and sets $balance to 100.00. This happens because the previous PROGRAM-1 request was not processed yet.PROGRAM-2 determines the new balance as 99.00.After the initial delay, PROGRAM-1 commits its balance to the database, setting it to 20.00.PROGRAM-2 sends a request to update the database, setting the balance to 99.00

At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database.

To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Example - 2

The following function attempts to acquire a lock in order to perform operations on a shared resource.

// /* access shared resource */// 
pthread_mutex_lock(mutex);pthread_mutex_unlock(mutex);void f(pthread_mutex_t *mutex) {}

However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels.

return result;
// /* access shared resource */// 
int result;result = pthread_mutex_lock(mutex);if (0 != result)return pthread_mutex_unlock(mutex);int f(pthread_mutex_t *mutex) {}

Example - 3

Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.

Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.