National Institute of Standards and Technology
Package illustrating a test case

Test case 150068

Description

This test case uses a counting semaphore initialized to one count of a shared resource to implement multiple unlocks of a critical resource for certain input. The test case takes a control integer, the names of two control files, and an input string. The control integer and the two control files are used for timing within the test case to ensure that the test case follows an exploiting or benign execution path, and the input string is used as shared data for the threads to act upon. When executing, the test case checks the input string for non-alpha characters, and if it contains non-alpha characters the test case increments the counting semaphore and spawns two threads that both use the semaphore as an access control mechanism surrounding a shared reference to the input string. Since the semaphore incorrectly indicates that there are two counts of the input string available, both threads now have the ability to access the shared string (actual concurrent access is controlled by the control files and integer) leading to a segfault. If the input string does not contain non-alpha characters, only one thread will spawn and the semaphore will be decremented and incremented appropriately, allowing the test case to run without error.
Metadata
- Base program: Subversion
- Source Taint: ENVIRONMENT_VARIABLE
- Data Type: SIMPLE
- Data Flow: ADDRESS_AS_LINEAR_EXPRESSION
- Control Flow: SEQUENCE

Flaws

Test Suites

Documentation

Have any comments on this test case? Please, send us an email.