logo

Deadlock

Incomplete Base
Structure: Simple
Description

Deadlock occurs when two or more threads or processes become permanently stuck, each waiting for the other to release a shared resource like a lock or mutex, preventing any of them from progressing.

Extended Description

Deadlock is a common concurrency bug that arises when threads or processes enter a circular waiting pattern. For example, Thread A holds Lock 1 and waits for Lock 2, while Thread B holds Lock 2 and waits for Lock 1. Since neither can proceed without the resource the other holds, the entire system grinds to a halt. This often stems from inconsistent or poorly managed locking order across different parts of the code. To prevent deadlocks, developers should enforce a strict, global order for acquiring multiple locks and use timeouts or non-blocking lock attempts. Techniques like lock hierarchies, deadlock detection algorithms, and minimizing the scope and duration of locks are crucial. Understanding and managing these dependencies is essential for building robust, multi-threaded applications that avoid this silent failure state.
Common Consequences 1
Scope: Availability

Impact: DoS: Resource Consumption (CPU)DoS: Resource Consumption (Other)DoS: Crash, Exit, or Restart

Each thread of execution will "hang" and prevent tasks from completing. In some cases, CPU consumption may occur if a lock check occurs in a tight loop.
Observed Examples 15
CVE-1999-1476A bug in some Intel Pentium processors allow DoS (hang) via an invalid "CMPXCHG8B" instruction, causing a deadlock
CVE-2009-2857OS deadlock
CVE-2009-1961OS deadlock involving 3 separate functions
CVE-2009-2699deadlock in library
CVE-2009-4272deadlock triggered by packets that force collisions in a routing table
CVE-2002-1850read/write deadlock between web server and script
CVE-2004-0174web server deadlock involving multiple listening connections
CVE-2009-1388multiple simultaneous calls to the same function trigger deadlock.
CVE-2006-5158chain: other weakness leads to NULL pointer dereference (NULL Pointer Dereference) or deadlock (Deadlock).
CVE-2006-4342deadlock when an operation is performed on a resource while it is being removed.
CVE-2006-2374Deadlock in device driver triggered by using file handle of a related device.
CVE-2006-2275Deadlock when large number of small messages cannot be processed quickly enough.
CVE-2005-3847OS kernel has deadlock triggered by a signal during a core dump.
CVE-2005-3106Race condition leads to deadlock.
CVE-2005-2456Chain: array index error (Improper Validation of Array Index) leads to deadlock (Deadlock)
References 2
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Secure Coding in C and C++
Robert C. Seacord
Addison Wesley
2006
ID: REF-783
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Locking (CWE-667)
ChildOf: Improper Synchronization (CWE-662)
Taxonomy Mapping
  • The CERT Oracle Secure Coding Standard for Java (2011)