CWE-440: Expected Behavior Violation

CVE-2019-5108

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The provided code is extracted from the Control and Status Register (CSR), csr_regfile, module within the Hack@DAC'21 OpenPiton System-on-Chip (SoC). This module is designed to implement CSR registers in accordance with the RISC-V specification. The mie (machine interrupt enable) register is a 64-bit register [REF-1384], where bits correspond to different interrupt sources. As the name suggests, mie is a machine-level register that determines which interrupts are enabled. Note that in the example below the mie_q and mie_d registers represent the conceptual mie reigster in the RISC-V specification. The mie_d register is the value to be stored in the mie register while the mie_q register holds the current value of the mie register [REF-1385].

Vulnerable example

verilog

if (csr_we) begin

Safe example

verilog

if (csr_we) begin

CWE-440: Expected Behavior Violation

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-440?

What CVEs are caused by CWE-440?

What are the consequences of CWE-440?

Is CWE-440 actively exploited?

References

Stay ahead of CWE-440

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-440?

What CVEs are caused by CWE-440?

What are the consequences of CWE-440?

Is CWE-440 actively exploited?

References

Stay ahead of CWE-440