Skip to content

EnsureDBInstalled race condition (TOCTOU) #4818

New issue
New issue
Closed as not planned
Closed as not planned
EnsureDBInstalled race condition (TOCTOU)#4818
Labels
bugSomething isn't workingstaleNo recent activity has been detected on this issue/PR and it will be closed
@e-gineer

Description

@e-gineer
e-gineer
opened on Nov 11, 2025

Description

While EnsureDBInstalled() uses a mutex (ensureMux) to protect the installation process, the initial check IsDBInstalled() at line 56 happens outside the mutex lock. This creates a TOCTOU (Time-of-Check-Time-of-Use) race condition where two concurrent calls could both see the DB as not installed, then both proceed with installation (though the mutex will serialize the actual install).

Severity

MEDIUM - Race condition

Test Reference

Test: TestEnsureDBInstalled_Concurrent in pkg/db/db_local/install_test.go:167 (skipped)

Suggested Fix

Move the IsDBInstalled() check inside the mutex lock.

Related Code

  • pkg/db/db_local/install.go:39-54

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingstaleNo recent activity has been detected on this issue/PR and it will be closed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions