eLocalLocal, automatic variables assume unexpected values if they are read before they are initialized. The C Standard, 6.7.9, paragraph 10, specifies [ISO/IEC 9899:2011]
...
Additionally, some dynamic memory allocation functions do not initialize the contents of the memory they allocate.
Function | Initialization |
|---|---|
| Does not perform initialization |
| Zero-initializes allocated memory |
| Does not perform initialization |
| Copies contents from original pointer; may not initialize all memory |
Uninitialized automatic variables or dynamically allocated memory has indeterminate values, which for objects of some types, can be a trap representation. Reading such trap representations is undefined behavior; it can cause a program to behave in an unexpected manner and provide an avenue for attack. (See undefined behavior 10 and undefined behavior 12.) In many cases, compilers issue a warning diagnostic message when reading uninitialized variables. (See MSC00-C. Compile cleanly at high warning levels for more information.)
...
Reading uninitialized variables for creating entropy is problematic because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP33-C | High | Probable | Medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| uninitialized-local-read uninitialized-variable-use | Partially checked | ||||||
| CodeSonar |
| LANG.MEM.UVAR | Uninitialized variable | ||||||
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | ||||||||
| Coverity |
| UNINIT | Implemented | ||||||
| Cppcheck |
| uninitvar | Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.) | ||||||
| GCC | 4.3.5 | Can detect some violations of this rule when the | |||||||
| Klocwork |
| UNINIT.HEAP.MIGHT | |||||||
| LDRA tool suite |
| 53 D, 69 D, 631 S, 652 S | Fully implemented | ||||||
| Parasoft C/C++test | 9.5 | BD-BP-NOTINIT | Fully implemented | ||||||
| Parasoft Insure++ | Runtime analysis | ||||||||
| Polyspace Bug Finder | R2016a | Pointer not initialized before dereference Variable not initialized before use | |||||||
| PRQA QA-C |
| 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978 | Fully implemented | ||||||
| PRQA QA-C++ |
| 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978 | |||||||
| Splint | 3.1.1 | ||||||||
| RuleChecker |
| uninitialized-local-read uninitialized-variable-use | Partially checked |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C Secure Coding Standard | MSC00-C. Compile cleanly at high warning levels MSC01-C. Strive for logical completeness |
| SEI CERT C++ Coding Standard | EXP53-CPP. Do not read uninitialized memory |
| ISO/IEC TR 24772:2013 | Initialization of Variables [LAV] |
| ISO/IEC TS 17961 | Referencing uninitialized memory [uninitref] |
| MITRE CWE | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-123, Write-what-where Condition CWE-125, Out-of-bounds Read CWE-665, Improper Initialization |
Bibliography
| [Flake 2006] | |
| [ISO/IEC 9899:2011] | Subclause 6.7.9, "Initialization" Subclause 6.2.6.1, "General" Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators" |
| [Mercy 2006] | |
| [VU#925211] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...