...
Compliant Solution
In this compliant solution, the magic number is abstracted, and the buffer overflow is eliminated.
...
Noncompliant Code Example (mbstate_t)
In the this noncompliant code example below, the function mbrlen() is passed the address of an automatic mbstate_t object that has not been properly initialized, leading to undefined behavior. See undefined behavior 200 in Annex J of C11 [ISO/IEC 9899:2011].
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
void f(const char *mbs) {
size_t len;
mbstate_t state;
memset(&state, 0, sizeof state);
len = mbrlen(mbs, strlen(mbs), &state);
/* ... */
}
|
Noncompliant Code Example (Entropy)
In this noncompliant code example, the process id, time of day, and uninitialized memory junk is used to seed a random number generator. This is characteristic of some distributions derived from Debian that use uninitialized memory as a source of randomness. Although the unpredictable property of junk is desired, the problem here is that some compilers will actually entropy because the value stored in junk is indeterminate. However, because accessing indeterminate values is undefined behavior, compilers may optimize out the uninitialized variable access completely, leaving only the time and process id, and resulting in a loss of desired entropy.
| Code Block | ||||
|---|---|---|---|---|
| ||||
struct timeval tv; unsigned long junk; gettimeofday(&tv, NULL); srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec ^ junk); |
While operating systems like OS X 10.6 keep the junk value, other systems like OS X 10.7 or 10.8 do not. The same code, when viewed in machine assembly, optimizes out the junk value leaving only the time and process id. In security protocols that rely on unpredictability like , such as RSA encryption, a loss in entropy results in a less secure system [Wang 2012].
Implementation Details
For this noncompliant code example, OS X 10.6 retains the junk value, while OS X 10.7 and OS X 10.8 do not.
Compliant Solution
...
(Entropy)
The previous noncompliant code example This can be solved by using a more reliable source for random number generation. This compliant solution uses the CPU clock in addition to the Realreal-Time time clock to seed the random number generator.
...
Accessing uninitialized variables generally leads to is undefined behavior and can result in unexpected program behavior. In some cases, these types of security flaws may allow the execution of arbitrary code.Distributions derived from Debian, particularly
VU#925211 in the OpenSSL package for Debian Linux, are said to reference uninitialized memory. One might say that uninitialized memory causes the vulnerability, but this is not entirely true. The original OpenSSL code uses uninitialized memory as an additional source of randomness to an already randomly generated key. This generates good keys, but also causes the code-auditing tools Valgrind and Purify to issue warnings. Debian tries to fix the warnings with two changes. One actually eliminates the uninitialized memory access, but the other weakens the randomness of the keys. Weakening the randomness makes the key more predictable and causes a loss of securityUsing uninitialized variables for creating entropy is problematic, because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP33-C | high | probable | medium | P12 | L1 |
...
CVE-2009-1888 results from a violation of this recommendation. Some versions of SAMBA (up to 3.3.5) call a function which takes in two potentially unitiliazed variables involving access rights. An attacker can exploit this to bypass the access control list and gain access to protected files [xorl 2009].
Searchfor Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Bibliography
[Flake 2006]
[Mercy 2006]
[[Wang 2012] "More Randomness or Less"
[xorl 2009] "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read"
...