Local, automatic variables can assume unexpected values if they are used before they are initialized. The C standard specifiesStandard specifies, "If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate" [ISO/IEC 9899:2011]. (See also undefined behavior 11 of in Annex J.)
In the common case, on implementations that make use of a program stack, this value defaults to whichever values are currently stored in stack memory. While uninitialized Uninitialized memory often contains zeros, this contains—but is not guaranteed to contain—zeros. Uninitialized memory has indeterminate value, which for objects of some types can be a trap representation. Reading uninitialized memory is undefined behavior, (See see undefined behavior 10 of in Annex J .of the C Standard), it can cause a program to behave in an unexpected manner , and provide an avenue for attack.
...
A much simpler, less error prone, and better-performing compliant solution is shown here:
...
In this noncompliant code example, the function mbrlen() is passed the address of an automatic mbstate_t object that has not been properly initialized, leading to undefined behavior. See undefined behavior behavior 200 in Annex J of C11 the C Standard [ISO/IEC 9899:2011].
| Code Block | ||||
|---|---|---|---|---|
| ||||
void f(const char *mbs) {
size_t len;
mbstate_t state;
len = mbrlen(mbs, strlen(mbs), &state);
/* ... */
}
|
...
In this noncompliant code example, the process idID, time of day, and uninitialized memory junk is used to seed a random number generator. This behavior is characteristic of some distributions derived from Debian that use uninitialized memory as a source of entropy because the value stored in junk is indeterminate. However, because accessing indeterminate values is undefined behavior, compilers may optimize out the uninitialized variable access completely, leaving only the time and process id, ID and resulting in a loss of desired entropy.
...
For this noncompliant code example, OS X 10.6 retains the junk value, while but OS X 10.7 and OS X 10.8 do not.
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 57 D | Fully implemented. | |||||||
| Fortify SCA | Can detect violations of this rule, but will return false positives if the initialization was done in another function. | ||||||||
| Splint | V. 3.1.1 | ||||||||
| GCC | V 4.3.5 | Can detect some violations of this rule when the -Wuninitialized flag is used. | |||||||
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well. | ||||||||
| V. 5.0 | NO_EFFECT | Can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a struct. Because Coverity Prevent cannot discover all violations of this rule, further verification is necessary. | |||||||
| V. 9.1 | UNINIT.HEAP.MIGHT | ||||||||
| PRQA QA-C |
| 2961 (D) 2962 (A) 2963 (S) 2971 (D) 2972 (A) | Fully implemented. |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this recommendation. Some versions of SAMBA (up to 3.3.5) call a function which takes in two potentially unitiliazed variables involving access rights. An attacker can exploit this to bypass the access control list and gain access to protected files [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
| TR 17961 | (Draft) Referencing uninitialized memory [uninitref] |
| ISO/IEC TR 24772 |
...
| Initialization of variables |
...
| [LAV] |
Bibliography
| [Flake 2006] | |
|---|---|
| [ISO/IEC 9899:2011] | Section 6.7.9, "Initialization" |
| [Mercy 2006] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...