Versions Compared


Local, automatic variables assume unexpected values if they are read before they are initialized. The C Standard, 6.7.9, paragraph 10, specifies [ISO/IEC 9899:2011]:

If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate.

...

Uninitialized automatic variables or dynamically allocated memory have indeterminate values, which for objects of some types can be a trap representation. Reading such trap representations is undefined behavior (see undefined behavior 10 and undefined behavior 12); it can cause a program to behave in an unexpected manner and provide an avenue for attack. In many cases, compilers issue a warning diagnostic message when reading uninitialized variables. (See MSC00-C. Compile cleanly at high warning levels for more information.)

Noncompliant Code Example (Return-by-Reference)

...

This defect results from a failure to consider all possible data states. (See MSC01-C. Strive for logical completeness for more information.)
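The following is an added illustration of the return-by-reference defect, not the page's own (elided) code. The hypothetical functions set_sign_incomplete and set_sign are assumptions made for this example: the first writes through its out-parameter only for strictly positive and strictly negative inputs, so the data state "zero" is never covered and a caller that passes 0 would read an indeterminate local; the second handles every state, and the callers initialize the local before taking its address so that even an incomplete callee cannot leave it indeterminate.

```c
#include <stddef.h>

/* Hypothetical callee (example code, not from the page): the data state
 * number == 0 is not considered, so *sign is left untouched for it. */
void set_sign_incomplete(int number, int *sign) {
  if (sign == NULL) return;
  if (number > 0) *sign = 1;
  else if (number < 0) *sign = -1;
}

/* Logically complete callee: every input writes exactly one output. */
void set_sign(int number, int *sign) {
  if (sign == NULL) return;
  if (number > 0) *sign = 1;
  else if (number < 0) *sign = -1;
  else *sign = 0;
}

/* Caller-side defense: the local is initialized before its address is
 * handed out, so the read after the call is never of an indeterminate
 * value, even though set_sign_incomplete skips the zero case. */
int is_negative_defensive(int number) {
  int sign = 0;  /* explicit initialization closes the gap */
  set_sign_incomplete(number, &sign);
  return sign < 0;
}

/* Preferred form: complete callee plus an initialized local. */
int is_negative(int number) {
  int sign = 0;
  set_sign(number, &sign);
  return sign < 0;
}
```

Either fix alone removes the undefined behavior; applying both follows MSC01-C (the callee covers every state) and EXP33-C (the caller never reads an uninitialized local).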

Compliant Solution (Return-by-Reference)

...

This example remains problematic because a buffer overflow will occur if the null-terminated byte string referenced by msg is greater than 17 characters, including the null terminator. (See STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator for more information.)
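As an added example of the STR31-C caveat above (not the page's own code), the hypothetical function format_error builds the "Error: " prefix plus a caller-supplied message into a fixed-size buffer with snprintf, so the write is bounded by the buffer size regardless of how long msg is, and the caller is told when the message did not fit. The buffer size and messages used in the test are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded formatter (example code, not from the page).
 * Writes at most dstsz bytes, always null-terminates when dstsz > 0,
 * and returns 0 on success or -1 if the result was truncated or the
 * arguments are invalid. */
int format_error(char *dst, size_t dstsz, const char *msg) {
  if (dst == NULL || dstsz == 0 || msg == NULL) return -1;
  /* snprintf returns the length the full string would have had; a value
   * >= dstsz means the output was cut short. */
  int n = snprintf(dst, dstsz, "Error: %s", msg);
  if (n < 0) {           /* encoding error: leave a valid empty string */
    dst[0] = '\0';
    return -1;
  }
  return (size_t)n < dstsz ? 0 : -1;
}
```

Checking the return value matters: a truncated error message is usually acceptable, but silently dropping part of it may hide the very condition being reported.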

Compliant Solution (Uninitialized Local)

...

In this noncompliant code example, described in "More Randomness or Less" [Wang 2012], the process ID, time of day, and uninitialized memory junk are used to seed a random number generator. This behavior is characteristic of some distributions derived from Debian Linux that use uninitialized memory as a source of entropy because the value stored in junk is indeterminate. However, because accessing an indeterminate value is undefined behavior, compilers may optimize out the uninitialized variable access completely, leaving only the time and process ID and resulting in a loss of the desired entropy.

...

EXP33-C-EX1: Reading uninitialized memory by an lvalue of type unsigned char does not trigger undefined behavior. The unsigned char type is defined to not have a trap representation (see the C Standard, 6.2.6.1, paragraph 3), which allows for moving bytes without knowing if they are initialized. However, on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized. The C Standard, 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.
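The following added example (not part of the original page) illustrates the exception: a struct whose padding bytes are never written is copied byte by byte through unsigned char lvalues. The struct layout and the hypothetical helper names copy_bytes and roundtrip_record are assumptions made for this example. Only the named fields are compared afterwards, because the padding bytes remain indeterminate in the copy as well.

```c
#include <stddef.h>

/* Constructed struct: on most ABIs `tag` is followed by padding bytes
 * that no assignment ever initializes. */
struct record {
  char tag;
  int value;
};

/* Moves n bytes through unsigned char lvalues. unsigned char has no trap
 * representation, so reading the uninitialized padding this way is
 * permitted by EXP33-C-EX1; the object's address is taken, so the
 * register-trap clause of 6.3.2.1 does not apply either. */
void copy_bytes(void *dst, const void *src, size_t n) {
  unsigned char *d = dst;
  const unsigned char *s = src;
  for (size_t i = 0; i < n; i++) {
    d[i] = s[i];
  }
}

/* Hypothetical round-trip check: copy a record and confirm the named
 * fields survive. Padding is deliberately not compared, since its
 * contents are indeterminate in both source and destination. */
int roundtrip_record(char tag, int value) {
  struct record a, b;
  a.tag = tag;
  a.value = value;
  copy_bytes(&b, &a, sizeof a);
  return b.tag == tag && b.value == value;
}
```

The same reasoning is what lets memcpy-style routines operate on partially initialized objects; reading the padding through any other type, or comparing whole structs with memcmp as if every byte were meaningful, is where the exception stops applying.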

...

Reading uninitialized variables for creating entropy is problematic, because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.

...