...
In the common case of local, automatic variables stored on the program stack, their values default to whatever the stack memory happens to hold. Uninitialized memory often contains zeros, but it is not guaranteed to. Uninitialized memory has an indeterminate value, which for objects of some types can be a trap representation. Reading uninitialized memory through an lvalue of a type other than unsigned char is undefined behavior (see undefined behaviors 10 and 12 in Annex J of the C Standard); it can cause a program to behave in an unexpected manner and provides an avenue for attack.
...
```c
#include <time.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/time.h>   /* struct timeval and gettimeofday() */

void func(void) {
  double cpu_time;
  struct timeval tv;
  unsigned long junk;   /* declared but never initialized */

  cpu_time = ((double) clock()) / CLOCKS_PER_SEC;
  gettimeofday(&tv, NULL);
  /* junk is read while its value is indeterminate: undefined behavior.
     An indeterminate value also contributes no entropy that the
     implementation is obliged to preserve. */
  srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec ^ junk);
}
```
Exceptions
EXP33-EX1: Reading uninitialized memory of type unsigned char does not trigger undefined behavior. unsigned char is defined to not have a trap representation (C Standard, 6.2.6.1, paragraph 3), which allows bytes to be moved around without knowing whether they have been initialized. However, on some architectures, such as the Intel Itanium, registers carry a bit indicating whether they have been initialized. The C Standard, 6.3.2.1, paragraph 2, allows such implementations to trap on any reference to an uninitialized automatic object whose address is never taken (one that could have been held in a register), so the exception does not extend to that case.
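An added example, not from the page, showing what EXP33-EX1 does and does not buy. Copying an object byte by byte through unsigned char is permitted even when some of those bytes were never written, but the copy then carries whatever the stack previously held. The serializer below (`build_message`, `copy_bytes` and `tail_is_zero` are names chosen for this example) therefore makes every byte of its working buffer determinate before copying it out, so that the unwritten tail of a fixed-size message cannot leak earlier stack contents to the caller.

```c
#include <stddef.h>
#include <string.h>

#define MSG_MAX 16

/* Copy n bytes of an object's representation, accessed as unsigned char.
   Permitted by EXP33-EX1 even if some of those bytes are indeterminate. */
void copy_bytes(unsigned char *dst, const void *src, size_t n) {
  const unsigned char *s = (const unsigned char *)src;
  for (size_t i = 0; i < n; i++) {
    dst[i] = s[i];
  }
}

/* Build a fixed-size message from a payload of up to MSG_MAX bytes.
   Without the memset, the bytes past len would be indeterminate: copying
   them as unsigned char is not undefined behavior, but it would hand the
   caller whatever the stack held before buf was allocated. */
size_t build_message(unsigned char out[MSG_MAX], const char *payload, size_t len) {
  unsigned char buf[MSG_MAX];
  if (len > MSG_MAX) {
    len = MSG_MAX;
  }
  memset(buf, 0, sizeof buf);   /* every byte is now determinate */
  memcpy(buf, payload, len);
  copy_bytes(out, buf, sizeof buf);
  return len;
}

/* Returns 1 if every byte of out past len is zero, 0 otherwise. */
int tail_is_zero(const unsigned char out[MSG_MAX], size_t len) {
  for (size_t i = len; i < MSG_MAX; i++) {
    if (out[i] != 0) {
      return 0;
    }
  }
  return 1;
}
```

The check in `tail_is_zero` is what a reviewer would want to be able to rely on whenever a fixed-size buffer is copied out of a process, written to a file, or sent over a socket: the exception makes the byte copy legal, and the explicit initialization makes its content safe.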
Risk Assessment
Accessing uninitialized variables is undefined behavior and can result in unexpected program behavior. In some cases, these security flaws may allow the execution of arbitrary code.
...