Local, automatic variables assume unexpected values if they are read before they are initialized. The The C Standard, 6.7.911, paragraph 1011, specifies [ISO/IEC 9899:20112024]
If an object that has automatic storage duration is not initialized explicitly, its value representation is indeterminate.
...
Additionally, some dynamic memory allocation functions do not initialize the contents of the memory they allocate.
Function | Initialization |
---|---|
| Does not perform initialization |
| Zero-initializes allocated memory |
| Does not perform initialization |
| Copies contents from original pointer; may not initialize all memory |
Uninitialized automatic variables or dynamically allocated memory has indeterminate values, which for objects of some types, can be a trap representation. Reading such trap representations is undefined behavior; it can cause a program to behave in an unexpected manner and provide an avenue for attack. (See undefined behavior 10 and undefined behavior 12.) In many cases, compilers issue a warning diagnostic message when reading uninitialized variables. (See MSC00-C. Compile cleanly at high warning levels for more information.)
...
The realloc()
function changes the size of a dynamically allocated memory object. The initial size
bytes of the returned memory object are unchanged, but any newly added space is uninitialized, and its value is indeterminate. As in the case of malloc()
, accessing memory beyond the size of the original object is undefined behavior 181186.
It is the programmer's responsibility to ensure that any memory allocated with malloc()
and realloc()
is properly initialized before it is used.
...
EXP33-C-EX1: Reading uninitialized memory by an lvalue of type unsigned char
that could not have been declared with the register
storage class does not trigger undefined behavior. The unsigned char
type is defined to not have a trap representation, which allows for moving bytes without knowing if they are initialized. (See the C Standard, 6.2.6.1, paragraph 3.) However, ) The requirement that register
could not have been used (not merely that it was not used) is because on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized. The C Standard, 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.
...
Reading uninitialized variables for creating entropy is problematic because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP33-C | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
|
|
|
uninitialized-local-read uninitialized-variable-use | Fully checked | ||||||||
Axivion Bauhaus Suite |
| CertC-EXP33 | |||||||
CodeSonar |
| LANG.MEM.UVAR | Uninitialized variable | ||||||
Compass/ROSE |
Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | |||
Coverity |
| UNINIT |
Fully implemented
Can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a struct
(Because Coverity Prevent cannot discover all violations of this rule, further verification is necessary.)
Implemented |
Cppcheck |
| uninitvar | Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.) | ||||||
Cppcheck Premium |
Can detect some violations of this rule when the -Wuninitialized
flag is used
UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST
53 D, 69 D, 631 S, 652 S
Fully implemented
Pointer not initialized before dereference
Variable not initialized before use
Related Vulnerabilities
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C Secure Coding Standard | MSC00-C. Compile cleanly at high warning levels MSC01-C. Strive for logical completeness |
SEI CERT C++ Coding Standard | EXP53-CPP. Do not read uninitialized memory |
ISO/IEC TR 24772:2013 | Initialization of Variables [LAV] |
ISO/IEC TS 17961 | Referencing uninitialized memory [uninitref] |
MITRE CWE | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-123, Write-what-where Condition CWE-125, Out-of-bounds Read CWE-665, Improper Initialization |
Bibliography
| uninitvar uninitdata uninitstring uninitMemberVar uninitStructMember | Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.) There are FN compared to some other tools because Cppcheck tries to avoid FP in impossible paths. | |||||||
GCC | 4.3.5 | Can detect some violations of this rule when the | |||||||
Helix QAC |
| DF2726, DF2727, DF2728, DF2961, DF2962, DF2963, DF2966, DF2967, DF2968, DF2971, DF2972, DF2973, DF2976, DF2977, DF2978 | Fully implemented | ||||||
Klocwork |
| UNINIT.HEAP.MIGHT | Fully implemented | ||||||
LDRA tool suite |
| 53 D, 69 D, 631 S, 652 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-EXP33-a | Avoid use before initialization | ||||||
Parasoft Insure++ |
| Runtime analysis | |||||||
PC-lint Plus |
| 530, 603, 644, 901 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered | |||||||
PVS-Studio |
| V573, V614, V670, V679, V1050 | |||||||
RuleChecker |
| uninitialized-local-read | Partially checked | ||||||
Splint | 3.1.1 | ||||||||
TrustInSoft Analyzer |
| initialisation | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | MSC00-C. Compile cleanly at high warning levels | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT C Secure Coding Standard | MSC01-C. Strive for logical completeness | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT C | EXP53-CPP. Do not read uninitialized memory | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Initialization of Variables [LAV] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Referencing uninitialized memory [uninitref] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-456 | 2017-07-05: CERT: Exact |
CWE 2.11 | CWE-457 | 2017-07-05: CERT: Exact |
CWE 2.11 | CWE-758 | 2017-07-05: CERT: Rule subset of CWE |
CWE 2.11 | CWE-908 | 2017-07-05: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-119 and EXP33-C
- Intersection( CWE-119, EXP33-C) = Ø
- EXP33-C is about reading uninitialized memory, but this memory is considered part of a valid buffer (on the stack, or returned by a heap function). No buffer overflow is involved.
CWE-676 and EXP33-C
- Intersection( CWE-676, EXP33-C) = Ø
- EXP33-C implies that memory allocation functions (e.g., malloc()) are dangerous because they do not initialize the memory they reserve. However, the danger is not in their invocation, but rather reading their returned memory without initializing it.
CWE-758 and EXP33-C
Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( EXP33-C, list) where list =
- Undefined behavior that results from anything other than reading uninitialized memory
CWE-665 and EXP33-C
Intersection( CWE-665, EXP33-C) = Ø
CWE-665 is about correctly initializing items (usually objects), not reading them later. EXP33-C is about reading memory later (that has not been initialized).
CWE-908 and EXP33-C
CWE-908 = Union( EXP33-C, list) where list =
- Use of uninitialized items besides raw memory (objects, disk space, etc)
New CWE-CERT mappings:
CWE-123 and EXP33-C
Intersection( CWE-123, EXP33-C) = Ø
EXP33-C is only about reading uninitialized memory, not writing, whereas CWE-123 is about writing.
CWE-824 and EXP33-C
EXP33-C = Union( CWE-824, list) where list =
- Read of uninitialized memory that does not represent a pointer
Bibliography
[Flake 2006] | |
[ISO/IEC 9899:2024] | Subclause 6.7.11 |
, "Initialization" Subclause 6.2.6.1, "General" Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators" |
[Mercy 2006] |
[VU#925211] |
[Wang 2012] | "More Randomness or Less" |
[xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...
...