Local, automatic variables can assume unexpected values if they are used before they are initialized. C99 specifies, "If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate" [[ISO/IEC 9899:1999]] (see also bullet 10 of Appendix J). In the common case, on architectures that make use of a program stack, this value defaults to whichever values are currently stored in stack memory. While uninitialized memory often contains zeroes, this is not guaranteed. On architectures that include trap representations, reading an uninitialized object of any type other than unsigned char
(i.e., including int
) may trigger a trap (see bullet 11 of Appendix J). Consequently, uninitialized memory can cause a program to behave in an unpredictable or unplanned manner, lead to undefined behavior , and may provide an avenue for attack.
Additionally, memory allocated by functions such as malloc()
should not be used before being initialized as its contents are indeterminate.
In most cases, compilers warn about uninitialized variables. These warnings should be resolved as recommended by MSC00-C. Compile cleanly at high warning levels.
Noncompliant Code Example
In this noncompliant code example, the set_flag()
function is intended to set the variable sign
to 1
if number
is positive and -1
if number
is negative. However, the programmer neglected to account for number
being 0
. If number
is 0
, then sign
remains uninitialized. Because sign
is uninitialized, and again assuming that the architecture makes use of a program stack, it uses whatever value is at that location in the program stack. This may lead to unexpected or otherwise incorrect program behavior.
void set_flag(int number, int *sign_flag) { if (sign_flag == NULL) { return; } if (number > 0) { *sign_flag = 1; } else if (number < 0) { *sign_flag = -1; } } void func(int number) { int sign; set_flag(number, &sign); /* use sign */ }
Compilers assume that when the address of an uninitialized variable is passed to a function, the variable is initialized within that function. Because compilers frequently fail to diagnose any resulting failure to initialize the variable, the programmer must apply additional scrutiny to ensure the correctness of the code.
Implementation Details
Microsoft Visual Studio 2005, Visual Studio 2008, GCC version 3.4.4, and GCC version 4.1.3 fail to diagnose this error.
Compliant Solution
This defect results from a failure to consider all possible data states (see MSC01-C. Strive for logical completeness). Once the problem is identified, it can be trivially repaired by accounting for the possibility that number
can be equal to 0.
void set_flag(int number, int *sign_flag) { if (sign_flag == NULL) { return; } if (number >= 0) { /* account for number being 0 */ *sign_flag = 1; } else { assert(number < 0); *sign_flag = -1; } } void func(int number) { int sign; set_flag(number, &sign); /* use sign */ }
Noncompliant Code Example
In this noncompliant code example, the programmer mistakenly fails to set the local variable error_log
to the msg
argument in the report_error()
function [[mercy 06]]. Because error_log
has not been initialized, on architectures making use of a program stack, it assumes the value already on the stack at this location, which is a pointer to the stack memory allocated to the password
array. The sprintf()
call copies data in password
until a null byte is reached. If the length of the string stored in the password
array is greater than the size of the buffer
array, then a buffer overflow occurs.
#include <stdio.h> #include <ctype.h> #include <string.h> int do_auth(void) { char *username; char *password; /* Get username and password from user, return -1 if invalid */ } void report_error(const char *msg) { const char *error_log; char buffer[24]; sprintf(buffer, "Error: %s", error_log); printf("%s\n", buffer); } int main(void) { if (do_auth() == -1) { report_error("Unable to login"); } return 0; }
Noncompliant Code Example
In this noncompliant code example, the report_error()
function has been modified so that error_log
is properly initialized.
void report_error(const char *msg) { const char *error_log = msg; char buffer[24]; sprintf(buffer, "Error: %s", error_log); printf("%s\n", buffer); }
This solution is still problematic in that a buffer overflow will occur if the null-terminated byte string referenced by msg
is greater than 17 bytes, including the NULL terminator. The solution also makes use of a "magic number," which should be avoided (see DCL06-C. Use meaningful symbolic constants to represent literal values in program logic).
Compliant Solution
In this solution, the magic number is abstracted and the buffer overflow is eliminated.
enum {max_buffer = 24}; void report_error(const char *msg) { const char *error_log = msg; char buffer[max_buffer]; snprintf(buffer, sizeof(buffer), "Error: %s", error_log); printf("%s\n", buffer); }
Compliant Solution
A much simpler, less error prone, and better performing compliant solution is shown here:
void report_error(const char *msg) { printf("Error: %s\n", msg); }
Risk Assessment
Accessing uninitialized variables generally leads to unexpected program behavior. In some cases these types of flaws may allow the execution of arbitrary code.
VU#925211 in the OpenSSL package for Debian Linux, and other distributions derived from Debian, is said to reference uninitialized memory. One might say that uninitialized memory caused the vulnerability, but not directly. The original OpenSSL code used uninitialized memory as an additional source of randomness to an already-randomly-generated key. This generated good keys, but caused the code-auditing tools Valgrind and Purify to issue warnings. Debian tried to fix the warnings with two changes. One actually eliminated the uninitialized memory access, but the other weakened the randomness of the keys.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP33-C |
high |
probable |
medium |
P12 |
L1 |
Automated Detection
The LDRA tool suite Version 7.6.0 can detect violations of this rule.
Fortify SCA Version 5.0 can detect violations of this rule, but will return false positives if the initialization was done in another function.
Splint Version 3.1.1 can detect violations of this rule.
GCC Compiler Version 4.4.0 can detect some violations of this rule when the -Wuninitialized
flag is used.
Compass/ROSE automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well.
The Coverity Prevent UNINIT checker can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a struct
. Because Coverity Prevent cannot discover all violations of this rule further verification is necessary.
Klocwork Version 8.0.4.16 can detect violations of this rule with the UNINIT.HEAP.MIGHT, UNINIT.HEAP.MUST, UNINIT.STACK.ARRAY.MIGHT, UNINIT.STACK.ARRAY.MUST, UNINIT.STACK.ARRAY.PARTIAL.MUST, and UNINIT.STACK.MUST checkers.
Related Vulnerabilities
CVE-2009-1888 results from a violation of this recommendation. Some versions of SAMBA (up to 3.3.5) call a function which takes in two potentially unitiliazed variables involving access rights. An attacker can exploit this to bypass the access control list and gain access to protected files [xorl 2009].
Searchfor vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as EXP33-CPP. Do not reference uninitialized memory.
References
[[Flake 06]]
[[ISO/IEC 9899:1999]] Section 6.7.8, "Initialization"
[[ISO/IEC PDTR 24772]] "LAV Initialization of Variables"
[[mercy 06]]
[[xorl 2009]] "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read"
EXP32-C. Do not access a volatile object through a non-volatile reference 03. Expressions (EXP)