The C++ Standard, [basic.types], paragraph 9 [ISO/IEC 14882-2014], states:

The object representation of an object of type T is the sequence of N unsigned char objects taken up by the object of type T, where N equals sizeof(T). The value representation of an object is the set of bits that hold the value of type T.

Some types, such as integral types like int and wchar_t, have an object representation composed solely of the bits from the object's value representation. For such types, accessing any of the bits of the value representation is well-defined behavior. This allows a programmer to use byte-wise access of the object, such as by calling std::memcmp() on its object representation. Other types, such as classes, may not have an object representation composed solely of the bits from the object's value representation. For instance, classes may have bit-field data members, padding inserted between data members, a vtable pointer to support virtual method dispatch, or data members declared with different access privileges. For such types, accessing bits of the object representation that are not part of the object's value representation may result in undefined behavior depending on how those bits are accessed.

Do not access the bits of an object representation that are not part of the object's value representation. Even if the bits are accessed in a well-defined manner, such as through an array of unsigned char objects, the values represented by those bits are unspecified or implementation-defined, and reliance on any particular value can lead to abnormal program execution.

Noncompliant Code Example

In this noncompliant code example, the complete object representation is accessed when comparing two objects of type S. Per the C++ Standard, [class], paragraph 13 [ISO/IEC 14882-2014], classes may be padded with data to ensure that they are properly aligned in memory. The amount of padding added is implementation-defined, and the contents of the padding bytes are unspecified. This can lead to incorrect results when comparing the object representation of classes instead of the value representation: two objects whose members are equal may still differ in their padding bytes, so std::memcmp() may report them as unequal.

#include <cstring>
 
struct S {
  unsigned char buff_type;
  int size;
};
 
void f(const S &s1, const S &s2) {
  if (!std::memcmp(&s1, &s2, sizeof(S))) {
    // ...
  }
}
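The following program makes the padding problem observable. It is an added example, not code from the CERT page: it fills the raw storage of two S objects with different byte patterns before assigning identical member values, so the padding bytes (three of them on common 32- and 64-bit ABIs, where sizeof(S) is 8) differ while the value representations match. RawS, padding_bytes() and compare_both_ways() are names introduced here for illustration; the padding_bytes() guard keeps the result meaningful on a hypothetical platform where S has no padding at all.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

struct S {
  unsigned char buff_type;
  int size;
};

// Bytes of S that belong to no member: the padding the implementation inserts
// between buff_type and size (3 bytes on common 32/64-bit ABIs, 0 if none).
constexpr std::size_t padding_bytes() {
  return sizeof(S) - sizeof(unsigned char) - sizeof(int);
}

// Storage for one S whose padding bytes are known to hold `fill`. The buffer is
// filled first; placement new then default-initializes S (trivial, so nothing
// is written), and the member assignments touch only the members' own bytes.
// (Illustrative helper, not part of the original example.)
struct RawS {
  alignas(S) unsigned char bytes[sizeof(S)];
  S *obj;

  RawS(unsigned char fill, unsigned char type, int size) {
    std::memset(bytes, fill, sizeof bytes);
    obj = new (bytes) S;
    obj->buff_type = type;
    obj->size = size;
  }
};

struct CompareResult {
  bool by_memcmp;   // object representation compared with std::memcmp (noncompliant)
  bool by_members;  // value representation compared member by member (compliant)
};

// Build two S objects with identical member values but padding filled with
// fill1 and fill2 respectively, and compare them both ways.
CompareResult compare_both_ways(unsigned char fill1, unsigned char fill2) {
  RawS a(fill1, 'A', 42);
  RawS b(fill2, 'A', 42);
  CompareResult r;
  r.by_memcmp = std::memcmp(a.obj, b.obj, sizeof(S)) == 0;
  r.by_members = a.obj->buff_type == b.obj->buff_type &&
                 a.obj->size == b.obj->size;
  return r;
}

int main() {
  // Same padding contents: both comparisons agree that the objects are equal.
  CompareResult same = compare_both_ways(0x00, 0x00);
  // Different padding contents: memcmp reports "not equal" for equal values.
  CompareResult diff = compare_both_ways(0x00, 0xFF);
  bool ok = same.by_memcmp && same.by_members && diff.by_members &&
            (padding_bytes() == 0 || !diff.by_memcmp);
  return ok ? 0 : 1;
}
```

In real code the padding contents are not chosen by the programmer; they are whatever happened to be in memory before the object was written, so the memcmp-based f() above succeeds or fails depending on stack contents, heap reuse, or which constructor path ran.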

Compliant Solution

In this compliant solution, S overloads operator==() to perform a comparison of the value representation of the object.

struct S {  
  unsigned char buff_type;
  int size;
 
  friend bool operator==(const S &LHS, const S &RHS) {
    return LHS.buff_type == RHS.buff_type &&
           LHS.size == RHS.size;
  }
};
 
void f(const S &s1, const S &s2) {
  if (s1 == s2) {
    // ...
  }
}

Exceptions

EXP62-CPP-EX1: It is permissible to access the bits of an object representation when that access is otherwise unobservable in well-defined code. For instance, it is acceptable to call std::memcpy() on an object containing a bit-field, as in the following example, because the read and write of the padding bits cannot be observed.

#include <cstring>
 
struct S {
  int i : 10;
  int j;
};
 
void f(const S &s1) {
  S s2;
  // Copying the whole object representation also copies the padding bits
  // around the bit-field i, but nothing can later observe their value.
  std::memcpy(&s2, &s1, sizeof(S));
}

Risk Assessment

The effects of accessing bits of an object representation that are not part of the object's value representation can range from implementation-defined behavior (such as assuming the layout of fields with differing access controls) to code execution vulnerabilities (such as overwriting the vtable pointer).

Rule        Severity  Likelihood  Remediation Cost  Priority  Level
EXP62-CPP   High      Probable    High              P6        L2

Automated Detection

Tool  Version  Checker  Description
Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014]  Subclause 3.9, "Types"; Subclause 3.10, "Lvalues and Rvalues"; Clause 9, "Classes"
