SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 48

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 49

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The C Standard, subclause 6.7.2.1, discusses the layout of structure fields. It specifies that non-bit-field members are aligned in an implementation-defined manner , and that there may be padding within or at the end of a structure.   Furthermore, initializing the members of the structure does not guarantee initialization of the padding bytes. The C Standard, subclause 6.2.6.1 paragraph 1, paragraph 6 [ISO/IEC 9899:2011], states:

...

This noncompliant code example runs in kernel space , and copies data from struct test to user space. However, padding bytes may be used within the structure, for example, to ensure the proper alignment of the structure members.   These padding bytes may contain sensitive information, which may then be leaked when the data is copied to user space.

...

However, compilers are free to implement arg.b = 2 by setting the low byte of a 32-bit register to 2, leaving the high bytes unchanged, and storing all 32 - bits of the register into memory. This could leak the high-order bytes resident in the register to a user.

...

This code ensures that no uninitialized padding bytes are copied to unprivileged users.   Note that structured structure copied to user space is now a packed structure , and that the copy_to_user() function would need to unpack it to recreate re-create the original padded structure.

...

Padding bytes can be explicitly declared as fields within the structure, however this . This solution is not portable, however, because it depends on the implementation and target memory architecture. The following solution is specific to the x86-32 architecture:

...

The C Standard static_assert() macro accepts a constant expression and an error message. The expression is evaluated at compile time, and, if false, the compilation is terminated and the error message is output. See DCL03-C. Use a static assertion to test the value of a constant expression for more details.   The explicit insertion of the padding bytes into the struct should ensure that no additional padding bytes are added by the compiler, and consequently both static_assert expressions should be true. However, it is necessary to validate these assumptions to ensure the safety of the solution for a particular implementation.

...

GCC allows specifying declaration attributes using the keyword __attribute__((__packed__)). When this attribute is present, the compiler will not add padding bytes for memory alignment , unless otherwise required to by the _Alignas alignment specifier, and it will attempt to place fields at adjacent memory offsets when possible.

...

Microsoft Visual Studio  supports #pragma pack() to attempt to suppress padding bytes [MSDN]. The compiler will add padding bytes for memory alignment depending on the current packing mode , but still honors alignment specified by __declspec(align()).   In this compliant solution, the packing mode is set to one 1 in an attempt to ensure all fields are given adjacent offsets.:

Code Block
bgColor#CCCCFF
borderStylesolid
#include <stddef.h>

#pragma pack(push, 1) /* 1 byte */
struct test {
  int a;
  char b;
  int c;
};
#pragma pack(pop)
 
/* Safely copy bytes to user space */
extern int copy_to_user(void *dest, void *src, size_t size);

void do_stuff(void *usr_buf) {
  struct test arg = {1, 2, 3};
  copy_to_user(usr_buf, &arg, sizeof(arg));
}

...

Padding bytes might contain sensitive data because the C Standard allows any padding bytes can to take unspecified values. A pointer to such a structure could be passed to other functions, causing information leakage.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL39-C

Low

Unlikely

High

P1

L3

Related Vulnerabilities

There have been numerious Numerous vulnerabilities in the Linux Kernel resulting have resulted from violations of this rule.   CVE-2010-4083 describes a vulnerability where in which the semctl system call allows unprivileged users to read uninitialized kernel stack memory, because various fields of a semid_ds struct declared on the stack are not altered or zeroed before being copied back to the user. CVE-2010-3881 describes a vulnerability where in which structure padding and reserved fields in certain data structures in QEMU-KVM were not initialized properly before being copied to user - space. A privileged host user with access to /dev/kvm could use this flaw to leak kernel stack memory to user - space. CVE-2010-3477 described describes a kernel information leak in act_police where incorrectly initialized structures in the traffic-control dump code may allow the disclosure of kernel memory to userspace user space applications.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...