Versions Compared

The C Standard, subclause 6.7.2.1, discusses the layout of structure fields. It specifies that non-bit-field members are aligned in an implementation-defined manner and that there may be padding within or at the end of a structure. Furthermore, initializing the members of the structure does not guarantee initialization of the padding bytes. The C Standard, subclause 6.2.6.1, paragraph 6 [ISO/IEC 9899:2011], states:

...

When passing a pointer to a structure across a trust boundary to a different trusted domain, programmers must ensure that the padding bytes of these structures do not contain sensitive information.

...

The C Standard static_assert() macro accepts a constant expression and an error message. The expression is evaluated at compile time and, if false, the compilation is terminated and the error message is output (see DCL03-C. Use a static assertion to test the value of a constant expression for more details). The explicit insertion of the padding bytes into the struct should ensure that no additional padding bytes are added by the compiler, and consequently both static_assert expressions should be true. However, it is necessary to validate these assumptions to ensure that the solution is correct for a particular implementation.
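The following is an added example, not code from the CERT page: it lays out a structure with explicit padding members, uses static_assert to validate the resulting offsets and size on the implementation at hand, and contrasts member-only initialization with zeroing the whole object before the data leaves the trusted domain. The struct session_view, its fields, and the 0xAA sentinel that stands in for stale stack contents are constructed for this illustration; the code assumes a C11 compiler and a target on which uint32_t needs at most 4-byte alignment (if the static assertions fail, that is precisely the validation the text calls for).

```c
#include <assert.h>   /* static_assert (C11) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record handed to a less trusted domain. Every gap that the
 * natural alignment of the members would leave is filled with a named
 * array, so the layout, and the bytes that need clearing, are explicit. */
struct session_view {
    uint32_t session_id;  /* offset 0  */
    uint8_t  flags;       /* offset 4  */
    uint8_t  pad1[3];     /* offsets 5..7: explicit padding before expires_at */
    uint32_t expires_at;  /* offset 8  */
    uint16_t port;        /* offset 12 */
    uint8_t  pad2[2];     /* offsets 14..15: explicit tail padding */
};

/* Validate the assumption that the compiler added no padding of its own.
 * Assumes uint32_t needs at most 4-byte alignment on the target. */
static_assert(offsetof(struct session_view, expires_at) == 8,
              "unexpected padding before expires_at");
static_assert(offsetof(struct session_view, port) == 12,
              "unexpected padding before port");
static_assert(sizeof(struct session_view) == 16,
              "unexpected padding at end of session_view");

/* Non-compliant pattern: assigning only the named data members leaves
 * pad1 and pad2 (and any implicit padding) holding whatever the memory
 * held before. */
void init_members_only(struct session_view *v, uint32_t id, uint8_t flags,
                       uint32_t expires_at, uint16_t port)
{
    v->session_id = id;
    v->flags = flags;
    v->expires_at = expires_at;
    v->port = port;
}

/* Compliant pattern: clear the whole object first, then assign members. */
void init_zeroed(struct session_view *v, uint32_t id, uint8_t flags,
                 uint32_t expires_at, uint16_t port)
{
    memset(v, 0, sizeof *v);
    v->session_id = id;
    v->flags = flags;
    v->expires_at = expires_at;
    v->port = port;
}

/* Audit helper: number of explicit padding bytes that are not zero. */
size_t dirty_padding_bytes(const struct session_view *v)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof v->pad1; i++) n += (v->pad1[i] != 0);
    for (size_t i = 0; i < sizeof v->pad2; i++) n += (v->pad2[i] != 0);
    return n;
}

/* Each demo fills the object with 0xAA first, a constructed stand-in for
 * stale stack contents, so the effect is deterministic. */
size_t demo_members_only(void)
{
    struct session_view v;
    memset(&v, 0xAA, sizeof v);
    init_members_only(&v, 42, 1, 1700000000u, 443);
    return dirty_padding_bytes(&v);  /* 5: pad1[3] + pad2[2] still hold 0xAA */
}

size_t demo_zeroed(void)
{
    struct session_view v;
    memset(&v, 0xAA, sizeof v);
    init_zeroed(&v, 42, 1, 1700000000u, 443);
    return dirty_padding_bytes(&v);  /* 0 */
}

int main(void)
{
    printf("members only: %zu dirty padding bytes\n", demo_members_only());
    printf("zeroed first: %zu dirty padding bytes\n", demo_zeroed());
    return 0;
}
```

The memset in init_zeroed is what makes the copy-out safe; the static assertions only confirm that the explicit pad arrays account for every byte of the object, so that the audit in dirty_padding_bytes inspects all of the padding there is.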

...

Microsoft Visual Studio supports #pragma pack() to attempt to suppress padding bytes [MSDN]. The compiler will add padding bytes for memory alignment depending on the current packing mode but still honors alignment specified by __declspec(align()). In this compliant solution, the packing mode is set to 1 in an attempt to ensure all fields are given adjacent offsets:
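As an added example (not the page's compliant solution), the packing approach with its assumption checked rather than trusted: the same members are declared once with natural layout and once in packing mode 1, a static assertion fails the build if the packed object still contains any byte that is not a member byte, and the unaligned 32-bit member is read through memcpy. The struct names hdr_natural and hdr_packed are constructed; the code assumes a C11 compiler that honors #pragma pack(push, 1) / #pragma pack(pop), which MSVC, GCC and Clang all accept.

```c
#include <assert.h>   /* static_assert (C11) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header type. With natural alignment the compiler may insert
 * padding after 'kind' so that 'length' is suitably aligned; how much is
 * implementation-defined. */
struct hdr_natural {
    uint16_t magic;
    uint8_t  kind;
    uint32_t length;
};

/* The same members in packing mode 1. Assumption: the compiler honors
 * #pragma pack(push, 1) / #pragma pack(pop). */
#pragma pack(push, 1)
struct hdr_packed {
    uint16_t magic;
    uint8_t  kind;
    uint32_t length;
};
#pragma pack(pop)

#define HDR_MEMBER_BYTES (sizeof(uint16_t) + sizeof(uint8_t) + sizeof(uint32_t))

/* Do not trust the pragma: fail the build if padding is still present. */
static_assert(sizeof(struct hdr_packed) == HDR_MEMBER_BYTES,
              "hdr_packed contains padding on this implementation");
static_assert(offsetof(struct hdr_packed, length) == 3,
              "length is not at byte offset 3");

/* Run-time form of the same check, e.g. for a start-up self-test. */
int hdr_packed_has_padding(void)
{
    return sizeof(struct hdr_packed) != HDR_MEMBER_BYTES;
}

/* How many padding bytes the natural layout carries on this implementation. */
size_t hdr_natural_padding_bytes(void)
{
    return sizeof(struct hdr_natural) - HDR_MEMBER_BYTES;
}

/* Packing removes the alignment guarantee for 'length'. Read it with memcpy
 * at its byte offset rather than through a uint32_t pointer that may be
 * misaligned. */
uint32_t hdr_packed_length(const struct hdr_packed *h)
{
    uint32_t len;
    memcpy(&len, (const unsigned char *)h + offsetof(struct hdr_packed, length),
           sizeof len);
    return len;
}

/* Build a header. Every byte of the object is a member byte, and every
 * member is assigned, so nothing stale remains to be copied out. */
struct hdr_packed hdr_packed_make(uint16_t magic, uint8_t kind, uint32_t length)
{
    struct hdr_packed h;
    h.magic = magic;
    h.kind = kind;
    h.length = length;
    return h;
}

int main(void)
{
    struct hdr_packed h = hdr_packed_make(0xCAFE, 2, 1234);
    printf("packed: %zu bytes, natural: %zu bytes (%zu padding)\n",
           sizeof h, sizeof(struct hdr_natural), hdr_natural_padding_bytes());
    printf("length read via memcpy: %u\n", (unsigned)hdr_packed_length(&h));
    return 0;
}
```

The price of packing is visible in hdr_packed_length: once members are no longer naturally aligned, taking a uint32_t pointer to one of them is no longer safe on every target, so reads and writes of such members go through memcpy or the member itself (which the compiler knows is packed), never through a plain pointer to the member.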

...

Padding bytes might contain sensitive data because the C Standard allows any padding bytes to take unspecified values. A pointer to such a structure could be passed to other functions, causing information leakage.

...

Numerous vulnerabilities in the Linux Kernel have resulted from violations of this rule. CVE-2010-4083 describes a vulnerability in which the semctl() system call allows unprivileged users to read uninitialized kernel stack memory, because various fields of a semid_ds struct declared on the stack are not altered or zeroed before being copied back to the user. CVE-2010-3881 describes a vulnerability in which structure padding and reserved fields in certain data structures in QEMU-KVM were not initialized properly before being copied to user space. A privileged host user with access to /dev/kvm could use this flaw to leak kernel stack memory to user space. CVE-2010-3477 describes a kernel information leak in act_police where incorrectly initialized structures in the traffic-control dump code may allow the disclosure of kernel memory to user space applications.

...

Bibliography

[ISO/IEC 9899:2011] Subclause 6.2.6.1, "General"
                    Subclause 6.7.2.1, "Structure and Union Specifiers"
[Graff 2003]
[Sun 1993]

...