The C Standard, 6.7.3.2.1, discusses the layout of structure fields. It It specifies that non-bit-field members are aligned in an implementation-defined manner and that there may be padding within or at the end of a structure. Furthermore, initializing the members of the structure does not guarantee initialization of the padding bytes. The C Standard, 6.2.6.1, paragraph 6 [ISO/IEC 9899:20112024], states
When a value is stored in an object of structure or union type, including in a member object, the bytes of the object representation that correspond to any padding bytes take unspecified values (e.g. structure and union assignment may or may not copy any padding bits).
Additionally, the storage units in which a bit-field resides may also have padding bits. For an object with automatic storage duration, these padding bits do not take on specific values and can contribute to leaking sensitive information.
...
GCC allows specifying declaration attributes using the keyword __attribute__((__packed__)). When this attribute is present, the compiler will not add padding bytes for memory alignment unless an explicit alignment specifier for a structure member requires the introduction of padding bytes.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stddef.h>
struct test {
int a;
char b;
int c;
} __attribute__((__packed__));
/* Safely copy bytes to user space */
extern int copy_to_user(void *dest, void *src, size_t size);
void do_stuff(void *usr_buf) {
struct test arg = {.a = 1, .b = 2, .c = 3};
copy_to_user(usr_buf, &arg, sizeof(arg));
}
|
...
Padding units might contain sensitive data because the C Standard allows any padding to take unspecified values. A pointer to such a structure could be passed to other functions, causing information leakage.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
DCL39-C | Low | Unlikely | No | YesHigh | P1P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| function-argument-with-padding | Partially checked | ||||||
| Axivion Bauhaus Suite |
| CertC-DCL39 | Detects composite structures with padding, in particular those passed to trust boundary routines. | ||||||
| CodeSonar |
| MISC.PADDING.POTB | Padding Passed Across a Trust Boundary | ||||||
| Cppcheck Premium |
| premium-cert-dcl39-c | |||||||
| Helix QAC |
| DF4941, DF4942, DF4943 | Fully implemented | ||||||
| Klocwork |
| PORTING.STORAGE.STRUCT | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-DCL39-a | A pointer to a structure should not be passed to a function that can copy data to the user space | ||||||
| CERT C: Rule DCL39-C | Checks for information leak via structure padding | |||||||
| RuleChecker |
| function-argument-with-padding | Partially checked | ||||||
| Security Reviewer - Static Reviewer |
| C20, C21,C22, C23, C25 | Fully implemented |
Related Vulnerabilities
Numerous vulnerabilities in the Linux Kernel have resulted from violations of this rule. CVE-2010-4083 describes a vulnerability in which the semctl() system call allows unprivileged users to read uninitialized kernel stack memory because various fields of a semid_ds struct declared on the stack are not altered or zeroed before being copied back to the user.
...
Bibliography
| [ISO/IEC 9899:20112024] | 6.2.6.1, "General" 6.7.3.2.1, "Structure and Union Specifiers" |
| [Graff 2003] | |
| [Sun 1993] |
...