Local, automatic variables assume unexpected values if they are read before they are initialized. The The C Standard, 6.7.911, paragraph 1011, specifies [ISO/IEC 9899:20112024]
If an object that has automatic storage duration is not initialized explicitly, its value representation is indeterminate.
...
In this noncompliant code example described in "More Randomness or Less" [Wang 2012], the process ID, time of day, and uninitialized memory junk is used to seed a random number generator. This behavior is characteristic of some distributions derived from Debian Linux that use uninitialized memory as a source of entropy because the value stored in junk is indeterminate. However, because accessing an indeterminate value is undefined behavior 11, compilers may optimize out the uninitialized variable access completely, leaving leaving only the time and process ID and resulting in a loss of desired entropy.
...
The realloc() function changes the size of a dynamically allocated memory object. The initial size bytes of the returned memory object are unchanged, but any newly added space is uninitialized, and its value is indeterminate. As in the case of malloc(), accessing memory beyond the size of the original object is undefined behavior 181186.
It is the programmer's responsibility to ensure that any memory allocated with malloc() and realloc() is properly initialized before it is used.
...
EXP33-C-EX1: Reading uninitialized memory by an lvalue of type unsigned char that could not have been declared with the register storage class does not trigger undefined behavior. The unsigned char type is defined to not have a trap representation, which allows for moving bytes without knowing if they are initialized. (See the C Standard, 6.2.6.1, paragraph 3.) However, ) The requirement that register could not have been used (not merely that it was not used) is because on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized. The C Standard, 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.
...
Reading uninitialized variables is undefined behavior 20 and can result in unexpected program behavior. In some cases, these security flaws may allow the execution of arbitrary code.
Reading uninitialized variables for creating entropy is problematic because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
EXP33-C | High | Probable | No | MediumYes | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| uninitialized-local-read uninitialized-variable-use | Fully checked | |||||||||||||||||||
| Axivion Bauhaus Suite |
| CertC-EXP33 | ||||||||||||||||||||
| CodeSonar |
| LANG.MEM.UVAR | Uninitialized variable | |||||||||||||||||||
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | |||||||||||||||||||||
| Coverity |
| UNINIT | Implemented | |||||||||||||||||||
| Cppcheck |
| uninitvar | Detects uninitialized ||||||||||||||||||||
| Cppcheck Premium |
| uninitvar uninitdata uninitstring uninitMemberVar uninitStructMember | variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.)||||||||||||||||||||
| GCC | 4.3.5 | Can detect some violations of this rule when the | ||||||||||||||||||||
| KlocworkHelix QAC |
| DF2726, DF2727, DF2728, DF2961, DF2962, DF2963, DF2966, DF2967, DF2968, DF2971, DF2972, DF2973, DF2976, DF2977, DF2978 | Fully implemented | |||||||||||||||||||
| Klocwork |
| UNINIT.UNINIT.HEAP.MIGHT | Fully implemented | |||||||||||||||||||
| LDRA tool suite |
| 53 D, 69 D, 631 S, 652 S | Fully implemented | |||||||||||||||||||
| Parasoft C/C++test |
| CERT_C-EXP33-a | Avoid use before initialization | |||||||||||||||||||
| Parasoft Insure++ |
| Runtime analysisPolyspace Bug Finder | ||||||||||||||||||||
| PC-lint Plus |
| Polyspace Bug Finder
| Polyspace Bug Finder
| 530, 603, 644, 901 | Fully supported | |||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered | Pointer not initialized before dereference Variable not initialized before use | PRQA QA-C | ||||||||||||||||||
| Include Page | PRQA QA-C_v | PRQA QA-C_v | 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978 | Fully implemented | PRQA QA-C++ | | Include Page | | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | |||||||||||||
| PVS-Studio |
| V573, V614, V670, V679, V1050 | ||||||||||||||||||||
| RuleChecker |
| uninitialized-local-read | Partially checked | |||||||||||||||||||
| Security Reviewer - Static Reviewer | 6.02 | C54 C55 C56 C57 C58 C59 C60 C61 C62 C63 | Fully implemented | |||||||||||||||||||
| Splint | 3.1.1 | |||||||||||||||||||||
| TrustInSoft Analyzer |
| initialisation | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
...
| [Flake 2006] | |
| [ISO/IEC 9899:20112024] | Subclause 6.7.911, "Initialization" Subclause 6.2.6.1, "General" Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators" |
| [Mercy 2006] | |
| [VU#925211] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...