...
In this noncompliant code example described in "More Randomness or Less" [Wang 2012], the process ID, time of day, and uninitialized memory junk is used to seed a random number generator. This behavior is characteristic of some distributions derived from Debian Linux that use uninitialized memory as a source of entropy because the value stored in junk is indeterminate. However, because accessing an indeterminate value is undefined behavior 11, compilers may optimize out the uninitialized variable access completely, leaving leaving only the time and process ID and resulting in a loss of desired entropy.
...
Reading uninitialized variables is undefined behavior 20 and can result in unexpected program behavior. In some cases, these security flaws may allow the execution of arbitrary code.
Reading uninitialized variables for creating entropy is problematic because these memory accesses can be removed by compiler optimization. VU#925211 is an example of a vulnerability caused by this coding error.
Rule | Severity | Likelihood | Detectable | Remediation CostRepairable | Priority | Level |
|---|---|---|---|---|---|---|
EXP33-C | High | Probable | No | MediumYes | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| uninitialized-local-read uninitialized-variable-use | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-EXP33 | |||||||
| CodeSonar |
| LANG.MEM.UVAR | Uninitialized variable | ||||||
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | ||||||||
| Coverity |
| UNINIT | Implemented | ||||||
| Cppcheck |
| uninitvar | |||||||
| Cppcheck Premium |
| uninitvar uninitdata uninitstring uninitMemberVar uninitStructMember | |||||||
| GCC | 4.3.5 | Can detect some violations of this rule when the | |||||||
| Helix QAC |
| DF2726, DF2727, DF2728, DF2961, DF2962, DF2963, DF2966, DF2967, DF2968, DF2971, DF2972, DF2973, DF2976, DF2977, DF2978 | Fully implemented | ||||||
| Klocwork |
| UNINIT.HEAP.MIGHT | Fully implemented | ||||||
| LDRA tool suite |
| 53 D, 69 D, 631 S, 652 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-EXP33-a | Avoid use before initialization | ||||||
| Parasoft Insure++ |
| Runtime analysis | |||||||
| PC-lint Plus |
| 530, 603, 644, 901 | Fully supported | ||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered | |||||||
| PVS-Studio |
| V573, V614, V670, V679, V1050 | |||||||
| RuleChecker |
| uninitialized-local-read | Partially checked | ||||||
| Security Reviewer - Static Reviewer | 6.02 | C54 C55 C56 C57 C58 C59 C60 C61 C62 C63 | Fully implemented | ||||||
| Splint | 3.1.1 | ||||||||
| TrustInSoft Analyzer |
| initialisation | Exhaustively verified (see one compliant and one non-compliant example). |
...