Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

Modifying a variable through a pointer of an incompatible type (other than unsigned char) can lead to unpredictable results. Subclause 6.2.7 of the C Standard states that two types may be distinct yet compatible and addresses precisely  when two distinct types are compatible.

This problem is often caused by a violation of aliasing rules, which are part of the ISO C standard. Wiki MarkupC99 \[. The C Standard, 6.5, paragraph 7 [ISO/IEC 9899:1999|https://www.securecoding.cert.org/confluence/display/seccode/AA.+C+References#AA.CReferences-ISO%2FIEC98991999]\]  states that \\9899:2024 ], specifies those circumstances in which an object may or may not be aliased.

7. An object shall have its stored value accessed only by an lvalue expression that has one of
the following types: (78)

  • a type compatible with the effective type of the object,
  • a qualified version of a type compatible with the effective type of the object, 
— a type that is
  • the signed or unsigned type
corresponding to
  • compatible with the underlying type of the effective type of the

  • object,
— a type that is
  • the signed or unsigned type
corresponding to
  • compatible with a qualified version of the

  • underlying type of the effective type of the object, 
  • an aggregate or union type that includes one of the aforementioned types among its

  • members (including, recursively, a member of a subaggregate or contained union),
or
  • or 
  • a character type.

/78) The intent of this list is to specify those circumstances in which an object may or may not be aliased./

  •  

Noncompliant Code Example

In this noncompliant example, an object of type float is incremented through an int *. The programmer can use the unit in the last place to get the next representable value for a floating-point type.  However, accessing an object These rules say that a program is invalid if you try to access a variable through a pointer of an incompatible type . This is happening in the following example where a short is accessed through a pointer to integer (the code assumes 16-bit shorts and 32-bit integers).

...

is undefined behavior.

Code Block
bgColor#FFCCCC
langc

#include <stdio.h>
 
intvoid mainf(void)
 {
  if  short a[2];
(sizeof(int) == sizeof(float)) {
    a[0]=0x1111;
    a[1]=0x1111;

float f = 0.0f;
    *(int *)aip = 0x22222222; (int /* violation of aliasing rules */
*)&f;
    (*ip)++;
    printf("%xfloat is %x%f\n", f);
  }
}

Compliant Solution

In this compliant solution, the standard C function nextafterf() is used to round toward the highest representable floating-point value:

Code Block
bgColor#ccccff
langc
#include <float.h>
#include <math.h>
#include <stdio.h>
 
void f(void) {
  float f = 0.0f;
  f = nextafterf(f, FLT_MAX a[0], a[1]);
  printf("float is return 0%f\n", f);
}

Noncompliant Code Example

In this noncompliant code example, an array of two values of type short is treated as an integer and assigned an integer value. The resulting values are indeterminate.Optimized code produced by GCC 3.4.6.
.

Code Block
bgColor#FFCCCC
langc

#include <stdio.h>
 
intvoid mainfunc(void)
 {
    short a[2];

    a[0]=0x1111;
    a[1]=0x1111;

  *(int *)a = 0x22222222;

  printf("%x %x\n", a[0], a[1]);
    return 0;
}

Implementation Details

...

When translating this code, an implementation can assume that no access through an integer pointer can change the array a, consisting of shorts. Consequently, printf() may be called with the original values of a[0] and a[1].

Implementation Details

Recent versions of GCC turn on the option -fstrict-aliasing (, which allows alias-based optimizations) , by default with -O2. And some Some architectures then really print "1111 1111" as a result. Without optimization, the executable will generate generates the "expected" output "2222 2222.".

To disable optimizations based on alias - analysis for faulty legacy code, the option -fno-strict-aliasing can be used as a work-aroundworkaround. The option -Wstrict-aliasing (, which is included in -Wall) , warns about some - , but not all - cases , violations of violation of aliasing rules when -fstrict-aliasing is active.

Compliant Solution (gcc)

When GCC 3.4.6 compiles this code with optimization, the assignment through the aliased pointer is effectively eliminated.

Compliant Solution

This compliant solution uses a union type that includes a type compatible with the effective type of the object:To fix the code above, you can use a union instead of a cast.

Code Block
bgColor#ccccff
langc

#include <stdio.h>
 
intvoid mainfunc(void)
 {
    union
    {
        short a[2];
        int i;
  }  }u;

    u.a[0]=0x1111;
    u.a[1]=0x1111;

    u.i = 0x22222222;

    printf("%x %x\n", u.a[0], u.a[1]);
    return 0;
}

...

);

  /* ... */
}

The C standard states:

If the member used to read the contents of a union object is not the same as the member last used to store a value in the object, the appropriate part of the object representation of the value is reinterpreted as an object representation in the new type as described in 6.2.6 (a process sometimes called “type punning”). This might be a trap representation

The call to printf() typically outputs "2222 2222". However, there is no guarantee that this will be true; the object representations of a and i are unspecified and need not be compatible in this way, despite this operation being commonly accepted as an implementation extension. (See unspecified behavior 11.)

Noncompliant Code Example

In this noncompliant code example, a gadget object is allocated, then realloc() is called to create a widget object using the memory from the gadget object. Although reusing memory to change types is acceptable, accessing the memory copied from the original object is undefined behavior.

Code Block
bgColor#FFCCCC
langc
#include <stdlib.h>
 
struct gadget {
  int i;
  double d;
  char *p;
};
 
struct widget {
  char *q;
  int j;
  double e;
};
 
void func(void) {
  struct gadget *gp;
  struct widget *wp;
 
  gp = (struct gadget *)malloc(sizeof(struct gadget));
  if (!gp) {
    /* Handle error */
  }
  /* ... Initialize gadget ... */
  wp = (struct widget *)realloc(gp, sizeof(struct widget));
  if (!wp) {
    free(gp);
    /* Handle error */
  }
  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

Compliant Solution

This compliant solution reuses the memory from the gadget object but reinitializes the memory to a consistent state before reading from it:

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
#include <string.h>
 
struct gadget {
  int i;
  double d;
  char *p;
};
 
struct widget {
  char *q;
  int j;
  double e;
};
 
void func(void) {
  struct gadget *gp;
  struct widget *wp;
 
  gp = (struct gadget *)malloc(sizeof (struct gadget));
  if (!gp) {
    /* Handle error */
  }
  /* ... */
  wp = (struct widget *)realloc(gp, sizeof(struct widget));
  if (!wp) {
    free(gp);
    /* Handle error */
  }
  memset(wp, 0, sizeof(struct widget));
  /* ... Initialize widget ... */

  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

Noncompliant Code Example

According to the C Standard, 6.7.7.3 [ISO/IEC 9899:2024], using two or more incompatible arrays in an expression is undefined behavior. (See also undefined behavior 73.)

For two array types to be compatible, both should have compatible underlying element types, and both size specifiers should have the same constant value. If either of these properties is violated, the resulting behavior is undefined.

In this noncompliant code example, the two arrays a and b fail to satisfy the equal size specifier criterion for array compatibility. Because a and b are not equal, writing to what is believed to be a valid member of a might exceed its defined memory boundary, resulting in an arbitrary memory overwrite.

Code Block
bgColor#FFCCCC
langc
enum { ROWS = 10, COLS = 15 };
 
void func(void) {
  int a[ROWS][COLS];
  int (*b)[ROWS] = a;
}

Most compilers will produce a warning diagnostic if the two array types used in an expression are incompatible.

Compliant Solution

In this compliant solution, b is declared to point to an array with the same number of elements as a, satisfying the size specifier criterion for array compatibility:

Code Block
bgColor#ccccff
langc
enum { ROWS = 10, COLS = 15 };
 
void func(void) {
  int a[ROWS][COLS];
  int (*b)[COLS] = a;
}

Risk Assessment

Optimizing for performance can lead to such aliasing errors which that can be quite difficult to detect. Furthermore, as in the case above preceding example, unexpected results can lead to buffer overflow attacks and/or , bypassing security checks and/, or unexpected execution.

Rule

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

EXP39-C

medium

probable

high

P12

L1

References

GCC Known Bugs C bugs, Aliasing issues while casting to incompatible types

Medium

Unlikely

No

No

P2

L3

Automated Detection

Tool

Version

Checker

Description

Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-exp39-c
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0310, C0751, C3305

C++3017, C++3030, C++3033


Klocwork

Include Page
Klocwork_V
Klocwork_V

MISRA.CAST.FUNC_PTR.2012
MISRA.CAST.INCOMPLETE_PTR_TO_ANY.2012
MISRA.CAST.OBJ_PTR_TO_NON_INT.2012
MISRA.CAST.OBJ_PTR_TO_OBJ_PTR.2012


LDRA tool suite
Include Page
LDRA_V
LDRA_V
94 S, 554 SPartially implemented
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP39-a
CERT_C-EXP39-b
CERT_C-EXP39-c
CERT_C-EXP39-d
CERT_C-EXP39-e
CERT_C-EXP39-f

There shall be no implicit conversions from integral to floating type
A cast should not be performed between a pointer to object type and a different pointer to object type
Avoid accessing arrays and pointers out of bounds
Avoid buffer overflow from tainted data due to defining incorrect format limits
Avoid buffer read overflow from tainted data
Avoid buffer write overflow from tainted data

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP39-C

Checks for cast to pointer pointing to object of different type (rule partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V580

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

ISO/IEC TS 17961Accessing an object through a pointer to an incompatible type [ptrcomp]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer2017-05-18: CERT: Partial overlap
CWE 2.11CWE-125, Out-of-bounds Read2017-05-18: CERT: Partial overlap
CWE 2.11CWE-7042017-06-14: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-119 and EXP39-C

Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)

Intersection( EXP39-C, CWE-119) =


  • Reading memory assigned to one type, but being accessed through a pointer to a larger type.


EXP39-C – CWE-119 =


  • Writing to memory assigned to one type, but accessed through a pointer to a larger type



  • Reading memory assigned to one type, but being accessed through a pointer to a smaller (or equal-sized) type


CWE-119 – EXP39-C =


  • Reading beyond a buffer using a means other than accessing a variable through an incompatible pointer.


CWE-123 and EXP39-C

Intersection( CWE-123, EXP39-C) = Ø

EXP39-C allows overflowing a (small) buffer, but not arbitrary memory writes. (Possibly an arbitrary-memory write exploit could be devised using a “perfect storm” of incompatible types, but this would be uncommon in practice.)

CWE-125 and EXP39-C

Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)

Intersection( EXP39-C, CWE-125) =


  • Reading memory assigned to one type, but being accessed through a pointer to a larger type.


ESP39-C – CWE-125 =


  • Reading memory assigned to one type, but being accessed through a pointer to a smaller (or equal-sized) type


CWE-125 – EXP39-C =


  • Reading beyond a buffer using a means other than accessing a variable through an incompatible pointer.


CWE-188 and EXP39-C

Intersection( CWE-188, EXP39-C) = Ø

CWE-188 appears to be about making assumptions about the layout of memory between distinct variables (that are not part of a larger struct or array). Such assumptions typically involve pointer arithmetic (which violates ARR30-C). EXP39-C involves only one object in memory being (incorrectly) interpreted as if it were another object. EG a float being treated as an int (usually via pointers and typecasting)

CWE-704 and EXP39-C

CWE-704 = Union( EXP39-C, list) where list =


  • Incorrect (?) typecast that is not incompatible


Bibliography

[Acton 2006]"Understanding Strict Aliasing"
GCC Known Bugs"C Bugs, Aliasing Issues while Casting to Incompatible Types"
[ISO/IEC 9899:2024]6.5, "Expressions"
6.7.7.3, "Array Declarators"
[Walfridsson 2003]Aliasing, Pointer Casts and GCC 3.3


...

Image Added Image Added Image Added Aliasing, pointer casts and gcc 3.3 Aliasing issue