Pointer Address Assignment Behavior

On By In 1

An object that is accessed through a -qualified pointer has a special association with that pointer. This association requires that all accesses to that object use, directly or indirectly, the value of that particular pointer. The intended use of the restrict qualifier is to promote optimization, and deleting all instances of the qualifier from a program does not change its meaning (that is, observable behavior). In the absence of this qualifier, other pointers can alias this object. Caching the value in an object designated through a -qualified pointer is safe at the beginning of the block in which the pointer is declared because no preexisting aliases may also be used to reference that object. The cached value must be restored to the object by the end of the block, where preexisting aliases again become available. New aliases may be formed within the block, but these must all depend on the value of the -qualified pointer so that they can be identified and adjusted to refer to the cached value. For a -qualified pointer at file scope, the block is the body of each function in the file [Walls 2006]. Developers should be aware that C++ does not support the  qualifier, but some C++ compiler implementations support an equivalent qualifier as an extension. 

The C Standard [ISO/IEC 9899:2011] identifies the following undefined behavior:

A restrict-qualified pointer is assigned a value based on another restricted pointer whose associated block neither began execution before the block associated with this pointer, nor ended before the assignment (6.7.3.1).

This is an oversimplification, however, and it is important to review the formal definition of restrict in subclause 6.7.3.1 of the C Standard to properly understand undefined behaviors associated with the use of -qualified pointers.

Overlapping Objects

The qualifier requires that the pointers do not reference overlapping objects. If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined.

Noncompliant Code Example

This code example is noncompliant because an assignment is made between two -qualified pointers in the same scope:

Note that undefined behavior occurs only when is assigned to . It is valid for and to point into the same array object, provided the range of elements accessed through one of the pointers does not overlap with the range of elements accessed through the other pointer.

Compliant Solution

One way to eliminate the undefined behavior is simply to remove the qualification from the affected pointers:

-Qualified Function Parameters

When calling functions that have -qualified function parameters, it is important that the pointer arguments do not reference overlapping objects if one or more of the pointers are used to modify memory. Consequently, it is important to understand the semantics of the function being called.

Noncompliant Code Example

In this noncompliant code example, the function accepts three parameters. The function copies  integers from the array referenced by the -qualified pointer to the array referenced by the -qualified pointer . Because the destination array is modified during each execution of the function (for which is nonzero), if the array is accessed through one of the pointer parameters, it cannot also be accessed through the other. Declaring these function parameters as -qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.

The function declares an array consisting of 100 values and then invokes to copy memory from one area of the array to another. This call has undefined behavior because each of through is accessed through both and .

Compliant Solution

In this compliant solution, the function is unchanged but the programmer has ensured that none of the calls to result in undefined behavior. The call to in is valid because the storage allocated to is effectively divided into two disjoint objects.

Noncompliant Code Example

In this noncompliant code example, the function  adds the integer array referenced by the -qualified pointers lhs to the integer array referenced by the -qualified pointer  and stores the result in the -qualified pointer referenced by . The function declares an array consisting of 100 values and then invokes to copy memory from one area of the array to another. The call has undefined behavior because the object modified by  is accessed by lhs and .

Compliant Solution

In this compliant solution, an unmodified object is aliased through two restricted pointers. Because  and  are disjoint arrays, a call of the form has defined behavior, because array  is not modified within function .

Invoking Library Functions with -Qualified Pointers

Ensure that -qualified source and destination pointers do not reference overlapping objects when invoking library functions. For example, the following table lists C standard library functions that copy memory from a source object referenced by a -qualified pointer to a destination object that is also referenced by a -qualified pointer: 

Standard CAnnex K

If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. (See also undefined behavior 68.) The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as , should be used.

Noncompliant Code Example

In this noncompliant code example, the values of objects referenced by and become unpredictable after the call to because their memory areas overlap:

Compliant Solution

In this compliant solution, the call to is replaced with a call to . The function performs the same operation as  when the memory regions do not overlap. When the memory regions do overlap, the n characters from the object pointed to by the source () are first copied into a temporary array of n characters that does not overlap the objects pointed to by the destination () or the source. The n characters from the temporary array are then copied into the object pointed to by the destination.

Similar solutions using can replace the string functions as long as care is taken regarding the byte size of the characters and proper null-termination of the copied string.

Calling Functions with -Qualified Pointer to a -Qualified Type 

Ensure that functions that accept a -qualified pointer to a -qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following table lists of some of the common functions for which the format argument is a -qualified pointer to a -qualified type.

Standard CAnnex K

For formatted output functions such as , it is unlikely that a programmer would modify the format string. However, an attacker may attempt to do so if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string. 

Noncompliant Code Example

In this noncompliant code example, the programmer is attempting to overwrite the format string with a string value read in from such as  and use the resulting modified string of to input the subsequent values of and :

Compliant Solution

The intended results are achieved by this compliant solution:

Outer-to-Inner Assignments between Restricted Pointers

The assignment between -qualified pointers declared in an inner nested block from an outer block has defined behavior.

Noncompliant Code Example

The assignment of -qualified pointers to other -qualified pointers within the same block has undefined behavior:

Compliant Solution 

The intended results can be achieved using an inner nested block, as shown in this compliant solution:

Risk Assessment

The incorrect use of -qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP43-C

Medium

Probable

High

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Related Guidelines

Key here (explains table format and definitions)

  1. MISRA Rule 8.14 prohibits the use of the restrict keyword except in C standard library functions. 

Bibliography


int *restrict a; int *restrict b; extern int c[]; int main(void) { c[0] = 17; c[1] = 18; a = &c[0]; b = &c[1]; a = b; /* Undefined behavior */ /* ... */ }
int *a; int *b; extern int c[]; int main(void) { c[0] = 17; c[1] = 18; a = &c[0]; b = &c[1]; a = b; /* Defined behavior */ /* ... */ }
#include <stddef.h> void f(size_t n, int *restrict p, const int *restrict q) { while (n-- > 0) { *p++ = *q++; } } void g(void) { extern int d[100]; /* ... */ f(50, d + 1, d); /* Undefined behavior */ }
#include <stddef.h> void f(size_t n, int *restrict p, const int *restrict q) { while (n-- > 0) { *p++ = *q++; } } void g(void) { extern int d[100]; /* ... */ f(50, d + 50, d); /* Defined behavior */ }
#include <stddef.h>   void add(size_t n, int *restrict res, const int *restrict lhs, const int *restrict rhs) { for (size_t i = 0; i < n; ++i) { res[i] = lhs[i] + rhs[i]; } }   void f(void) { int a[100]; add(100, a, a, a); /* Undefined behavior */ }
#include <stddef.h> void add(size_t n, int *restrict res, const int *restrict lhs, const int *restrict rhs) { for (size_t i = 0; i < n; ++i) { res[i] = lhs[i] + rhs[i]; } }   void f(void) { int a[100]; int b[100]; add(100, a, b, b); /* Defined behavior */ }
#include <string.h> void func(void) { char c_str[]= "test string"; char *ptr1 = c_str; char *ptr2; ptr2 = ptr1 + 3; /* Undefined behavior because of overlapping objects */ memcpy(ptr2, ptr1, 6); /* ... */ }
#include <string.h> void func(void) { char c_str[]= "test string"; char *ptr1 = c_str; char *ptr2; ptr2 = ptr1 + 3; memmove(ptr2, ptr1, 6); /* Replace call to memcpy() */ /* ... */ }
#include <stdio.h>   void func(void) { int i; float x; char format[100] = "%s"; /* Undefined behavior */ int n = scanf(format, format + 2, &i, &x);  /* ... */ }
#include <stdio.h>   void func(void) { int i; float x int n = scanf("%d%f", &i, &x); /* Defined behavior */  /* ... */ }
void func(void) { int *restrict p1; int *restrict q1; int *restrict p2 = p1; /* Undefined behavior */ int *restrict q2 = q1; /* Undefined behavior */ }
void func(void) { int *restrict p1; int *restrict q1; { /* Added inner block */ int *restrict p2 = p1; /* Valid, well-defined behavior */ int *restrict q2 = q1; /* Valid, well-defined behavior */ } }

Do not convert a pointer value to a pointer type that is more strictly aligned than the referenced type. Different alignments are possible for different types of objects. If the type-checking system is overridden by an explicit cast or the pointer is converted to a void pointer () and then to a different type, the alignment of an object may be changed.

The C Standard, 6.3.2.3, paragraph 7 [ISO/IEC 9899:2011], states

A pointer to an object or incomplete type may be converted to a pointer to a different object or incomplete type. If the resulting pointer is not correctly aligned for the referenced type, the behavior is undefined.

See undefined behavior 25.

If the misaligned pointer is dereferenced, the program may terminate abnormally. On some architectures, the cast alone may cause a loss of information even if the value is not dereferenced if the types involved have differing alignment requirements.

Noncompliant Code Example

In this noncompliant example, the  pointer  is converted to the more strictly aligned  pointer . On some implementations,  will not match . As a result, if a pointer to one object type is converted to a pointer to a different object type, the second object type must not require stricter alignment than the first.

Compliant Solution (Intermediate Object)

In this compliant solution, the  value is stored into an object of type  so that the pointer's value will be properly aligned:

Noncompliant Code Example

The C Standard allows any object pointer to be cast to and from . As a result, it is possible to silently convert from one pointer type to another without the compiler diagnosing the problem by storing or casting a pointer to and then storing or casting it to the final type. In this noncompliant code example, is passed the pointer but returns an object of type pointer:

This example compiles without warning using GCC 4.8 on Ubuntu Linux 14.04. However, can be more strictly aligned than an object of type .

Compliant Solution

Because the input parameter directly influences the return value, and returns an object of type , the formal parameter is redeclared to accept only an object of type :

Noncompliant Code Example

Some architectures require that pointers are correctly aligned when accessing objects larger than a byte. However, it is common in system code that unaligned data (for example, the network stacks) must be copied to a properly aligned memory location, such as in this noncompliant code example:

Assigning an unaligned value to a pointer that references a type that needs to be aligned is undefined behavior. An implementation may notice, for example, that and must be aligned and use an inline that uses instructions that assume aligned data.

Compliant Solution

This compliant solution avoids the use of the pointer:

Exceptions

EXP36-C-EX1: Some hardware architectures have relaxed requirements with regard to pointer alignment. Using a pointer that is not properly aligned is correctly handled by the architecture, although there might be a performance penalty. On such an architecture, improper pointer alignment is permitted but remains an efficiency problem.

EXP36-C-EX2: If a pointer is known to be correctly aligned to the target type, then a cast to that type is permitted. There are several cases where a pointer is known to be correctly aligned to the target type. The pointer could point to an object declared with a suitable alignment specifier. It could point to an object returned by , , , or , as per the C standard, section 7.22.3, paragraph 1  [ISO/IEC 9899:2011].

This compliant solution uses the alignment specifier, which is new to C11, to declare the  object  with the same alignment as that of an object of type . As a result, the two pointers reference equally aligned pointer types:

Risk Assessment

Accessing a pointer or an object that is not properly aligned can cause a program to crash or give erroneous information, or it can cause slow pointer accesses (if the architecture allows misaligned accesses).

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP36-C

Low

Probable

Medium

P4

L3

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Bibliography


#include <assert.h>   void func(void) { char c = 'x'; int *ip = (int *)&c; /* This can lose information */ char *cp = (char *)ip; /* Will fail on some conforming implementations */ assert(cp == &c); }
#include <assert.h>   void func(void) { char c = 'x'; int i = c; int *ip = &i; assert(ip == &i); }
int *loop_function(void *v_pointer) { /* ... */ return v_pointer; }   void func(char *char_ptr) { int *int_ptr = loop_function(char_ptr); /* ... */ }
int *loop_function(int *v_pointer) { /* ... */ return v_pointer; }   void func(int *loop_ptr) { int *int_ptr = loop_function(loop_ptr); /* ... */ }
#include <string.h>   struct foo_header { int len; /* ... */ };   void func(char *data, size_t offset) { struct foo_header *tmp; struct foo_header header; tmp = (struct foo_header *)(data + offset); memcpy(&header, tmp, sizeof(header)); /* ... */ }
#include <string.h>   struct foo_header { int len; /* ... */ };   void func(char *data, size_t offset) { struct foo_header header; memcpy(&header, data + offset, sizeof(header)); /* ... */ }
#include <stdalign.h> #include <assert.h>   void func(void) { /* Align c to the alignment of an int */ alignas(int) char c = 'x'; int *ip = (int *)&c; char *cp = (char *)ip; /* Both cp and &c point to equally aligned objects */ assert(cp == &c); }

0 comments

Leave a Reply

Your email address will not be published. Required fields are marked *