Call to memset may be deleted

ID: cpp/memset-may-be-deleted
Kind: problem
Security severity: 7.8
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-014
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Calling memset or bzero on a buffer to clear its contents may get optimized away by the compiler if the buffer is not subsequently used. This is not desirable behavior if the buffer contains sensitive data that could somehow be retrieved by an attacker.

Recommendation

Use memset_s (from C11) instead of memset, as memset_s will not get optimized away. Alternatively, use platform-supplied functions such as SecureZeroMemory or explicit_bzero that make the same guarantee. Passing the -fno-builtin-memset option to the GCC/Clang compiler usually also prevents the optimization. Finally, you can use the public-domain secure_memzero function (see references below). This function, however, is not guaranteed to work on all platforms and compilers.
Example

The following program fragment uses memset to erase sensitive information after it is no longer needed:

```c
char password[MAX_PASSWORD_LENGTH];
// read and verify password
memset(password, 0, MAX_PASSWORD_LENGTH);
```
Because of dead store elimination, the call to memset may be removed by the compiler (since the buffer is not subsequently used), resulting in potentially sensitive data remaining in memory.

The best solution to this problem is to use the memset_s function instead of memset:

```c
char password[MAX_PASSWORD_LENGTH];
// read and verify password
memset_s(password, MAX_PASSWORD_LENGTH, 0, MAX_PASSWORD_LENGTH);
```
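For platforms where memset_s is unavailable, the following added example (not CodeQL's code, and not the public-domain secure_memzero the references point to) shows a volatile-pointer clearing routine that dead store elimination cannot remove, used in a check_password function that mirrors the fragment above. MAX_PASSWORD_LENGTH, check_password, all_zero and zero_roundtrip are names assumed for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PASSWORD_LENGTH 64  /* assumed value for this example */

/* Writing through a volatile pointer forces the compiler to emit every
 * store, so the clearing loop survives dead store elimination. */
static void secure_memzero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
#if defined(__GNUC__) || defined(__clang__)
    /* Extra guard: tell the optimizer the memory was observed. */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
static int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Copies a caller-supplied password into a local buffer, compares it, and
 * clears the buffer before returning. Returns 1 on match, 0 otherwise. */
static int check_password(const char *input, const char *expected)
{
    char password[MAX_PASSWORD_LENGTH];
    size_t n = strnlen(input, MAX_PASSWORD_LENGTH - 1);
    memcpy(password, input, n);
    password[n] = '\0';
    int ok = (strcmp(password, expected) == 0);
    secure_memzero(password, sizeof password); /* kept, unlike a plain memset here */
    return ok;
}

/* Fills a constructed buffer with non-zero bytes, clears it, and reports
 * whether the clearing actually happened. Returns 1 on success. */
static int zero_roundtrip(void)
{
    unsigned char buf[32];
    memset(buf, 0xAB, sizeof buf);
    int was_dirty = !all_zero(buf, sizeof buf);
    secure_memzero(buf, sizeof buf);
    return was_dirty && all_zero(buf, sizeof buf);
}
```

Compile with optimization enabled (for example -O2) to confirm that the stores in secure_memzero remain in the generated code.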
References

- CERT C Coding Standard: MSC06-C. Beware of compiler optimizations.
- USENIX: The Advanced Computing Systems Association: Dead Store Elimination (Still) Considered Harmful.
- Common Weakness Enumeration: CWE-14.