CodeQL documentation

Call to memset may be deleted

ID: cpp/memset-may-be-deleted
Kind: problem
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-14
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Calling memset or bzero on a buffer to clear its contents may get optimized away by the compiler if the buffer is not subsequently used. This is not desirable behavior if the buffer contains sensitive data that could somehow be retrieved by an attacker.

Recommendation

Use alternative platform-supplied functions that will not get optimized away. Examples of such functions include memset_s, SecureZeroMemory, and bzero_explicit. Alternatively, passing the -fno-builtin-memset option to the GCC/Clang compiler usually also prevents the optimization. Finally, you can use the public-domain secure_memzero function (see references below). This function, however, is not guaranteed to work on all platforms and compilers.

Example

The following program fragment uses memset to erase sensitive information after it is no longer needed:

char password[MAX_PASSWORD_LENGTH];
// read and verify password
memset(password, 0, MAX_PASSWORD_LENGTH);

Because of dead store elimination, the call to memset may be removed by the compiler (since the buffer is not subsequently used), resulting in potentially sensitive data remaining in memory.

The best solution to this problem is to use the memset_s function instead of memset:

char password[MAX_PASSWORD_LENGTH];
// read and verify password
memset_s(password, MAX_PASSWORD_LENGTH, 0, MAX_PASSWORD_LENGTH);

References