Password theft from memory?

RW rwmaillists at googlemail.com
Tue Apr 26 09:42:00 UTC 2011


On Mon, 25 Apr 2011 22:56:14 -0400
Bob Hall <rjhjr0 at gmail.com> wrote:

> On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> > On Mon, 25 Apr 2011 13:54:20 -0400
> > Bob Hall <rjhjr0 at gmail.com> wrote:
> > 
> > > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall <rjhjr0 at gmail.com>
> > > > wrote:
> > > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > > >> I don't believe the heap is allocated zeroed pages.  The
> > > > >> kernel does allocate such pages to the BSS segment, but
> > > > >> that's because it holds zeroed data such as C static
> > > > >> variables.
> > > > >
> > > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > > extends the uninitialized data segment with zero-filled pages.
> > > > > Since malloc() is an interface to sbrk, it does the same
> > > > > thing.
> > > > 
> > > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > > allocators, depending on the user-settable flags
> > > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > > _malloc_options. So you have to look into mmap(2) too.
> > > 
> > > Good point. From the man page:
> > > "Any such extension beyond the end of the mapped object will be
> > > zero-filled."
> > > and
> > > "A successful mmap deletes any previous mapping in the allocated
> > > address range."
> > 
> > 
> > The above quote refers to zeroing the fraction of a page that's left
> > over when "len"  isn't a multiple of the page size.
> 
> The above quote states that the memory not occupied by the remapped
> object is zero filled. Which is to say that memory allocated by mmap()
> is either filled with new data or filled with zeros.

In context it says:

     "If len is not a multiple of the page-size, the mapped region may
     extend past the specified range.  Any such extension beyond the
     end of the mapped object will be zero-filled."

To me the most straightforward reading of that is that it's referring
to non-aligned address ranges.

Your interpretation may well be the intended one, but where would that
leave the anonymous mappings used by malloc? Are we to think of them as
extensions beyond a non-existent mapped object, and thus infer that they
are zero-filled? It's a bit of a stretch from what's written.


> > The reason I thought that heap memory isn't zeroed is from the
> > discussion of pre-zeroed pages in this article:
> > 
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> > 
> > It reads as if the BSS region is the only significant user of zeroed
> > pages.
> 
> It appears to me to say that any virtual pages allocated to a process
> are pre-zeroed, which would include the BSS segment.

It says:

   "A large percentage of page faults that occur are zero-fill faults.
   You can usually see this by observing the vmstat -s output. These
   occur when a process accesses pages in its BSS area."

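As an added example (not code from this thread or from FreeBSD), a small C program that separates the two cases the thread is debating: pages that arrive fresh from the kernel through an anonymous mmap, which are zero-filled, and heap memory the allocator hands back after a free(), which is only as clean as the allocator chooses to make it. The 'P' secret pattern, the buffer sizes and the function names are constructed for illustration.

```c
#define _DEFAULT_SOURCE 1   /* expose MAP_ANONYMOUS on glibc */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Number of bytes in b[0..len) equal to c. */
static size_t count_byte(const unsigned char *b, size_t len, unsigned char c)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (b[i] == c);
    return n;
}

/* Zero a secret through a volatile pointer so the compiler cannot drop the
 * stores as dead ahead of free(); a portable stand-in for explicit_bzero(3). */
static void secure_wipe(void *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}

/* Fresh anonymous pages straight from the kernel: the zero-filled case.
 * Returns the count of nonzero bytes (0 expected), (size_t)-1 on failure. */
size_t nonzero_in_fresh_mmap(size_t len)
{
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return (size_t)-1;
    size_t n = len - count_byte(p, len, 0);
    munmap(p, len);
    return n;
}

/* Recycled heap memory: fill a block with a constructed secret, free it,
 * malloc the same size again and count how much of the secret is still
 * readable. The allocator, not the kernel, decides this; a wipe before
 * free() makes the answer 0 whatever the allocator does. */
size_t secret_bytes_after_reuse(size_t len, int wipe_before_free)
{
    unsigned char *a = malloc(len), *b;
    if (a == NULL) return (size_t)-1;
    memset(a, 'P', len);            /* constructed stand-in for a password */
    if (wipe_before_free) secure_wipe(a, len);
    free(a);
    if ((b = malloc(len)) == NULL) return (size_t)-1;
    size_t n = count_byte(b, len, 'P');
    free(b);
    return n;
}
```

On FreeBSD the heap result depends on the malloc.conf / MALLOC_OPTIONS flags mentioned earlier in the thread, and a count of 0 without the wipe does not prove the allocator zeroes memory, since the second block may simply have come from elsewhere.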