Password theft from memory?

C. P. Ghost cpghost at cordula.ws
Tue Apr 26 14:23:13 UTC 2011


On Tue, Apr 26, 2011 at 11:41 AM, RW <rwmaillists at googlemail.com> wrote:
>> The above quote states that the memory not occupied by the remapped
>> object is zero filled. Which is to say that memory allocated by mmap()
>> is either filled with new data or filled with zeros.
>
> In context it says:
>
>     "If len is not a multiple of the page-size, the mapped region may
>     extend past the specified range.  Any such extension beyond the
>     end of the mapped object will be zero-filled."
>
> To me the most straightforward reading of that is that it's referring
> to non-aligned address ranges.
>
> Your interpretation may well be the intended one, but where would that
> leave the anonymous mappings used by malloc? Are we to think of them as
> extensions beyond a non-existent mapped object, and thus infer that they
> are zero-filled? It's a bit of a stretch from what's written.

While it's not a *proof*, you could always do a little bit of black box
testing.

1. So how about a little C program scanner.c that allocates a huge heap
via mmap(2)'s malloc(3) backend, and crawls that buffer, looking for
the first non-zero byte? If we always get zero-filled pages, you shouldn't
find any non-zero bytes there.

2. For good measure, another program filler.c could fill a huge heap with
a particular easily recognizable pattern (say something like 0xdeadbeef),
and exit; and then, scanner.c could not only check for non-zero bytes, but
also for that particular pattern.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
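Steps 1 and 2 above, folded into one program as an added example (this is not cpghost's scanner.c or filler.c, and it is not FreeBSD project code). It assumes a POSIX mmap(2) with anonymous mappings; the 16 MiB mapping size and the 0xdeadbeef marker are constructed values. The "filler" and "scanner" roles run in one process: map, confirm all bytes are zero, write the marker, unmap, map again, and confirm the fresh mapping is zero again and the marker is gone.

```c
#define _DEFAULT_SOURCE   /* expose MAP_ANONYMOUS on glibc-based systems */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Size of the anonymous mapping to inspect (constructed value for the example). */
#define MAP_BYTES (16u * 1024u * 1024u)

/* Request a fresh anonymous mapping straight from the kernel; NULL on failure. */
static void *map_anon(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Scanner step 1: offset of the first non-zero byte, or -1 if the buffer is all zero. */
static long first_nonzero(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0) return (long)i;
    return -1;
}

/* Filler step: stamp a repeating 32-bit marker over the buffer in host byte order. */
static void fill_pattern(unsigned char *buf, size_t len, uint32_t marker) {
    for (size_t i = 0; i + sizeof marker <= len; i += sizeof marker)
        memcpy(buf + i, &marker, sizeof marker);
}

/* Scanner step 2: offset of the first occurrence of the marker, or -1 if absent. */
static long find_pattern(const unsigned char *buf, size_t len, uint32_t marker) {
    if (len < sizeof marker) return -1;
    for (size_t i = 0; i + sizeof marker <= len; i++)
        if (memcmp(buf + i, &marker, sizeof marker) == 0) return (long)i;
    return -1;
}

/* The whole experiment: returns 1 if every fresh mapping came back zero-filled
 * and the marker never survived an unmap/remap cycle, 0 otherwise. */
static int fresh_mappings_are_zeroed(size_t len, uint32_t marker) {
    unsigned char *buf = map_anon(len);
    if (!buf) return 0;
    if (first_nonzero(buf, len) != -1) { munmap(buf, len); return 0; }
    fill_pattern(buf, len, marker);                    /* filler.c role */
    if (find_pattern(buf, len, marker) != 0) { munmap(buf, len); return 0; }
    munmap(buf, len);                                  /* filler "exits" */
    buf = map_anon(len);                               /* scanner.c role */
    if (!buf) return 0;
    int ok = first_nonzero(buf, len) == -1 && find_pattern(buf, len, marker) == -1;
    munmap(buf, len);
    return ok;
}

/* Sanity checks of the two scanners on small stack buffers; returns 1 on success. */
static int small_buffer_checks(void) {
    unsigned char zero[64] = {0};
    unsigned char stamped[64];
    fill_pattern(stamped, sizeof stamped, 0xdeadbeefu);
    return first_nonzero(zero, sizeof zero) == -1
        && find_pattern(zero, sizeof zero, 0xdeadbeefu) == -1
        && first_nonzero(stamped, sizeof stamped) == 0
        && find_pattern(stamped, sizeof stamped, 0xdeadbeefu) == 0;
}

int main(void) {
    int ok = fresh_mappings_are_zeroed(MAP_BYTES, 0xdeadbeefu);
    printf("fresh anonymous mappings zero-filled: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Splitting the filler and scanner into two processes, as the post suggests, tests the same kernel behaviour across process boundaries. Either way the experiment only speaks to pages handed out by the kernel; memory that malloc(3) recycles inside one process is not zeroed on free(3), so a program holding a password should wipe the buffer itself (for example with explicit_bzero(3)) before releasing it.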
