Password theft from memory?

RW rwmaillists at googlemail.com
Wed Apr 27 00:46:04 UTC 2011


On Tue, 26 Apr 2011 16:23:11 +0200
"C. P. Ghost" <cpghost at cordula.ws> wrote:

> On Tue, Apr 26, 2011 at 11:41 AM, RW <rwmaillists at googlemail.com>
> wrote:
> >> The above quote states that the memory not occupied by the remapped
> >> object is zero filled. Which is to say that memory allocated by
> >> mmap() is either filled with new data or filled with zeros.
> >
> > In context it says:
> >
> >     "If len is not a multiple of the page-size, the mapped region
> >     may extend past the specified range.  Any such extension beyond the
> >     end of the mapped object will be zero-filled."
> >
> > To me the most straightforward reading of that is that it's
> > referring to non-aligned address ranges.
> >
> > Your interpretation may well be the intended one, but where would
> > that leave the anonymous mappings used by malloc? Are we to think
> > of them as extensions beyond a non-existent mapped object, and thus
> > infer that they are zero-filled? It's a bit of a stretch from
> > what's written.
> 
> While it's not a *proof*, you could always do a little bit of black
> box testing.

I didn't really doubt it; if sbrk zero-filled, then it would be a major
security regression if mmap didn't provide the same behaviour.

From vm_fault.c it looks clear that a zeroed page is allocated when the
location is neither file-backed nor written out to swap. That's probably
why mmap(2) doesn't bother to mention zero-filling except in a special
case.
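The black-box test suggested in the quoted reply, as an added C example that is not part of the thread: it maps anonymous memory, checks that it arrives zeroed, then dirties it, unmaps it and maps again to confirm that old contents never resurface in a fresh mapping. POSIX mmap/munmap and the MAP_ANONYMOUS flag are assumed; the 16-page size and the 0xAA fill pattern are constructed for the test.

```c
/* Added example, not from the thread: black-box check that anonymous
 * mmap() pages arrive zero-filled. Assumes POSIX mmap/munmap. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling of the flag */
#endif

/* 1 if every byte in buf[0..len) is zero, else 0. */
static int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i]) return 0;
    return 1;
}

/* Map a fresh anonymous region; 1 if zero-filled, 0 if not, -1 on error. */
int anon_mapping_is_zeroed(size_t len)
{
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int zeroed = all_zero(p, len);
    munmap(p, len);
    return zeroed;
}

/* Fill with 0xAA (stand-in for secrets), unmap, map again: no old data may show. */
int recycled_mapping_is_zeroed(size_t len, int rounds)
{
    for (int r = 0; r < rounds; r++) {
        unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) return -1;
        int zeroed = all_zero(p, len);   /* inspect before dirtying */
        memset(p, 0xAA, len);            /* constructed "secret" pattern */
        munmap(p, len);
        if (!zeroed) return 0;           /* previous contents leaked through */
    }
    return 1;
}

int main(void)
{
    printf("fresh mapping zeroed: %d\n", anon_mapping_is_zeroed(16 * 4096));
    printf("recycled mappings zeroed: %d\n", recycled_mapping_is_zeroed(16 * 4096, 8));
    return 0;
}
```

Both functions return 1 on the FreeBSD and Linux behaviour the thread describes; a 0 from the recycled check would mean a freed page came back with its previous contents, which is exactly the disclosure the subject line worries about.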

