Password theft from memory?

Bob Hall rjhjr0 at gmail.com
Tue Apr 26 02:56:19 UTC 2011


On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> On Mon, 25 Apr 2011 13:54:20 -0400
> Bob Hall <rjhjr0 at gmail.com> wrote:
> 
> > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall <rjhjr0 at gmail.com> wrote:
> > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > >> I don't believe the heap is allocated zeroed pages.  The kernel
> > > >> does allocate such pages to the BSS segment, but that's because
> > > >> it holds zeroed data such as C static variables.
> > > >
> > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > extends the uninitialized data segment with zero-filled pages.
> > > > Since malloc() is an interface to sbrk, it does the same thing.
> > > 
> > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > allocators, depending on the user-settable flags
> > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > _malloc_options. So you have to look into mmap(2) too.
> > 
> > Good point. From the man page:
> > "Any such extension beyond the end of the mapped object will be
> > zero-filled." 
> > and
> > "A successful mmap deletes any previous mapping in the allocated
> > address range."
> 
> 
> The above quote refers to zeroing the fraction of a page that's left
> over when "len"  isn't a multiple of the page size.

The above quote states that the memory not occupied by the remapped
object is zero-filled. Which is to say that memory allocated by mmap()
is either filled with new data or filled with zeros.

> However, there's a
> comment in malloc.c about mmap'ed regions being zeroed, so I guess they
> are, but it doesn't seem to be mentioned at all in mmap(2).
 
It is mentioned, in the first sentence I quoted.

> The reason I thought that heap memory isn't zeroed is from the
> discussion of pre-zeroed pages in this article: 
> 
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> 
> It reads as if the BSS region is the only significant user of zeroed
> pages.

It appears to me to say that any virtual pages allocated to a process
are pre-zeroed, which would include the BSS segment.


More information about the freebsd-questions mailing list