Date:      Tue, 26 Apr 2011 10:41:51 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Password theft from memory?
Message-ID:  <20110426104151.596bcc19@gumby.homeunix.com>
In-Reply-To: <20110426025614.GA62745@stainmore>
References:  <BANLkTimJWAxW_4OmoeBQrvDDLjD-5Vr5hQ@mail.gmail.com> <BANLkTin_S%2BBRWu79AH16tPdgZd%2BUgZQAzQ@mail.gmail.com> <20110425151846.0a5359fd@gumby.homeunix.com> <20110425151536.GA61425@stainmore> <BANLkTinvvWhEy_A5ao=XWTpQOSTX0Vm2_A@mail.gmail.com> <20110425175420.GA61811@stainmore> <20110425232908.4104e026@gumby.homeunix.com> <20110426025614.GA62745@stainmore>

On Mon, 25 Apr 2011 22:56:14 -0400
Bob Hall <rjhjr0@gmail.com> wrote:

> On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> > On Mon, 25 Apr 2011 13:54:20 -0400
> > Bob Hall <rjhjr0@gmail.com> wrote:
> >
> > > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall <rjhjr0@gmail.com>
> > > > wrote:
> > > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > > >> I don't believe the heap is allocated zeroed pages. The
> > > > >> kernel does allocate such pages to the BSS segment, but
> > > > >> that's because it holds zeroed data such as C static
> > > > >> variables.
> > > > >
> > > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > > extends the uninitialized data segment with zero-filled pages.
> > > > > Since malloc() is an interface to sbrk, it does the same
> > > > > thing.
> > > >
> > > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > > allocators, depending on the user-settable flags
> > > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > > _malloc_options. So you have to look into mmap(2) too.
> > >
> > > Good point. From the man page:
> > > "Any such extension beyond the end of the mapped object will be
> > > zero-filled."
> > > and
> > > "A successful mmap deletes any previous mapping in the allocated
> > > address range."
> >
> >
> > The above quote refers to zeroing the fraction of a page that's left
> > over when "len" isn't a multiple of the page size.
>
> The above quote states that the memory not occupied by the remapped
> object is zero filled. Which is to say that memory allocated by mmap()
> is either filled with new data or filled with zeros.

In context it says:

     "If len is not a multiple of the page-size, the mapped region may
     extend past the specified range.  Any such extension beyond the
     end of the mapped object will be zero-filled."

To me the most straightforward reading of that is that it's referring
to non-aligned address ranges.

Your interpretation may well be the intended one, but where would that
leave the anonymous mappings used by malloc? Are we to think of them as
extensions beyond a non-existent mapped object, and thus infer that they
are zero-filled? It's a bit of a stretch from what's written.


> > The reason I thought that heap memory isn't zeroed is from the
> > discussion of pre-zeroed pages in this article:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> >
> > It reads as if the BSS region is the only significant user of zeroed
> > pages.
>
> It appears to me to say that any virtual pages allocated to a process
> are pre-zeroed, which would include the BSS segment.

It says:

   "A large percentage of page faults that occur are zero-fill faults.
   You can usually see this by observing the vmstat -s output. These
   occur when a process accesses pages in its BSS area. "




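Whether the memory a process receives is zero-filled, and whether a password written into it survives free(), can be checked directly rather than argued from the man page. The C program below is an added example; it is not code from this thread or from FreeBSD. SECRET is a constructed sample string, and secure_zero() is a hand-rolled volatile-store scrub (assumed here because explicit_bzero(3) is not available on every platform). It maps anonymous memory with a non-page-aligned length and inspects the whole final page, i.e. the requested range plus the partial-page "extension" the mmap(2) text describes; then it writes the secret into a malloc() block, frees it, allocates the same size again and counts how much of the secret is still readable, once without and once with a scrub before free().

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* MAP_ANONYMOUS on glibc in strict modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling */
#endif

/* Constructed sample secret; nothing from the original thread. */
static const char SECRET[] = "hunter2-correct-horse";

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as dead (the usual failure of a plain memset() before free()).
 * Stand-in for explicit_bzero(3)/memset_s(). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Count non-zero bytes, reading through volatile so memory is really read. */
static size_t count_nonzero(const void *p, size_t n)
{
    const volatile unsigned char *vp = (const volatile unsigned char *)p;
    size_t nz = 0;
    for (size_t i = 0; i < n; i++)
        nz += (vp[i] != 0);
    return nz;
}

/* 1. Anonymous mmap(): map `len` bytes (not necessarily page aligned) and
 *    scan the whole final page, i.e. the requested range plus the
 *    partial-page tail. Returns the number of non-zero bytes seen; the
 *    kernel zero-fills anonymous memory, so this is 0. (size_t)-1 = error. */
static size_t anon_mmap_nonzero_bytes(size_t len)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        return (size_t)-1;
    size_t span = ((len + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;

    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return (size_t)-1;

    size_t nz = count_nonzero(m, span);
    munmap(m, len);
    return nz;
}

/* 2. Heap reuse: copy SECRET into a malloc() block, optionally scrub it,
 *    free it, malloc() the same size again and count how many SECRET bytes
 *    are still readable in the recycled block. The value is allocator
 *    dependent; the point is that malloc() promises no zeroing at all. */
static size_t heap_reuse_residue(int scrub_before_free)
{
    size_t n = sizeof SECRET;
    char *a = malloc(n);
    if (!a)
        return (size_t)-1;
    memcpy(a, SECRET, n);
    if (scrub_before_free)
        secure_zero(a, n);
    free(a);

    char *b = malloc(n);
    if (!b)
        return (size_t)-1;
    const volatile char *vb = b;   /* force a real read of recycled memory */
    size_t hits = 0;
    for (size_t i = 0; i + 1 < n; i++)   /* skip the NUL terminator */
        hits += (vb[i] == SECRET[i]);
    free(b);
    return hits;
}

/* 3. Scrubbing: after secure_zero() nothing of the secret remains. */
static size_t residue_after_scrub(void)
{
    char buf[sizeof SECRET];
    memcpy(buf, SECRET, sizeof buf);
    secure_zero(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

int main(void)
{
    printf("non-zero bytes in fresh anonymous mapping (len=100): %zu\n",
           anon_mmap_nonzero_bytes(100));
    printf("secret bytes surviving free()+malloc(), no scrub: %zu of %zu\n",
           heap_reuse_residue(0), sizeof SECRET - 1);
    printf("secret bytes surviving free()+malloc(), scrubbed:  %zu of %zu\n",
           heap_reuse_residue(1), sizeof SECRET - 1);
    printf("non-zero bytes after secure_zero(): %zu\n", residue_after_scrub());
    return 0;
}
```

A fresh anonymous mapping always comes back zeroed, including the tail of the last page, which is the kernel-level fact the thread is circling. What malloc() hands back after a free() is whatever the allocator left in the recycled chunk, so the practical answer to the "password theft from memory" question in the subject is to scrub the buffer yourself (explicit_bzero(3) on FreeBSD, memset_s() where available, or a volatile loop as above) before it is freed or goes out of scope, and not to rely on the allocator or the kernel to do it.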
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110426104151.596bcc19>