Date:      Wed, 27 Apr 2011 01:45:54 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Password theft from memory?
Message-ID:  <20110427014554.1e4c5281@gumby.homeunix.com>
In-Reply-To: <BANLkTikQzhmyXkCeSzzG-o%2Bz0L3ohNt2YQ@mail.gmail.com>
References:  <BANLkTimJWAxW_4OmoeBQrvDDLjD-5Vr5hQ@mail.gmail.com> <BANLkTin_S%2BBRWu79AH16tPdgZd%2BUgZQAzQ@mail.gmail.com> <20110425151846.0a5359fd@gumby.homeunix.com> <20110425151536.GA61425@stainmore> <BANLkTinvvWhEy_A5ao=XWTpQOSTX0Vm2_A@mail.gmail.com> <20110425175420.GA61811@stainmore> <20110425232908.4104e026@gumby.homeunix.com> <20110426025614.GA62745@stainmore> <20110426104151.596bcc19@gumby.homeunix.com> <BANLkTikQzhmyXkCeSzzG-o%2Bz0L3ohNt2YQ@mail.gmail.com>

On Tue, 26 Apr 2011 16:23:11 +0200
"C. P. Ghost" <cpghost@cordula.ws> wrote:

> On Tue, Apr 26, 2011 at 11:41 AM, RW <rwmaillists@googlemail.com>
> wrote:
> >> The above quote states that the memory not occupied by the remapped
> >> object is zero filled. Which is to say that memory allocated by
> >> mmap() is either filled with new data or filled with zeros.
> >
> > In context it says:
> >
> >     "If len is not a multiple of the page-size, the mapped region
> > may extend past the specified range.  Any such extension beyond the
> >     end of the mapped object will be zero-filled."
> >
> > To me the most straightforward reading of that is that it's
> > referring to non-aligned address ranges.
> >
> > Your interpretation may well be the intended one, but where would
> > that leave the anonymous mappings used by malloc? Are we to think
> > of them as extensions beyond a non-existent mapped object, and thus
> > infer that they are zero-filled? It's a bit of a stretch from
> > what's written.
> 
> While it's not a *proof*, you could always do a little bit of black
> box testing.

I didn't really doubt it, if sbrk zero-filled then it would be a major
security regression if mmap didn't provide the same behaviour.

From vm_fault.c it looks clear a zeroed page is allocated when the
location is neither file-backed nor written-out to swap. That's probably
why mmap(2) doesn't bother to mention zero-filling except in a special
case.
