Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 1 May 2011 20:03:22 +0200
From:      "C. P. Ghost" <>
To:        Modulok <>
Subject:   Re: Password theft from memory?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, Apr 27, 2011 at 9:24 PM, Modulok <> wrote:
> I know that each process has its own private memory segment, but after a
> process exits, it nolonger owns that memory. What happens to it? If it's not
> zeroed out by my process, and it doesn't turn into pixie food, and it's not
> zeroed out by malloc... it still exists somewhere.

If I understand this correctly, when a process exits, the kernel reclaims its
address space and inserts it into its own address space (i.e. in a free list).
At this point, the pages are NOT (yet) zeroed out, they're merely detached
from the exiting process and attached to the kernel's free list.

Optionally, they may be zeroed in some time in the future, when a special
kernel thread pre-zeroes some pages there for faster allocation later.

In any case, when a new process starts and tries to mmap(2) those pages,
the kernel VM will lazily zero them out one by one upon first access by the

So, unless you access /dev/kmem to read virtual kernel memory directly,
you have NO way of getting access to the old data, even when it is not
yet zeroed. And as long as the permissions on /dev/kmem are sensibly
set, only privileged processes could access kernel virtual memory.

Coming to think of it, there's another exception besides /dev/kmem: a kernel
module runs with kernel privileges, and has access to the pages (of all
processes, and of the kernel including those on the free list). But this is
to be expected: a KLD becomes a part of the kernel when loaded.

> Maybe this would be best on hackers?
> -Modulok-


Cordula's Web.

Want to link to this message? Use this URL: <>