From owner-freebsd-questions@FreeBSD.ORG Tue Apr 26 09:42:00 2011
Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 26 Apr 2011 10:41:51 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Password theft from memory?
Message-ID: <20110426104151.596bcc19@gumby.homeunix.com>
In-Reply-To: <20110426025614.GA62745@stainmore>
References: <20110425151846.0a5359fd@gumby.homeunix.com>
 <20110425151536.GA61425@stainmore>
 <20110425175420.GA61811@stainmore>
 <20110425232908.4104e026@gumby.homeunix.com>
 <20110426025614.GA62745@stainmore>
X-Mailer: Claws Mail 3.7.8 (GTK+ 2.22.1; i386-portbld-freebsd8.2)

On Mon, 25 Apr 2011 22:56:14 -0400
Bob Hall wrote:

> On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> > On Mon, 25 Apr 2011 13:54:20 -0400
> > Bob Hall wrote:
> >
> > > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall wrote:
> > > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > > >> I don't believe the heap is allocated zeroed pages.  The
> > > > >> kernel does allocate such pages to the BSS segment, but
> > > > >> that's because it holds zeroed data such as C static
> > > > >> variables.
> > > > >
> > > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > > extends the uninitialized data segment with zero-filled pages.
> > > > > Since malloc() is an interface to sbrk, it does the same
> > > > > thing.
> > > >
> > > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > > allocators, depending on the user-settable flags
> > > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > > _malloc_options. So you have to look into mmap(2) too.
> > >
> > > Good point. From the man page:
> > > "Any such extension beyond the end of the mapped object will be
> > > zero-filled."
> > > and
> > > "A successful mmap deletes any previous mapping in the allocated
> > > address range."
> >
> > The above quote refers to zeroing the fraction of a page that's left
> > over when "len" isn't a multiple of the page size.
>
> The above quote states that the memory not occupied by the remapped
> object is zero filled. Which is to say that memory allocated by mmap()
> is either filled with new data or filled with zeros.

In context it says:

"If len is not a multiple of the page-size, the mapped region may extend
past the specified range. Any such extension beyond the end of the mapped
object will be zero-filled."

To me the most straightforward reading of that is that it's referring to
non-aligned address ranges.

Your interpretation may well be the intended one, but where would that
leave the anonymous mappings used by malloc? Are we to think of them as
extensions beyond a non-existent mapped object, and thus infer that they
are zero-filled? It's a bit of a stretch from what's written.

> > The reason I thought that heap memory isn't zeroed is from the
> > discussion of pre-zeroed pages in this article:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> >
> > It reads as if the BSS region is the only significant user of zeroed
> > pages.
>
> It appears to me to say that any virtual pages allocated to a process
> are pre-zeroed, which would include the BSS segment.

It says:

"A large percentage of page faults that occur are zero-fill faults. You
can usually see this by observing the vmstat -s output. These occur when
a process accesses pages in its BSS area."
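The thread argues over whether memory that malloc obtains via sbrk or mmap arrives zero-filled. The following program is an added example, not code from the thread, from FreeBSD or from its malloc; it checks the two properties that matter for the original "password theft from memory" question on a running system. First it maps a fresh anonymous region and verifies it reads as all zeros (anonymous mappings are zero-filled by the kernel; this is the property Bob Hall's reading of mmap(2) relies on). Second it shows why that guarantee does not by itself protect a secret: after a process writes a password into a malloc'd buffer and frees it, a later same-sized allocation commonly receives the same chunk, so the secret is still there unless the program wiped it before free. The helper names (wipe, anon_mapping_is_zeroed, secret_survives_free, find_marker), the buffer size and the marker string are this example's own choices, and the marker is a constructed sample, not a real credential.

```c
/* Added example (not part of the mailing-list thread): probes anonymous
 * mmap zero-fill and malloc chunk reuse, and shows wiping before free.
 * All helper names and constants below are this example's own. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose MAP_ANONYMOUS on strict glibc builds */
#endif
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON      /* BSD spelling */
# else
#  define MAP_ANONYMOUS 0x20          /* Linux value, strict-ISO fallback */
# endif
#endif

/* Zero a buffer through a volatile pointer so the stores are not dropped
 * as dead just because the buffer is freed immediately afterwards. This
 * stands in for explicit_bzero(3) where that function is not available. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Map a fresh anonymous region and report whether every byte reads as
 * zero: 1 = all zero, 0 = a non-zero byte was found, -1 = mmap failed. */
int anon_mapping_is_zeroed(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    const unsigned char *b = p;
    int zero = 1;
    for (size_t i = 0; i < len; i++) {
        if (b[i] != 0) { zero = 0; break; }
    }
    munmap(p, len);
    return zero;
}

/* Plain substring search over a byte buffer (memmem is not portable C). */
static int find_marker(const unsigned char *hay, size_t hn,
                       const char *needle, size_t nn)
{
    if (nn == 0 || hn < nn)
        return 0;
    for (size_t i = 0; i + nn <= hn; i++) {
        if (memcmp(hay + i, needle, nn) == 0)
            return 1;
    }
    return 0;
}

#define BUF_LEN    256
#define MARKER_OFF 64

/* Write a constructed secret into a malloc'd buffer, optionally wipe it,
 * free it, then allocate a same-sized buffer and look for the secret in
 * the recycled memory. Returns 1 if found, 0 if not, -1 on malloc failure. */
int secret_survives_free(int wipe_before_free)
{
    static const char marker[] = "SECRET-TOKEN-constructed-example";
    unsigned char *buf = malloc(BUF_LEN);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', BUF_LEN);
    /* Keep the marker away from the chunk start, where allocators often
     * store free-list bookkeeping once the chunk is released. */
    memcpy(buf + MARKER_OFF, marker, sizeof marker - 1);
    if (wipe_before_free)
        wipe(buf, BUF_LEN);
    free(buf);

    /* A same-sized request commonly gets back the chunk just freed; malloc
     * promises no fresh zero pages here, so leftover bytes are returned. */
    unsigned char *again = malloc(BUF_LEN);
    if (again == NULL)
        return -1;
    int found = find_marker(again, BUF_LEN, marker, sizeof marker - 1);
    free(again);
    return found;
}

int main(void)
{
    printf("fresh anonymous mmap all zero: %d\n",
           anon_mapping_is_zeroed(4 * 4096));
    printf("secret visible after free, no wipe (allocator-dependent): %d\n",
           secret_survives_free(0));
    printf("secret visible after free, wiped first: %d\n",
           secret_survives_free(1));
    return 0;
}
```

The first and third results are stable across allocators: a fresh anonymous mapping is zero and a wiped chunk cannot yield the marker. The middle result depends on the allocator's reuse policy, which is exactly the point for a process holding passwords: whether the kernel zero-fills new pages says nothing about data the process itself wrote and then released, so the control that matters is clearing the secret before free (explicit_bzero(3) on systems that have it, or a volatile loop as above) rather than relying on allocation-time zeroing.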