On Wed, Jan 11, 2012 at 11:45, Dave Hylands <[email protected]> wrote:
> Hi,
>
> On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <[email protected]> wrote:
> > Hi,
> >
> > My tutor asked me to test whether one process leaves information in
> > memory after it is dead. I tried to search for articles about this on
> > the Internet, but nobody seems to discuss it. After that, I tried to
> > write a program in user mode to test it, using fork() to create lots of
> > processes and filling a 102400-byte char array with the char 'a' in each
> > process. Then I used malloc() to get some memory and looked for the
> > char 'a' in one new process or many new processes, but failed. All the
> > memory I malloced was full of zeros.
>
> Yeah - so if it were possible for one process to get information about
> another process like that you would have a security leak.
>
> > As the man page of malloc says, "The memory is not initialized", I
> > believe that the memory obtained by malloc() could be used by another
> > process, and therefore an information leak exists. But how can I test
> > it? Or where can I get related information?
>
> All pages allocated from the OS will be initially zeroed; however,
> once your process owns the page, if you filled it with Z's and then
> freed it and reallocated you might very well get your Z's back
> instead of 0's. You'll never get data from another process though.

Real-world example in C: I fixed a security bug in Samba that dealt with
this exact problem. Credential files were read into memory as the root user
and then the memory was freed without being zeroed. A user could therefore
read the contents of a file that they didn't have permission to read, because
the whole thing was put in memory by a user that had permission to view the
file. Someone clever could churn through memory and find the credentials if
they knew that the mount command had just been run. I added a memset() to the
end of the parsing function to zero out the memory before freeing it back to
the OS.

http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c
(you can skip to the end of the patch if you don't want to follow the entire
flow of the code)

Does this help express the idea any better?

--
Peace and Blessings,
-Scott.
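The two points made in this thread, that memory recycled inside one process can still hold a previous allocation's bytes, and that a parser which loads a credentials file should zero the buffer before releasing it, as an added C example. This is editor-supplied code, not from the thread, from cifs-utils or from Samba. It assumes a constructed "credentials file" string (SAMPLE_CREDS, with a made-up marker value instead of a real secret) and hypothetical function names (parse_credentials, scrub, leak_after_parse, count_surviving_z). Reading memory after free() is undefined behaviour, so the parser's heap block is modelled by a caller-owned scratch buffer that can legally be inspected afterwards; count_surviving_z() does the real free()/malloc() experiment from Dave's reply but only reports what it observes, because the result depends on the allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: what a credentials file might look like once read into
 * memory. Not a real file and not a real secret. */
static const char SAMPLE_CREDS[] =
    "username=alice\n"
    "password=example-not-a-real-secret\n";
#define SECRET_MARKER "example-not-a-real-secret"

/* memset reached through a volatile function pointer: a plain memset() right
 * before free() is a dead store the compiler may legally drop, which would
 * silently undo the fix. Same intent as explicit_bzero()/memset_s(), which
 * not every libc provides. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;
static void scrub(void *p, size_t n) { memset_fn(p, 0, n); }

/* Copy the value after "password=" out of the loaded text into out.
 * Returns 1 on success, 0 if the key is missing or the value does not fit. */
static int extract_password(const char *text, char *out, size_t outcap) {
    const char *key = "password=";
    const char *p = strstr(text, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, "\n");
    if (n + 1 > outcap) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Inspection helper: is the marker still present anywhere in buf? */
static int buffer_holds_secret(const unsigned char *buf, size_t len) {
    size_t m = strlen(SECRET_MARKER);
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, SECRET_MARKER, m) == 0) return 1;
    return 0;
}

/* The parsing step. `scratch` stands in for the block the parser would
 * malloc(); the caller owns it so it can be examined after parsing.
 * scrub_before_release selects the careless (0) or the fixed (1) behaviour. */
static int parse_credentials(unsigned char *scratch, size_t cap,
                             char *pw_out, size_t pw_cap,
                             int scrub_before_release) {
    size_t n = sizeof(SAMPLE_CREDS);              /* includes the NUL */
    if (n > cap) return 0;
    memcpy(scratch, SAMPLE_CREDS, n);             /* "read file into memory" */
    int ok = extract_password((const char *)scratch, pw_out, pw_cap);
    if (scrub_before_release)
        scrub(scratch, cap);                      /* the fix: zero before release */
    return ok;
}

/* Run the parser on a 256-byte scratch block and report whether the secret
 * is still readable in that block afterwards (1 = yes, 0 = no, -1 = error). */
static int leak_after_parse(int scrub_before_release, char *pw_out, size_t pw_cap) {
    unsigned char scratch[256];
    memset(scratch, 0xAA, sizeof scratch);        /* pretend it is recycled memory */
    if (!parse_credentials(scratch, sizeof scratch, pw_out, pw_cap, scrub_before_release))
        return -1;
    return buffer_holds_secret(scratch, sizeof scratch);
}

/* Zero-argument wrappers so the results can be checked directly. */
static int secret_leaks_without_scrub(void) { char pw[64]; return leak_after_parse(0, pw, sizeof pw); }
static int secret_leaks_with_scrub(void)    { char pw[64]; return leak_after_parse(1, pw, sizeof pw); }
static int parsed_password_ok(void) {
    char pw[64];
    return leak_after_parse(1, pw, sizeof pw) == 0 && strcmp(pw, SECRET_MARKER) == 0;
}

/* Dave's point about reuse inside one process: fill a heap block with 'Z',
 * free it, allocate the same size again and count how many 'Z's survive.
 * Allocator-dependent (glibc typically hands back the same block with its
 * first bytes overwritten by free-list metadata); observe it, never rely on it. */
static size_t count_surviving_z(size_t sz) {
    unsigned char *a = malloc(sz);
    if (!a) return 0;
    memset(a, 'Z', sz);
    free(a);
    unsigned char *b = malloc(sz);
    if (!b) return 0;
    size_t survived = 0;
    for (size_t i = 0; i < sz; i++) survived += (b[i] == 'Z');
    free(b);
    return survived;
}

int main(void) {
    printf("without scrub: secret still in buffer = %d\n", secret_leaks_without_scrub());
    printf("with scrub:    secret still in buffer = %d, password parsed correctly = %d\n",
           secret_leaks_with_scrub(), parsed_password_ok());
    printf("'Z' bytes surviving free()+malloc(): %zu of 4096\n", count_surviving_z(4096));
    return 0;
}
```

The first two lines of output show the difference the memset() in the Samba patch makes: the password is parsed either way, but only the scrubbed path leaves nothing behind in the released block. The third line is the experiment from the quoted reply; on glibc it usually reports most of the 4096 bytes intact, which is exactly why a privileged parser must clear what it loaded before the block goes back to the allocator.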
_______________________________________________
Kernelnewbies mailing list
[email protected]
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
