Vulnerability Development mailing list archives

Re: Getting passwords from the heap?


From: Fredrik Widlund <fredrik.widlund () defcom com>
Date: Tue, 3 Jul 2001 18:02:03 +0000

On Wednesday 27 June 2001  4:22 pm, Aigars Grins wrote:
Also, what is the difference between malloc(3) and calloc(3)?  calloc
says it's supposed to clear the memory, but malloc(3) does that too...

malloc() doesn't clear the memory, it requests a page from the OS, and the
OS may clear that page that the memory is allocated from if it hasn't already
been allocated for that user.  So the first malloc of 2k will return
clean memory, but the next malloc of 1k could return memory that has been
mucked with by something else in that process (variables in called
functions,
Sorry for my bad English... The following applies for OpenBSD 2.7 (and most
likely later versions as well). A more OpenBSD savvy programmer can
probably correct me on a lot of details (please do).

Malloc() uses sbrk() to access memory from the OS. This gives malloc() a
'static' area to work with. Static in the sense that it's always a single
continuous space (the end point is what changes when it gets/gives
resources from/to the OS). This space is continuous from userland
perspective, i.e. the space is not a continuous physical RAM space.

(The following applies for OpenBSD 2.8 (and likely 2.7 as well...))

Malloc really uses sbrk() to get the 'program break', then uses brk() to set
a new break (i.e. grows/shrinks the program heap). The BRK(2) man-page is
wrong btw., brk() returns 0 if ok, and something else (ENOMEM) on error.

brk() uses the sys_obreak (17) sys-call to allocate or deallocate memory. The
argument for brk() will be page rounded (up). On allocation, brk() calls
vm_allocate which by definition allocates _zero_filled_ memory. Thus, it is
not possible to see other processes' old memory contents using malloc.

The malloc implementation will reuse allocated pages when possible, which may
not be zero filled, and this is why calloc() exists.

Fredrik Widlund

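To make the post's last point concrete (a block that malloc() hands back after a free() may still hold the previous owner's data, while calloc() is what guarantees zero-filled memory, and wiping a secret before free() is what keeps it off the free list), here is an added C example; it is not code from the post or from OpenBSD. The secret string, the block size and the offset 64 are constructed sample values, and whether the unwiped case actually shows residue depends on the allocator recycling the freed chunk.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample secret standing in for a password read at runtime. */
static const char SECRET[] = "hunter2-constructed-sample";
#define BLOCK 256
#define OFF 64   /* skip the first bytes, which a freed chunk's metadata may overwrite */

/* Byte-wise volatile stores: a plain memset()/memcpy() right before free()
 * may be dropped by the compiler as a dead write; these may not. */
static void volatile_store(void *dst, const void *src, size_t n) {
    volatile unsigned char *d = dst;
    const unsigned char *s = src;
    while (n--) *d++ = *s++;
}

/* Store SECRET in a malloc()ed block, optionally wipe it, free() it, then
 * malloc() the same size and check whether the secret is still there.
 * Returns 1 if readable, 0 if not, -1 on allocation failure. With wipe == 0
 * the answer depends on the allocator recycling the chunk (commonly 1);
 * with wipe == 1 it is always 0, since nothing is left to recover. */
int heap_residue(int wipe) {
    static const unsigned char zeros[BLOCK];
    char *p = malloc(BLOCK);
    if (!p) return -1;
    volatile_store(p + OFF, SECRET, sizeof SECRET);
    if (wipe) volatile_store(p, zeros, BLOCK);   /* explicit_bzero-style wipe */
    free(p);
    char *q = malloc(BLOCK);                     /* often the same chunk again */
    if (!q) return -1;
    int found = memcmp(q + OFF, SECRET, sizeof SECRET) == 0;
    free(q);
    return found;
}

/* calloc() must hand back zero-filled memory even when it reuses a chunk that
 * still holds old data. Returns 1 if every byte is zero, 0 otherwise. */
int calloc_is_clean(void) {
    heap_residue(0);                             /* leave residue on the free list */
    unsigned char *q = calloc(1, BLOCK);
    if (!q) return -1;
    int clean = 1;
    for (size_t i = 0; i < BLOCK; i++)
        if (q[i]) { clean = 0; break; }
    free(q);
    return clean;
}
```

heap_residue(0) commonly returns 1 on allocators that give the just-freed chunk straight back, while heap_residue(1) and calloc_is_clean() return 0 and 1 respectively regardless of allocator.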
