On Thu, Apr 10, 2014 at 11:48:15AM -0600, [email protected] wrote:
> On Thu, Apr 10, 2014 at 06:26:48PM +0100, Rob Kendrick wrote:
> | On Thu, Apr 10, 2014 at 10:09:10AM -0700, Scott G. Kelly wrote:
> | > Does heartbleed allow one to read (discarded, freed) physical memory
> | > containing data from the OS and/or other processes in linux?
> |
> | Yes. It doesn't clear memory when it is freed, so you may end up
> | allocating memory that has old content in it, perhaps even from swap.
>
> Correct. FWIW, the grsecurity patch adds the [moderately expensive]
> capability to do this at the kernel level.
I'm overextending myself, because I haven't crawled through the Linux memory allocation code any time in the past 10 years, but I'm pretty sure that while it is true that free() doesn't clear memory, that is only an issue for re-allocation in the same process (or in other threads, which are in the same memory space.) The original question was whether a process could get uncleared memory from a *different* process, and I'm pretty sure that it can't.

As I replied in my other message, I'm pretty sure that when a process is started, it has an empty page table. If you access a page that maps to the real 0x0-page, you get a page fault. The kernel then looks to see if the access is below the current brk value, and if it is, it writes the address of a common zero-page to the page table. This zero-page is always kept with contents of 0. Since Linux is COW (copy-on-write), every read in that page will return 0s, and the first time you try to do a write you'll trap into the kernel, the kernel will copy the zero-page (which is all zeros) to a new page (effectively clearing anything that might have been there from another process that might have free()d it), and it'll write that new page's physical address to the page table.

So the OP's original concern/curiosity isn't a problem, as far as I can tell. That said, since most servers are multi-threaded, heartbleed will definitely allow memory to bleed between those threads, so that's bad enough...

-Craig

BTW. Sorry for the top-post last time... Forgot my net-manners.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
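An added illustration of the two claims made in the message above, not code from the thread: a page freshly handed to a process by the kernel reads as zeros (it is backed by the shared zero page until first write), while a block freed and re-allocated inside the same process keeps its old contents because free() does not wipe it. It assumes Linux with glibc's allocator, where a same-sized malloc() right after free() returns the same chunk from the tcache; the byte counts for the second case are allocator-dependent.

```c
#define _DEFAULT_SOURCE            /* expose MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define BLOCK_LEN 256     /* small enough to come from the heap, not a fresh mmap */
#define MARKER    0xA5    /* constructed stand-in for "secret" data */

/* Case 1: a page the kernel has just handed to this process. Every byte
 * reads as 0, whatever another process left in that physical frame.
 * Returns the number of non-zero bytes found (expected: 0). */
size_t nonzero_bytes_in_fresh_page(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return (size_t)-1;
    void *raw = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED) return (size_t)-1;
    volatile unsigned char *page = raw;   /* volatile: force real reads */
    size_t nonzero = 0;
    for (long i = 0; i < pagesz; i++)
        if (page[i] != 0) nonzero++;
    munmap(raw, (size_t)pagesz);
    return nonzero;
}

/* Case 2: a block freed and re-allocated inside the same process. With
 * glibc the same chunk comes back and only its first 16 bytes are
 * overwritten by tcache bookkeeping. Returns how many of the BLOCK_LEN
 * bytes still hold MARKER (expected: > 0; 240 on glibc). */
size_t stale_bytes_after_reuse(void) {
    volatile unsigned char *first = malloc(BLOCK_LEN);
    if (first == NULL) return 0;
    for (size_t i = 0; i < BLOCK_LEN; i++)
        first[i] = MARKER;     /* volatile stores: not elided before free() */
    free((void *)first);
    volatile unsigned char *second = malloc(BLOCK_LEN);  /* same size: same chunk */
    if (second == NULL) return 0;
    size_t stale = 0;
    for (size_t i = 0; i < BLOCK_LEN; i++)
        if (second[i] == MARKER) stale++;
    free((void *)second);
    return stale;
}

int main(void) {
    printf("non-zero bytes in fresh anonymous page: %zu\n", nonzero_bytes_in_fresh_page());
    printf("stale MARKER bytes in re-allocated block: %zu of %d\n",
           stale_bytes_after_reuse(), BLOCK_LEN);
    return 0;
}
```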
