[TALK] Proving fundamental Unix guarantees
peter.jeremy at alcatel.com.au
Mon Jun 30 16:28:30 EST 2003
On 2003-Jun-30 11:44:16 +1000, Peter Jeremy <peter.jeremy at alcatel.com.au> wrote:
>In response to a query, one of our Unix vendors has stated
>"OS-name-deleted-to-protect-the-guilty does not guarantee that all
>memory given to a program is necessarily initialised" and "there are
>regions known as BSS which hold data (i.e. program variables) which
>ARE NOT INITIALISED. What this means is that these variables will
>hold whatever was in that memory location before it was allocated to
>them. ... This is designed behaviour".
Based on the replies I have received, maybe I should have included
We have bumped into a problem where a warm reboot (eg "shutdown -r")
gives different behaviour to a cold reboot (eg "shutdown -h"/boot).
According to the vendor, the only difference is that in the latter
case physical RAM will be initialised, whereas in the former case it
retains the previous values. I have suggested that this appears to
indicate that the kernel is using memory without initialising it -
which is a bug in the kernel. The vendor has suggested that the
kernel passes memory to the application without initialising it and
therefore it is a bug in the application.
Whilst I agree that there may be bugs in the application, having a
kernel pass uninitialised memory to a userland process is a major
security hole. (Want another process to be given a copy of your
su/pgp/ssh processes memory image?) I have confirmed that as far as I
can determine (and as expected), all memory is initialised before
being passed to the application.
Definitely the C standards require uninitialised static variables
(which are normally stored in BSS) to be initialised as if they were
assigned zero (which is zero on most systems) - though the mechanism
isn't specified. I was hoping that some of the POSIX or SVID
standards might say some words on the the kernel/userland interface.
More information about the Talk