If the heap is initialized for security, then why is the stack uninitialized? The Next CEO of Stack OverflowSystem sending SIGTERM and SIGKILL during normal workHow to compile the C compiler from scratch, then compile Unix/Linux from scratchHow can I monitor per process/per thread memory consumption (divided into heap, stack, data, code)?Which parts of Memory can Swap Supportsecurity issues from installing from source code as rootWhat are the most restrictive external firewall / DNS listening port settings I can have for my DNS server (internal clients only)Trying to understanding startup procedure of monitWhy must the stack VMA be executable?Is copy-on-write not implemented based on page fault?What happens to the old stack, heap, and (initialized and uninitialized) data segments after execve() call?

What is the purpose of the Evocation wizard's Potent Cantrip feature?

Why do professional authors make "consistency" mistakes? And how to avoid them?

Rotate a column

How do I construct this japanese bowl?

Visit to the USA with ESTA approved before trip to Iran

How can I open an app using Terminal?

Inappropriate reference requests from Journal reviewers

Is a stroke of luck acceptable after a series of unfavorable events?

What is meant by a M next to a roman numeral?

Apart from "berlinern", do any other German dialects have a corresponding verb?

Is it my responsibility to learn a new technology in my own time my employer wants to implement?

How to write the block matrix in LaTex?

What is the difference between "behavior" and "behaviour"?

How to Reset Passwords on Multiple Websites Easily?

Return the Closest Prime Number

How easy is it to start Magic from scratch?

How can I get through very long and very dry, but also very useful technical documents when learning a new tool?

Why didn't Theresa May consult with Parliament before negotiating a deal with the EU?

Would this house-rule that treats advantage as a +1 to the roll instead (and disadvantage as -1) and allows them to stack be balanced?

Why doesn't a table tennis ball float on the surface? How do we calculate buoyancy here?

Where to find order of arguments for default functions

Putting a 2D region plot under a 3D plot

MAZDA 3 2006 (UK) - poor acceleration then takes off at 3250 revs

Horror movie/show or scene where a horse creature opens its mouth really wide and devours a man in a stables



If the heap is initialized for security, then why is the stack uninitialized?



The Next CEO of Stack OverflowSystem sending SIGTERM and SIGKILL during normal workHow to compile the C compiler from scratch, then compile Unix/Linux from scratchHow can I monitor per process/per thread memory consumption (divided into heap, stack, data, code)?Which parts of Memory can Swap Supportsecurity issues from installing from source code as rootWhat are the most restrictive external firewall / DNS listening port settings I can have for my DNS server (internal clients only)Trying to understanding startup procedure of monitWhy must the stack VMA be executable?Is copy-on-write not implemented based on page fault?What happens to the old stack, heap, and (initialized and uninitialized) data segments after execve() call?










4















On my Debian GNU/Linux 9 system, when a binary is executed,



  • the stack is uninitialized but

  • the heap is zero-initialized.

Why?



I assume that zero-initialization promotes security but, if for the heap, then why not also for the stack? Does the stack, too, not need security?



My question is not specific to Debian as far as I know.



Sample C code:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 8;

// --------------------------------------------------------------------
// UNINTERESTING CODE
// --------------------------------------------------------------------
static void print_array(
 const int *const p, const size_t size, const char *const name
)

 printf("%s at %p: ", name, p);
 for (size_t i = 0; i < size; ++i) printf("%d ", p[i]);
 printf("n");


// --------------------------------------------------------------------
// INTERESTING CODE
// --------------------------------------------------------------------
int main()

 int a[n];
 int *const b = malloc(n*sizeof(int));
 print_array(a, n, "a");
 print_array(b, n, "b");
 free(b);
 return 0;



Output:



a at 0x7ffe118997e0: 194 0 294230047 32766 294230046 32766 -550453275 32713 
b at 0x561d4bbfe010: 0 0 0 0 0 0 0 0


The C standard does not ask malloc() to clear memory before allocating it, of course, but my C program is merely for illustration. The question is not a question about C or about C's standard library. Rather, the question is a question about why the kernel and/or run-time loader are zeroing the heap but not the stack.



ANOTHER EXPERIMENT



My question regards observable GNU/Linux behavior rather than the requirements of standards documents. If unsure what I mean, then try this code, which invokes further undefined behavior (undefined, that is, as far as the C standard is concerned) to illustrate the point:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(sizeof(int));
 printf("%p %d ", p, *p);
 ++*p;
 printf("%dn", *p);
 free(p);
 
 return 0;



Output from my machine:



0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1


As far as the C standard is concerned, behavior is undefined, so my question does not regard the C standard. A call to malloc() need not return the same address each time but, since this call to malloc() does indeed happen to return the same address each time, it is interesting to notice that the memory, which is on the heap, is zeroed each time.



The stack, by contrast, had not seemed to be zeroed.



I do not know what the latter code will do on your machine, since I do not know which layer of the GNU/Linux system is causing the observed behavior. You can but try it.



UPDATE



@Kusalananda has observed in comments:




For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.




That my result differs from the result on OpenBSD is indeed interesting. Apparently, my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.



In this light, I believe that, together, the answers below of @Mosvy and @StephenKitt settle my question.



See also on Stack Overflow: Why does malloc initialize the values to 0 in gcc? (credit: @bta).






linux security memory







share|improve this question



















  • 1





    For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

    – Kusalananda
    5 hours ago












  • Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

    – mosvy
    5 hours ago







  • 2





    Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

    – mosvy
    5 hours ago












  • @mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

    – thb
    5 hours ago











  • @Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

    – thb
    4 hours ago















4















On my Debian GNU/Linux 9 system, when a binary is executed,



  • the stack is uninitialized but

  • the heap is zero-initialized.

Why?



I assume that zero-initialization promotes security but, if for the heap, then why not also for the stack? Does the stack, too, not need security?



My question is not specific to Debian as far as I know.



Sample C code:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 8;

// --------------------------------------------------------------------
// UNINTERESTING CODE
// --------------------------------------------------------------------
static void print_array(
 const int *const p, const size_t size, const char *const name
)

 printf("%s at %p: ", name, p);
 for (size_t i = 0; i < size; ++i) printf("%d ", p[i]);
 printf("n");


// --------------------------------------------------------------------
// INTERESTING CODE
// --------------------------------------------------------------------
int main()

 int a[n];
 int *const b = malloc(n*sizeof(int));
 print_array(a, n, "a");
 print_array(b, n, "b");
 free(b);
 return 0;



Output:



a at 0x7ffe118997e0: 194 0 294230047 32766 294230046 32766 -550453275 32713 
b at 0x561d4bbfe010: 0 0 0 0 0 0 0 0


The C standard does not ask malloc() to clear memory before allocating it, of course, but my C program is merely for illustration. The question is not a question about C or about C's standard library. Rather, the question is a question about why the kernel and/or run-time loader are zeroing the heap but not the stack.



ANOTHER EXPERIMENT



My question regards observable GNU/Linux behavior rather than the requirements of standards documents. If unsure what I mean, then try this code, which invokes further undefined behavior (undefined, that is, as far as the C standard is concerned) to illustrate the point:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(sizeof(int));
 printf("%p %d ", p, *p);
 ++*p;
 printf("%dn", *p);
 free(p);
 
 return 0;



Output from my machine:



0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1


As far as the C standard is concerned, behavior is undefined, so my question does not regard the C standard. A call to malloc() need not return the same address each time but, since this call to malloc() does indeed happen to return the same address each time, it is interesting to notice that the memory, which is on the heap, is zeroed each time.



The stack, by contrast, had not seemed to be zeroed.



I do not know what the latter code will do on your machine, since I do not know which layer of the GNU/Linux system is causing the observed behavior. You can but try it.



UPDATE



@Kusalananda has observed in comments:




For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.




That my result differs from the result on OpenBSD is indeed interesting. Apparently, my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.



In this light, I believe that, together, the answers below of @Mosvy and @StephenKitt settle my question.



See also on Stack Overflow: Why does malloc initialize the values to 0 in gcc? (credit: @bta).






linux security memory







share|improve this question



















  • 1





    For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

    – Kusalananda
    5 hours ago












  • Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

    – mosvy
    5 hours ago







  • 2





    Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

    – mosvy
    5 hours ago












  • @mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

    – thb
    5 hours ago











  • @Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

    – thb
    4 hours ago













4












4








4


0






On my Debian GNU/Linux 9 system, when a binary is executed,



  • the stack is uninitialized but

  • the heap is zero-initialized.

Why?



I assume that zero-initialization promotes security but, if for the heap, then why not also for the stack? Does the stack, too, not need security?



My question is not specific to Debian as far as I know.



Sample C code:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 8;

// --------------------------------------------------------------------
// UNINTERESTING CODE
// --------------------------------------------------------------------
static void print_array(
 const int *const p, const size_t size, const char *const name
)

 printf("%s at %p: ", name, p);
 for (size_t i = 0; i < size; ++i) printf("%d ", p[i]);
 printf("n");


// --------------------------------------------------------------------
// INTERESTING CODE
// --------------------------------------------------------------------
int main()

 int a[n];
 int *const b = malloc(n*sizeof(int));
 print_array(a, n, "a");
 print_array(b, n, "b");
 free(b);
 return 0;



Output:



a at 0x7ffe118997e0: 194 0 294230047 32766 294230046 32766 -550453275 32713 
b at 0x561d4bbfe010: 0 0 0 0 0 0 0 0


The C standard does not ask malloc() to clear memory before allocating it, of course, but my C program is merely for illustration. The question is not a question about C or about C's standard library. Rather, the question is a question about why the kernel and/or run-time loader are zeroing the heap but not the stack.



ANOTHER EXPERIMENT



My question regards observable GNU/Linux behavior rather than the requirements of standards documents. If unsure what I mean, then try this code, which invokes further undefined behavior (undefined, that is, as far as the C standard is concerned) to illustrate the point:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(sizeof(int));
 printf("%p %d ", p, *p);
 ++*p;
 printf("%dn", *p);
 free(p);
 
 return 0;



Output from my machine:



0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1


As far as the C standard is concerned, behavior is undefined, so my question does not regard the C standard. A call to malloc() need not return the same address each time but, since this call to malloc() does indeed happen to return the same address each time, it is interesting to notice that the memory, which is on the heap, is zeroed each time.



The stack, by contrast, had not seemed to be zeroed.



I do not know what the latter code will do on your machine, since I do not know which layer of the GNU/Linux system is causing the observed behavior. You can but try it.



UPDATE



@Kusalananda has observed in comments:




For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.




That my result differs from the result on OpenBSD is indeed interesting. Apparently, my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.



In this light, I believe that, together, the answers below of @Mosvy and @StephenKitt settle my question.



See also on Stack Overflow: Why does malloc initialize the values to 0 in gcc? (credit: @bta).






linux security memory







share|improve this question
















On my Debian GNU/Linux 9 system, when a binary is executed,



  • the stack is uninitialized but

  • the heap is zero-initialized.

Why?



I assume that zero-initialization promotes security but, if for the heap, then why not also for the stack? Does the stack, too, not need security?



My question is not specific to Debian as far as I know.



Sample C code:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 8;

// --------------------------------------------------------------------
// UNINTERESTING CODE
// --------------------------------------------------------------------
static void print_array(
 const int *const p, const size_t size, const char *const name
)

 printf("%s at %p: ", name, p);
 for (size_t i = 0; i < size; ++i) printf("%d ", p[i]);
 printf("n");


// --------------------------------------------------------------------
// INTERESTING CODE
// --------------------------------------------------------------------
int main()

 int a[n];
 int *const b = malloc(n*sizeof(int));
 print_array(a, n, "a");
 print_array(b, n, "b");
 free(b);
 return 0;



Output:



a at 0x7ffe118997e0: 194 0 294230047 32766 294230046 32766 -550453275 32713 
b at 0x561d4bbfe010: 0 0 0 0 0 0 0 0


The C standard does not ask malloc() to clear memory before allocating it, of course, but my C program is merely for illustration. The question is not a question about C or about C's standard library. Rather, the question is a question about why the kernel and/or run-time loader are zeroing the heap but not the stack.



ANOTHER EXPERIMENT



My question regards observable GNU/Linux behavior rather than the requirements of standards documents. If unsure what I mean, then try this code, which invokes further undefined behavior (undefined, that is, as far as the C standard is concerned) to illustrate the point:



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(sizeof(int));
 printf("%p %d ", p, *p);
 ++*p;
 printf("%dn", *p);
 free(p);
 
 return 0;



Output from my machine:



0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1


As far as the C standard is concerned, behavior is undefined, so my question does not regard the C standard. A call to malloc() need not return the same address each time but, since this call to malloc() does indeed happen to return the same address each time, it is interesting to notice that the memory, which is on the heap, is zeroed each time.



The stack, by contrast, had not seemed to be zeroed.



I do not know what the latter code will do on your machine, since I do not know which layer of the GNU/Linux system is causing the observed behavior. You can but try it.



UPDATE



@Kusalananda has observed in comments:




For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.




That my result differs from the result on OpenBSD is indeed interesting. Apparently, my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.



In this light, I believe that, together, the answers below of @Mosvy and @StephenKitt settle my question.



See also on Stack Overflow: Why does malloc initialize the values to 0 in gcc? (credit: @bta).






linux security memory




linux security memory






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 4 hours ago







thb

















asked 12 hours ago









thbthb

548415




548415







  • 1





    For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

    – Kusalananda
    5 hours ago












  • Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

    – mosvy
    5 hours ago







  • 2





    Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

    – mosvy
    5 hours ago












  • @mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

    – thb
    5 hours ago











  • @Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

    – thb
    4 hours ago












  • 1





    For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

    – Kusalananda
    5 hours ago












  • Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

    – mosvy
    5 hours ago







  • 2





    Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

    – mosvy
    5 hours ago












  • @mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

    – thb
    5 hours ago











  • @Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

    – thb
    4 hours ago







1




1





For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

– Kusalananda
5 hours ago






For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.

– Kusalananda
5 hours ago














Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

– mosvy
5 hours ago






Please do not change the scope of your question, and do not try to edit it in order to make answers and comments redundant. In C, the "heap" is nothing else but the memory returned by malloc() and calloc(), and only the latter is zeroing out the memory; the new operator in C++ (also "heap") is on Linux just a wrapper for malloc(); the kernel doesn't know nor care what the "heap" is.

– mosvy
5 hours ago





2




2





Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

– mosvy
5 hours ago






Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed.

– mosvy
5 hours ago














@mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

– thb
5 hours ago





@mosvy Aha. Confirmed. I will add my confirmation code to your answer, if this is acceptable to you. You can approve the edit at your discretion.

– thb
5 hours ago













@Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

– thb
4 hours ago





@Kusalananda I see. That my result differs from the result on OpenBSD is indeed interesting. Apparently, you and Mosvy have shown that my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.

– thb
4 hours ago










3 Answers
3






active

oldest

votes


















12














The storage returned by malloc() is not zero-initialized. Do not ever assume it is.



In your test program, it's just a fluke: I guess the malloc()just got a fresh block off mmap(), but don't rely on that, either.



For an example, if I run your program on my machine this way:



$ echo 'void __attribute__((constructor)) p(void)
 void *b = malloc(4444); memset(b, 4, 4444); free(b);
' | cc -include stdlib.h -include string.h -xc - -shared -o pollute.so

$ LD_PRELOAD=./pollute.so ./your_program
a at 0x7ffd40d3aa60: 1256994848 21891 1256994464 21891 1087613792 32765 0 0
b at 0x55834c75d010: 67372036 67372036 67372036 67372036 67372036 67372036 67372036 67372036


Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;
const size_t m = 0x10;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(m*sizeof(int));
 printf("%p ", p);
 for (size_t j = 0; j < m; ++j) 
 printf("%d:", p[j]);
 ++p[j];
 printf("%d ", p[j]);
 
 free(p);
 printf("n");
 
 return 0;



Output:



0x55be12864010 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 
0x55be12864010 0:1 0:1 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 
0x55be12864010 0:1 0:1 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 
0x55be12864010 0:1 0:1 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4





share|improve this answer

























  • Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

    – thb
    6 hours ago






  • 6





    I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

    – mosvy
    6 hours ago



















13














Regardless of how the stack is initialised, you’re not seeing a pristine stack, because the C library does a number of things before calling main, and they touch the stack.



With the GNU C library, on x86-64, execution starts at the _start entry point, which calls __libc_start_main to set things up, and the latter ends up calling main. But before calling main, it calls a number of other functions, which causes various pieces of data to be written to the stack. The stack’s contents aren’t cleared in between function calls, so when you get into main, your stack contains leftovers from the previous function calls.



This only explains the results you get from the stack, see the other answers regarding your general approach and assumptions.






share|improve this answer

























  • Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

    – Andrew Henle
    6 hours ago











  • Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

    – thb
    4 hours ago


















8














In both cases, you get uninitialized memory, and you can't make any assumptions about its contents.



When the OS has to apportion a new page to your process (whether that's for its stack or for the arena used by malloc()), it guarantees that it won't expose data from other processes; the usual way to ensure that is to fill it with zeros (but it's equally valid to overwrite with anything else, including even a page worth of /dev/urandom - in fact some debugging malloc() implementations write non-zero patterns, to catch mistaken assumptions such as yours).



If malloc() can satisfy the request from memory already used and released by this process, its contents won't be cleared (in fact, the clearing is nothing to do with malloc() and it can't be - it has to happen before the memory is mapped into your address space). You may get memory that has previously been written by your process/program (e.g. before main()).



In your example program, you're seeing a malloc() region that hasn't yet been written by this process (i.e. it's direct from a new page) and a stack that has been written to (by pre-main() code in your program). If you examine more of the stack, you'll find it's zero-filled further down (in its direction of growth).



If you really want to understand what's happening at the OS level, I recommend that you bypass the C Library layer and interact using system calls such as brk() and mmap() instead.






share|improve this answer

























  • Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

    – thb
    6 hours ago






  • 1





    A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

    – thb
    6 hours ago












  • Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

    – Joshua
    6 hours ago






  • 1





    @thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

    – Toby Speight
    5 hours ago







  • 1





    @TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

    – Joshua
    4 hours ago












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f509232%2fif-the-heap-is-initialized-for-security-then-why-is-the-stack-uninitialized%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









12














The storage returned by malloc() is not zero-initialized. Do not ever assume it is.



In your test program, it's just a fluke: I guess the malloc()just got a fresh block off mmap(), but don't rely on that, either.



For an example, if I run your program on my machine this way:



$ echo 'void __attribute__((constructor)) p(void)
 void *b = malloc(4444); memset(b, 4, 4444); free(b);
' | cc -include stdlib.h -include string.h -xc - -shared -o pollute.so

$ LD_PRELOAD=./pollute.so ./your_program
a at 0x7ffd40d3aa60: 1256994848 21891 1256994464 21891 1087613792 32765 0 0
b at 0x55834c75d010: 67372036 67372036 67372036 67372036 67372036 67372036 67372036 67372036


Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;
const size_t m = 0x10;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(m*sizeof(int));
 printf("%p ", p);
 for (size_t j = 0; j < m; ++j) 
 printf("%d:", p[j]);
 ++p[j];
 printf("%d ", p[j]);
 
 free(p);
 printf("n");
 
 return 0;



Output:



0x55be12864010 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 
0x55be12864010 0:1 0:1 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 
0x55be12864010 0:1 0:1 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 
0x55be12864010 0:1 0:1 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4





share|improve this answer

























  • Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

    – thb
    6 hours ago






  • 6





    I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

    – mosvy
    6 hours ago
















12














The storage returned by malloc() is not zero-initialized. Do not ever assume it is.



In your test program, it's just a fluke: I guess the malloc()just got a fresh block off mmap(), but don't rely on that, either.



For an example, if I run your program on my machine this way:



$ echo 'void __attribute__((constructor)) p(void)
 void *b = malloc(4444); memset(b, 4, 4444); free(b);
' | cc -include stdlib.h -include string.h -xc - -shared -o pollute.so

$ LD_PRELOAD=./pollute.so ./your_program
a at 0x7ffd40d3aa60: 1256994848 21891 1256994464 21891 1087613792 32765 0 0
b at 0x55834c75d010: 67372036 67372036 67372036 67372036 67372036 67372036 67372036 67372036


Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;
const size_t m = 0x10;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(m*sizeof(int));
 printf("%p ", p);
 for (size_t j = 0; j < m; ++j) 
 printf("%d:", p[j]);
 ++p[j];
 printf("%d ", p[j]);
 
 free(p);
 printf("n");
 
 return 0;



Output:



0x55be12864010 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 
0x55be12864010 0:1 0:1 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 
0x55be12864010 0:1 0:1 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 
0x55be12864010 0:1 0:1 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4





share|improve this answer

























  • Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

    – thb
    6 hours ago






  • 6





    I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

    – mosvy
    6 hours ago














12












12








12







The storage returned by malloc() is not zero-initialized. Do not ever assume it is.



In your test program, it's just a fluke: I guess the malloc()just got a fresh block off mmap(), but don't rely on that, either.



For an example, if I run your program on my machine this way:



$ echo 'void __attribute__((constructor)) p(void)
 void *b = malloc(4444); memset(b, 4, 4444); free(b);
' | cc -include stdlib.h -include string.h -xc - -shared -o pollute.so

$ LD_PRELOAD=./pollute.so ./your_program
a at 0x7ffd40d3aa60: 1256994848 21891 1256994464 21891 1087613792 32765 0 0
b at 0x55834c75d010: 67372036 67372036 67372036 67372036 67372036 67372036 67372036 67372036


Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;
const size_t m = 0x10;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(m*sizeof(int));
 printf("%p ", p);
 for (size_t j = 0; j < m; ++j) 
 printf("%d:", p[j]);
 ++p[j];
 printf("%d ", p[j]);
 
 free(p);
 printf("n");
 
 return 0;



Output:



0x55be12864010 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 
0x55be12864010 0:1 0:1 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 
0x55be12864010 0:1 0:1 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 
0x55be12864010 0:1 0:1 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4





share|improve this answer















The storage returned by malloc() is not zero-initialized. Do not ever assume it is.



In your test program, it's just a fluke: I guess the malloc()just got a fresh block off mmap(), but don't rely on that, either.



For an example, if I run your program on my machine this way:



$ echo 'void __attribute__((constructor)) p(void)
 void *b = malloc(4444); memset(b, 4, 4444); free(b);
' | cc -include stdlib.h -include string.h -xc - -shared -o pollute.so

$ LD_PRELOAD=./pollute.so ./your_program
a at 0x7ffd40d3aa60: 1256994848 21891 1256994464 21891 1087613792 32765 0 0
b at 0x55834c75d010: 67372036 67372036 67372036 67372036 67372036 67372036 67372036 67372036


Your second example is simply exposing an artifact of the malloc implementation in glibc; if you do that repeated malloc/free with a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.



#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

const size_t n = 4;
const size_t m = 0x10;

int main()

 for (size_t i = n; i; --i) 
 int *const p = malloc(m*sizeof(int));
 printf("%p ", p);
 for (size_t j = 0; j < m; ++j) 
 printf("%d:", p[j]);
 ++p[j];
 printf("%d ", p[j]);
 
 free(p);
 printf("n");
 
 return 0;



Output:



0x55be12864010 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 0:1 
0x55be12864010 0:1 0:1 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 1:2 
0x55be12864010 0:1 0:1 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 2:3 
0x55be12864010 0:1 0:1 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4 3:4






share|improve this answer














share|improve this answer



share|improve this answer








edited 4 hours ago









thb

548415




548415










answered 8 hours ago









mosvymosvy

8,7021733




8,7021733












  • Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

    – thb
    6 hours ago






  • 6





    I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

    – mosvy
    6 hours ago


















  • Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

    – thb
    6 hours ago






  • 6





    I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

    – mosvy
    6 hours ago

















Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

– thb
6 hours ago





Well, yes, but this is why I have asked the question here rather than on Stack Overflow. My question was not about the C standard but about the way modern GNU/Linux systems typically link and load binaries. Your LD_PRELOAD is humorous but answers another question than the question I had meant to ask.

– thb
6 hours ago




6




6





I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

– mosvy
6 hours ago






I'm happy I made you laugh, but your assumptions and prejudices aren't funny at all. On a "modern GNU/Linux system", binaries are typically loaded by a dynamic linker, which is running constructors from dynamic libraries before getting to the main() function from your program. On your very Debian GNU/Linux 9 system, both malloc() and free() will be called more than once before the main() function from your program, even when not using any preloaded libraries.

– mosvy
6 hours ago














13














Regardless of how the stack is initialised, you’re not seeing a pristine stack, because the C library does a number of things before calling main, and they touch the stack.



With the GNU C library, on x86-64, execution starts at the _start entry point, which calls __libc_start_main to set things up, and the latter ends up calling main. But before calling main, it calls a number of other functions, which causes various pieces of data to be written to the stack. The stack’s contents aren’t cleared in between function calls, so when you get into main, your stack contains leftovers from the previous function calls.



This only explains the results you get from the stack, see the other answers regarding your general approach and assumptions.






share|improve this answer

























  • Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

    – Andrew Henle
    6 hours ago











  • Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

    – thb
    4 hours ago















13














Regardless of how the stack is initialised, you’re not seeing a pristine stack, because the C library does a number of things before calling main, and they touch the stack.



With the GNU C library, on x86-64, execution starts at the _start entry point, which calls __libc_start_main to set things up, and the latter ends up calling main. But before calling main, it calls a number of other functions, which causes various pieces of data to be written to the stack. The stack’s contents aren’t cleared in between function calls, so when you get into main, your stack contains leftovers from the previous function calls.



This only explains the results you get from the stack, see the other answers regarding your general approach and assumptions.






share|improve this answer

























  • Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

    – Andrew Henle
    6 hours ago











  • Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

    – thb
    4 hours ago













13












13








13







Regardless of how the stack is initialised, you’re not seeing a pristine stack, because the C library does a number of things before calling main, and they touch the stack.



With the GNU C library, on x86-64, execution starts at the _start entry point, which calls __libc_start_main to set things up, and the latter ends up calling main. But before calling main, it calls a number of other functions, which causes various pieces of data to be written to the stack. The stack’s contents aren’t cleared in between function calls, so when you get into main, your stack contains leftovers from the previous function calls.



This only explains the results you get from the stack, see the other answers regarding your general approach and assumptions.






share|improve this answer















Regardless of how the stack is initialised, you’re not seeing a pristine stack, because the C library does a number of things before calling main, and they touch the stack.



With the GNU C library, on x86-64, execution starts at the _start entry point, which calls __libc_start_main to set things up, and the latter ends up calling main. But before calling main, it calls a number of other functions, which causes various pieces of data to be written to the stack. The stack’s contents aren’t cleared in between function calls, so when you get into main, your stack contains leftovers from the previous function calls.



This only explains the results you get from the stack, see the other answers regarding your general approach and assumptions.







share|improve this answer














share|improve this answer



share|improve this answer








edited 6 hours ago

























answered 10 hours ago









Stephen KittStephen Kitt

178k24406484




178k24406484












  • Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

    – Andrew Henle
    6 hours ago











  • Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

    – thb
    4 hours ago

















  • Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

    – Andrew Henle
    6 hours ago











  • Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

    – thb
    4 hours ago
















Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

– Andrew Henle
6 hours ago





Note that by the time main() is called, initialization routines may very well have modified memory returned by malloc() - especially if C++ libraries are linked in. Assuming the "heap" is initialized to anything is a really, really bad assumption.

– Andrew Henle
6 hours ago













Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

– thb
4 hours ago





Your answer together with the Mosvy's settle my question. The system unfortunately allows me to accept only one of the two; otherwise, I would accept both.

– thb
4 hours ago











8














In both cases, you get uninitialized memory, and you can't make any assumptions about its contents.



When the OS has to apportion a new page to your process (whether that's for its stack or for the arena used by malloc()), it guarantees that it won't expose data from other processes; the usual way to ensure that is to fill it with zeros (but it's equally valid to overwrite with anything else, including even a page worth of /dev/urandom - in fact some debugging malloc() implementations write non-zero patterns, to catch mistaken assumptions such as yours).



If malloc() can satisfy the request from memory already used and released by this process, its contents won't be cleared (in fact, the clearing is nothing to do with malloc() and it can't be - it has to happen before the memory is mapped into your address space). You may get memory that has previously been written by your process/program (e.g. before main()).



In your example program, you're seeing a malloc() region that hasn't yet been written by this process (i.e. it's direct from a new page) and a stack that has been written to (by pre-main() code in your program). If you examine more of the stack, you'll find it's zero-filled further down (in its direction of growth).



If you really want to understand what's happening at the OS level, I recommend that you bypass the C Library layer and interact using system calls such as brk() and mmap() instead.






share|improve this answer

























  • Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

    – thb
    6 hours ago






  • 1





    A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

    – thb
    6 hours ago












  • Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

    – Joshua
    6 hours ago






  • 1





    @thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

    – Toby Speight
    5 hours ago







  • 1





    @TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

    – Joshua
    4 hours ago
















8














In both cases, you get uninitialized memory, and you can't make any assumptions about its contents.



When the OS has to apportion a new page to your process (whether that's for its stack or for the arena used by malloc()), it guarantees that it won't expose data from other processes; the usual way to ensure that is to fill it with zeros (but it's equally valid to overwrite with anything else, including even a page worth of /dev/urandom - in fact some debugging malloc() implementations write non-zero patterns, to catch mistaken assumptions such as yours).



If malloc() can satisfy the request from memory already used and released by this process, its contents won't be cleared (in fact, the clearing is nothing to do with malloc() and it can't be - it has to happen before the memory is mapped into your address space). You may get memory that has previously been written by your process/program (e.g. before main()).



In your example program, you're seeing a malloc() region that hasn't yet been written by this process (i.e. it's direct from a new page) and a stack that has been written to (by pre-main() code in your program). If you examine more of the stack, you'll find it's zero-filled further down (in its direction of growth).



If you really want to understand what's happening at the OS level, I recommend that you bypass the C Library layer and interact using system calls such as brk() and mmap() instead.






share|improve this answer

























  • Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

    – thb
    6 hours ago






  • 1





    A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

    – thb
    6 hours ago












  • Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

    – Joshua
    6 hours ago






  • 1





    @thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

    – Toby Speight
    5 hours ago







  • 1





    @TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

    – Joshua
    4 hours ago














8












8








8







In both cases, you get uninitialized memory, and you can't make any assumptions about its contents.



When the OS has to apportion a new page to your process (whether that's for its stack or for the arena used by malloc()), it guarantees that it won't expose data from other processes; the usual way to ensure that is to fill it with zeros (but it's equally valid to overwrite with anything else, including even a page worth of /dev/urandom - in fact some debugging malloc() implementations write non-zero patterns, to catch mistaken assumptions such as yours).



If malloc() can satisfy the request from memory already used and released by this process, its contents won't be cleared (in fact, the clearing is nothing to do with malloc() and it can't be - it has to happen before the memory is mapped into your address space). You may get memory that has previously been written by your process/program (e.g. before main()).



In your example program, you're seeing a malloc() region that hasn't yet been written by this process (i.e. it's direct from a new page) and a stack that has been written to (by pre-main() code in your program). If you examine more of the stack, you'll find it's zero-filled further down (in its direction of growth).



If you really want to understand what's happening at the OS level, I recommend that you bypass the C Library layer and interact using system calls such as brk() and mmap() instead.






share|improve this answer















In both cases, you get uninitialized memory, and you can't make any assumptions about its contents.



When the OS has to apportion a new page to your process (whether that's for its stack or for the arena used by malloc()), it guarantees that it won't expose data from other processes; the usual way to ensure that is to fill it with zeros (but it's equally valid to overwrite with anything else, including even a page worth of /dev/urandom - in fact some debugging malloc() implementations write non-zero patterns, to catch mistaken assumptions such as yours).



If malloc() can satisfy the request from memory already used and released by this process, its contents won't be cleared (in fact, the clearing is nothing to do with malloc() and it can't be - it has to happen before the memory is mapped into your address space). You may get memory that has previously been written by your process/program (e.g. before main()).



In your example program, you're seeing a malloc() region that hasn't yet been written by this process (i.e. it's direct from a new page) and a stack that has been written to (by pre-main() code in your program). If you examine more of the stack, you'll find it's zero-filled further down (in its direction of growth).



If you really want to understand what's happening at the OS level, I recommend that you bypass the C Library layer and interact using system calls such as brk() and mmap() instead.







share|improve this answer














share|improve this answer



share|improve this answer








edited 5 hours ago

























answered 7 hours ago









Toby SpeightToby Speight

5,45711133




5,45711133












  • Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

    – thb
    6 hours ago






  • 1





    A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

    – thb
    6 hours ago












  • Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

    – Joshua
    6 hours ago






  • 1





    @thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

    – Toby Speight
    5 hours ago







  • 1





    @TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

    – Joshua
    4 hours ago


















  • Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

    – thb
    6 hours ago






  • 1





    A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

    – thb
    6 hours ago












  • Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

    – Joshua
    6 hours ago






  • 1





    @thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

    – Toby Speight
    5 hours ago







  • 1





    @TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

    – Joshua
    4 hours ago

















Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

– thb
6 hours ago





Your answer is good as far as it goes, +1, but my question has lent itself to misunderstanding. I have edited the question to clarify that I am not asking not about the requirements of the C standard (if I were asking that, I would ask on Stack Overflow) but about the observed behavior of GNU/Linux systems.

– thb
6 hours ago




1




1





A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

– thb
6 hours ago






A week or two ago, I tried a different experiment, calling malloc() and free() repeatedly. Though nothing requires malloc() to reuse the same storage recently freed, in the experiment, malloc() did happen to do that. It happened to return the same address each time, but also nulled the memory each time, which I had not expected. This was interesting to me. Further experiments have led to today's question.

– thb
6 hours ago














Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

– Joshua
6 hours ago





Uhh, if you call a low enough level call it is indeed guaranteed to be filled with zeros.

– Joshua
6 hours ago




1




1





@thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

– Toby Speight
5 hours ago






@thb, Perhaps I'm not being clear enough - most implementations of malloc() do absolutely nothing with the memory they hand you - it's either previously-used, or freshly-assigned (and therefore zeroed by the OS). In your test, you evidently got the latter. Similarly, the stack memory is given to your process in the cleared state, but you don't examine it far enough to see parts your process hasn't yet touched. Your stack memory is cleared before it's given to your process.

– Toby Speight
5 hours ago





1




1





@TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

– Joshua
4 hours ago






@TobySpeight: brk and sbrk are obsoleted by mmap. pubs.opengroup.org/onlinepubs/7908799/xsh/brk.html says LEGACY right at the top.

– Joshua
4 hours ago


















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f509232%2fif-the-heap-is-initialized-for-security-then-why-is-the-stack-uninitialized%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How to create a command for the “strange m” symbol in latex? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)How do you make your own symbol when Detexify fails?Writing bold small caps with mathpazo packageplus-minus symbol with parenthesis around the minus signGreek character in Beamer document titleHow to create dashed right arrow over symbol?Currency symbol: Turkish LiraDouble prec as a single symbol?Plus Sign Too Big; How to Call adfbullet?Is there a TeX macro for three-legged pi?How do I get my integral-like symbol to align like the integral?How to selectively substitute a letter with another symbol representing the same letterHow do I generate a less than symbol and vertical bar that are the same height?

Image
Why does BitLocker not use RSA? Why do people think Winterfell crypts is the safest place for women, children & old people? Why can't I add a governing law to my terms of service to avoid GDPR? tikz: drawing arrow How to renew schengen visas Unix AIX passing variable and arguments to expect and spawn Why did Bronn offer to be Tyrion Lannister's champion in trial by combat? Why not use the yoke to control yaw, as well as pitch and roll? How is an IPA symbol that lacks a name (e.g. ɲ) called? Raising a bilingual kid. When should we introduce the majority language? How to get a single big right brace? How do you cope with tons of web fonts when copying and pasting from web pages? How do I overlay a PNG over two videos (one video overlays another) in one command using FFmpeg? Cutting branch and stick it in pot? Flameskull resistant to magical piercing damage? When speaking, how do you change your mind mid-sentence? Can I take recommendation from
Read more

Българска екзархия Съдържание История | Български екзарси | Вижте също | Външни препратки | Литература | Бележки | НавигацияУстав за управлението на българската екзархия. Цариград, 1870Слово на Ловешкия митрополит Иларион при откриването на Българския народен събор в Цариград на 23. II. 1870 г.Българската правда и гръцката кривда. От С. М. (= Софийски Мелетий). Цариград, 1872Предстоятели на Българската екзархияПодмененият ВеликденИнформационна агенция „Фокус“Димитър Ризов. Българите в техните исторически, етнографически и политически граници (Атлас съдържащ 40 карти). Berlin, Königliche Hoflithographie, Hof-Buch- und -Steindruckerei Wilhelm Greve, 1917Report of the International Commission to Inquire into the Causes and Conduct of the Balkan Wars

Image
История на Българската православна църкваПравославие в Османската империя1870-те в БългарияБългарско възраждане Българската православна църквафермансултанАбдул АзисСкопиеСамоковВселенската патриаршияТракияМакедонияМизияЦариградската патриаршияферманцърковно-народния съборЦариградОсманската империяИларионАнтим IплебисцитСкопскаОхридскаБитолскаНеврокопскаСтарозагорска90-те годиниМакедонияАприлското въстаниеРуско-турската войнаЦариградската патриаршиясхизматичнаРуско-турската освободителна войнаАнтим IМала АзияРусияЙосиф IБерлинския договорЙосифОдринскосръбскатагръцката пропагандаБалканската войнаБитолскаДебърскаСтрумишкаНеврокопскаКостурскаЛеринскаВоденскаСолунскаПоленинскаСерскаМелнишкаДрамскаОдринскаМеждусъюзническата войнаСофияСвети синодСтефан IНародно-църковен съборКирилМаксим Българска екзархия от Уикипедия, свободната енциклопедия Направо към навигацията Направо към търсенето Българска екзархия „Свети Стефан“ в Цариград – катедрален храм на Б
Read more

Чепеларе Съдържание География | История | Население | Спортни и природни забележителности | Културни и исторически обекти | Религии | Обществени институции | Известни личности | Редовни събития | Галерия | Източници | Литература | Външни препратки | Навигация41°43′23.99″ с. ш. 24°41′09.99″ и. д. / 41.723333° с. ш. 24.686111° и. д.*ЧепелареЧепеларски Linux fest 2002Начало на Зимен сезон 2005/06Национални хайдушки празници „Капитан Петко Войвода“Град ЧепелареЧепеларе – народният ски курортbgrod.orgwww.terranatura.hit.bgСправка за населението на гр. Исперих, общ. Исперих, обл. РазградМузей на родопския карстМузей на спорта и скитеЧепеларебългарскибългарскианглийскитукИстория на градаСки писти в ЧепелареВремето в ЧепелареРадио и телевизия в ЧепелареЧепеларе мами с родопски чар и добри пистиЕвтин туризъм и снежни атракции в ЧепелареМестоположениеИнформация и снимки от музея на родопския карст3D панорами от ЧепелареЧепелареррр

Image
ЧепелареСки курорти в България градБългарияобласт СмолянПловдивСмолянПампоровообщина ЧепелареРодопитеБългарияДоспатрека ЧепеларсканекрополинеолитакърджалиитеПетко войводаМакедонската организацияВълчо СарафовКонстантин АнтоновПетър КузмановПрогледШирока лъкаМанастирКрънкаОсманската империяпощенска станциятелеграфтуристическопещеренскиорскаМечи чалалпийски скиЯгодинската пещераЕкатерина Дафовскабългари1964град Чепеларе от Уикипедия, свободната енциклопедия Направо към навигацията Направо към търсенето Тази статия е за града . За върха в Антарктика вижте Чепеларе (връх). Чепеларе Чепеларе Координати: 41°43′23.99″ с. ш. 24°41′09.99″ и. д.  /  41.723333° с. ш. 24.686111° и. д. 41.723333 , 24.686111 Чепеларе Чепеларе Общи данни Население 5 310  (ГРАО, 2015-03-15) * 5020 (НСИ) Землище 73,861 km² Надм. височина 1232±1 m Пощ. код 4850 Тел. код 03051 МПС код СМ ЕКАТТЕ 80371 Администрация Държава България Област Смолян Община     - кмет Чепеларе Слав
Read more