On my Debian GNU/Linux 9 system, when a binary is executed,
- the stack is uninitialized but
- the heap is zero-initialized.
Why?
I assume that zero-initialization promotes security but, if for the heap, then why not also for the stack? Does the stack, too, not need security?
My question is not specific to Debian as far as I know.
Sample C code:
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
const size_t n = 8;
// --------------------------------------------------------------------
// UNINTERESTING CODE
// --------------------------------------------------------------------
static void print_array(
const int *const p, const size_t size, const char *const name
)
{
printf("%s at %p: ", name, p);
for (size_t i = 0; i < size; ++i) printf("%d ", p[i]);
printf("\n");
}
// --------------------------------------------------------------------
// INTERESTING CODE
// --------------------------------------------------------------------
int main()
{
int a[n];
int *const b = malloc(n*sizeof(int));
print_array(a, n, "a");
print_array(b, n, "b");
free(b);
return 0;
}
Output:
a at 0x7ffe118997e0: 194 0 294230047 32766 294230046 32766 -550453275 32713
b at 0x561d4bbfe010: 0 0 0 0 0 0 0 0
The C standard does not ask malloc() to clear memory before allocating it, of course, but my C program is merely for illustration. The question is not a question about C or about C's standard library. Rather, the question is a question about why the kernel and/or run-time loader are zeroing the heap but not the stack.
ANOTHER EXPERIMENT
My question regards observable GNU/Linux behavior rather than the requirements of standards documents. If unsure what I mean, then try this code, which invokes further undefined behavior (undefined, that is, as far as the C standard is concerned) to illustrate the point:
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
const size_t n = 4;
int main()
{
for (size_t i = n; i; --i) {
int *const p = malloc(sizeof(int));
printf("%p %d ", p, *p);
++*p;
printf("%d\n", *p);
free(p);
}
return 0;
}
Output from my machine:
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
0x555e86696010 0 1
As far as the C standard is concerned, behavior is undefined, so my question does not regard the C standard. A call to malloc() need not return the same address each time but, since this call to malloc() does indeed happen to return the same address each time, it is interesting to notice that the memory, which is on the heap, is zeroed each time.
The stack, by contrast, had not seemed to be zeroed.
I do not know what the latter code will do on your machine, since I do not know which layer of the GNU/Linux system is causing the observed behavior. You can but try it.
UPDATE
@Kusalananda has observed in comments:
For what it's worth, your most recent code returns different addresses and (occasional) uninitialised (non-zero) data when run on OpenBSD. This obviously does not say anything about the behaviour that you are witnessing on Linux.
That my result differs from the result on OpenBSD is indeed interesting. Apparently, my experiments were discovering not a kernel (or linker) security protocol, as I had thought, but a mere implementational artifact.
In this light, I believe that, together, the answers below of @mosvy, @StephenKitt and @AndreasGrapentin settle my question.
See also on Stack Overflow: Why does malloc initialize the values to 0 in gcc? (credit: @bta).
Best Answer
The storage returned by malloc() is not zero-initialized. Do not ever assume it is.
In your test program, it's just a fluke: I guess the
malloc()just got a fresh block offmmap(), but don't rely on that, either.For an example, if I run your program on my machine this way:
Your second example is simply exposing an artifact of the
mallocimplementation in glibc; if you do that repeatedmalloc/freewith a buffer larger than 8 bytes, you will clearly see that only the first 8 bytes are zeroed, as in the following sample code.Output: