fix(security): block /proc/*/auxv and /proc/*/pagemap read leaks
auxv leaks AT_RANDOM (stack canary seed) + AT_BASE/AT_PHDR load addresses — an ASLR oracle on par with maps. pagemap exposes virtual->physical translation. Both were missing from the endswith tuple that covers the maps family in the salvaged commit. Adds regression coverage for auxv/pagemap and for the per-thread /proc/<pid>/task/<tid>/<file> alias form (endswith catches both). Follow-up on #32238, closes #34430.
This commit is contained in:
parent
64e6b98ba8
commit
868fa9566a
2 changed files with 30 additions and 1 deletions
@ -109,6 +109,21 @@ class TestDevicePathBlocking(unittest.TestCase):
"/proc/1/numa_maps",
"/proc/self/mem",
"/proc/12345/mem",
"/proc/self/auxv",
"/proc/1/auxv",
"/proc/self/pagemap",
"/proc/99/pagemap",
):
self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")
def test_proc_task_thread_sensitive_files_blocked(self):
"""Per-thread /proc/<pid>/task/<tid>/<file> aliases leak the same data."""
for path in (
"/proc/self/task/1234/maps",
"/proc/self/task/1234/smaps",
"/proc/self/task/1234/auxv",
"/proc/self/task/1234/pagemap",
"/proc/self/task/1234/environ",
):
self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")
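Review bot: The test calls `_is_blocked_device`, while the implementation hunk at line 367 names the function `_is_blocked_device_path`; if the test imports a differently named wrapper, confirm it goes through the same normalization step that the `normalized` variable in that hunk implies, otherwise the `task/<tid>` cases pass only on the raw string. All new cases are positive; one negative assertion such as `self.assertFalse(_is_blocked_device("/proc/self/status"), "unrelated /proc files should stay readable")` would pin that the widened endswith tuple does not over-block, assuming the policy intends other per-process files to remain accessible. Both test bodies sit inside `TestDevicePathBlocking`, whose class header is outside the hunk.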
@ -367,8 +367,22 @@ def _is_blocked_device_path(path: str) -> bool:
# memory layout (ASLR bypass) from the host process (issue #4427).
# /proc/*/mem exposes raw process memory; block it as defense-in-depth even
# though it requires address knowledge to exploit usefully.
# /proc/*/auxv leaks AT_RANDOM (stack canary seed) plus AT_BASE/AT_PHDR
# load addresses — an ASLR oracle on par with maps. /proc/*/pagemap exposes
# virtual->physical translation. Both are blocked alongside the maps family.
# endswith matches both /proc/<pid>/X and /proc/<pid>/task/<tid>/X.
if normalized.startswith("/proc/") and normalized.endswith(
("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem")
(
"/environ",
"/cmdline",
"/maps",
"/smaps",
"/smaps_rollup",
"/numa_maps",
"/mem",
"/auxv",
"/pagemap",
)
):
return True
return False
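Review bot: The suffix tuple is an inline literal inside the condition, so the regression test has to hand-maintain a parallel copy of the same list; hoisting it to a module-level constant, e.g. `_PROC_SENSITIVE_SUFFIXES = ("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem", "/auxv", "/pagemap")` and `normalized.endswith(_PROC_SENSITIVE_SUFFIXES)`, would let the test iterate the real list and make the next addition a one-line change. The `if ...: return True` followed by `return False` could collapse to a single `return normalized.startswith("/proc/") and normalized.endswith(_PROC_SENSITIVE_SUFFIXES)` if nothing else follows, but the function's start and any earlier checks lie outside the hunk. The added comment lines explain the endswith half only; since `startswith("/proc/")` is only as strong as whatever produced `normalized`, a line such as `# assumes normalized is absolute with ".." components collapsed — the startswith check depends on it` would make that precondition explicit for the next reader.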