From 868fa9566a855e316e79a3921ac0a55cd68a380f Mon Sep 17 00:00:00 2001
From: Teknium <127238744+teknium1@users.noreply.github.com>
Date: Wed, 1 Jul 2026 02:14:14 -0700
Subject: [PATCH] fix(security): block /proc/*/auxv and /proc/*/pagemap read leaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

auxv leaks AT_RANDOM (stack canary seed) + AT_BASE/AT_PHDR load addresses — an ASLR oracle on par with maps. pagemap exposes virtual->physical translation. Both slipped through the endswith tuple alongside the maps family covered by the salvaged commit. Adds regression coverage for auxv/pagemap and for the per-thread /proc//task// alias form (endswith catches both). Follow-up on #32238, closes #34430.
---
 tests/tools/test_file_read_guards.py | 15 +++++++++++++++
 tools/file_tools.py | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/tests/tools/test_file_read_guards.py b/tests/tools/test_file_read_guards.py
index ad12dc78a..861ebc493 100644
--- a/tests/tools/test_file_read_guards.py
+++ b/tests/tools/test_file_read_guards.py
@@ -109,6 +109,21 @@ class TestDevicePathBlocking(unittest.TestCase):
 "/proc/1/numa_maps",
 "/proc/self/mem",
 "/proc/12345/mem",
+ "/proc/self/auxv",
+ "/proc/1/auxv",
+ "/proc/self/pagemap",
+ "/proc/99/pagemap",
+ ):
+ self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")
+
+ def test_proc_task_thread_sensitive_files_blocked(self):
+ """Per-thread /proc//task// aliases leak the same data."""
+ for path in (
+ "/proc/self/task/1234/maps",
+ "/proc/self/task/1234/smaps",
+ "/proc/self/task/1234/auxv",
+ "/proc/self/task/1234/pagemap",
+ "/proc/self/task/1234/environ",
 ):
 self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")

diff --git a/tools/file_tools.py b/tools/file_tools.py
index b85ab9726..7bf51aa90 100644
--- a/tools/file_tools.py
+++ b/tools/file_tools.py
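Review bot: The new assertions call `_is_blocked_device`, while the function patched in tools/file_tools.py is `_is_blocked_device_path`; presumably the test module imports it under an alias or goes through a thin wrapper, but it is worth confirming that the new cases exercise the patched suffix tuple rather than a different helper. The per-thread test only uses the `/proc/self/task/<tid>/` spelling; since `endswith` is what catches these, one numeric-pid case such as `"/proc/4321/task/4322/pagemap"` and one `"/proc/thread-self/auxv"` case would pin the other alias forms for the same cost. The docstring reads `/proc//task//`, which looks like stripped `<pid>`/`<tid>` placeholders; `"""Per-thread /proc/<pid>/task/<tid>/ aliases leak the same data."""` reads as intended. The enclosing `TestDevicePathBlocking` class starts outside the hunk.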
@@ -367,8 +367,22 @@ def _is_blocked_device_path(path: str) -> bool:
 # memory layout (ASLR bypass) from the host process (issue #4427).
 # /proc/*/mem exposes raw process memory; block it as defense-in-depth even
 # though it requires address knowledge to exploit usefully.
+ # /proc/*/auxv leaks AT_RANDOM (stack canary seed) plus AT_BASE/AT_PHDR
+ # load addresses — an ASLR oracle on par with maps. /proc/*/pagemap exposes
+ # virtual->physical translation. Both are blocked alongside the maps family.
+ # endswith matches both /proc//X and /proc//task//X.
 if normalized.startswith("/proc/") and normalized.endswith(
- ("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem")
+ (
+ "/environ",
+ "/cmdline",
+ "/maps",
+ "/smaps",
+ "/smaps_rollup",
+ "/numa_maps",
+ "/mem",
+ "/auxv",
+ "/pagemap",
+ )
 ):
 return True
 return False
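Review bot: The suffix tuple is still a denylist of individual file names, so every newly noticed per-process entry needs another patch (this commit is itself a follow-up to #32238 for exactly that reason) and per-process entries outside the list remain readable. A structural check that denies the whole per-process tree would close the class rather than the instance: before the suffix test, `parts = normalized.split("/")` followed by `if len(parts) > 2 and parts[1] == "proc" and (parts[2].isdigit() or parts[2] in ("self", "thread-self")): return True`, keeping the suffix tuple as a second layer for paths reached through other aliases. That assumes `normalized` is an absolute, collapsed path (its construction is outside the hunk) and that callers have no legitimate need for per-process `/proc` entries — confirm both before widening the block. The tuple would also read better as a module-level `_BLOCKED_PROC_SUFFIXES` constant that the test module can reference instead of re-listing paths. `_is_blocked_device_path` starts before the hunk.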