mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-09 13:21:42 +00:00
fix(security): extend /proc read block to smaps, smaps_rollup, numa_maps, mem
PR #4609 blocked /proc/*/maps to prevent ASLR layout leakage, but the endswith("/maps") check does not match /proc/*/smaps or /proc/*/smaps_rollup — both expose the same virtual-address layout and bypass the guard. /proc/*/numa_maps carries the same data with NUMA annotations and is equally bypassed. /proc/*/mem (raw process memory) is added as defence-in-depth; it requires address knowledge to exploit but is blocked for consistency. Extends the endswith tuple in _is_blocked_device_path() to cover all four variants and adds regression assertions for all new paths to test_proc_sensitive_pseudo_files_blocked. Partially addresses #4427.
This commit is contained in:
parent
275e293f54
commit
64e6b98ba8
2 changed files with 15 additions and 4 deletions
|
|
@ -93,7 +93,7 @@ class TestDevicePathBlocking(unittest.TestCase):
|
|||
self.assertFalse(_is_blocked_device_path("/proc/self/fd/3"))
|
||||
|
||||
def test_proc_sensitive_pseudo_files_blocked(self):
|
||||
"""environ/cmdline/maps under /proc/<pid> must be blocked (issue #4427)."""
|
||||
"""environ/cmdline/maps (and maps variants) under /proc/<pid> must be blocked (issue #4427)."""
|
||||
for path in (
|
||||
"/proc/self/environ",
|
||||
"/proc/12345/environ",
|
||||
|
|
@ -101,6 +101,14 @@ class TestDevicePathBlocking(unittest.TestCase):
|
|||
"/proc/99/cmdline",
|
||||
"/proc/self/maps",
|
||||
"/proc/1/maps",
|
||||
"/proc/self/smaps",
|
||||
"/proc/12345/smaps",
|
||||
"/proc/self/smaps_rollup",
|
||||
"/proc/99/smaps_rollup",
|
||||
"/proc/self/numa_maps",
|
||||
"/proc/1/numa_maps",
|
||||
"/proc/self/mem",
|
||||
"/proc/12345/mem",
|
||||
):
|
||||
self.assertTrue(_is_blocked_device(path), f"{path} should be blocked")
|
||||
|
||||
|
|
|
|||
|
|
@ -362,10 +362,13 @@ def _is_blocked_device_path(path: str) -> bool:
|
|||
("/fd/0", "/fd/1", "/fd/2")
|
||||
):
|
||||
return True
|
||||
# /proc/*/environ, /proc/*/cmdline, /proc/*/maps can leak secrets,
|
||||
# command-line args, and memory layout from the host process (issue #4427)
|
||||
# /proc/*/environ, /proc/*/cmdline, /proc/*/maps (and the maps variants
|
||||
# smaps, smaps_rollup, numa_maps) can leak secrets, command-line args, and
|
||||
# memory layout (ASLR bypass) from the host process (issue #4427).
|
||||
# /proc/*/mem exposes raw process memory; block it as defense-in-depth even
|
||||
# though it requires address knowledge to exploit usefully.
|
||||
if normalized.startswith("/proc/") and normalized.endswith(
|
||||
("/environ", "/cmdline", "/maps")
|
||||
("/environ", "/cmdline", "/maps", "/smaps", "/smaps_rollup", "/numa_maps", "/mem")
|
||||
):
|
||||
return True
|
||||
return False
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue