I have noticed that both browsers, Firefox and Chromium, on Linux open the file /proc/self/mem for reading. No other program on my system reads this file, as far as I can tell.

/proc/self/mem is notorious for being a vector for endless privilege escalation exploits, where usually memory is overwritten with malicious code and the program execution is hijacked.

This is even sadder, since browsers are the most exposed programs, with the most attack surface, because they take in untrusted input from the internet.

Is there a legitimate reason why modern browsers need to read /proc/self/mem?

Peregrino69
Martin Vegter

  • https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/ – Artem S. Tashkinov Mar 24 '23 at 06:49
  • "open the file /proc/self/mem for reading" "endless privilege escalation exploits, where usually memory is overwritten" So is there a problem? – user71659 Mar 24 '23 at 07:11
  • I googled "what is /proc/self/mem" and got the link in the top comment. That appears to provide your answer. And since this appears to be a Linux kernel basics question, and not a security question, I'm migrating. – schroeder Mar 24 '23 at 08:12

1 Answer

Browsers such as Firefox and Chromium use multiple processes, notably to reduce their attack surface. One aspect of this split into multiple processes is error handling: if a serious error occurs in a given process, it’s best to handle it in another process (because the crashed process may not be in a state compatible with allowing it to analyse itself, and to avoid a crashed process being owned).

So browsers keep handles open to /proc/self/mem so that they can pass those handles around, allowing a crash-handling process to read the memory of a crashed process, or a profiling process to read the memory of a process being profiled. This is used in particular for stack unwinding; see the Perfetto documentation for details (this is the unwinder used in Chromium).

Stephen Kitt
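An added example, not code from the question, the answer, Firefox or Chromium, of the mechanism the answer describes: a process opens /proc/self/mem read-only, and the descriptor stays tied to that process's address space, so a child that inherits it (standing in for a crash handler that was handed the descriptor) reads the opener's memory rather than its own. The global `marker` and its contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a region (stack, heap) that an unwinder wants to inspect. */
static char marker[32] = "constructed marker value";

/* On a /proc/<pid>/mem descriptor the file offset is the virtual address to read. */
static ssize_t read_mem(int memfd, uintptr_t addr, void *buf, size_t len) {
    return pread(memfd, buf, len, (off_t)addr);
}

/* Open our own /proc/self/mem read-only and read `marker` back; 1 if the bytes match. */
int self_read_matches(void) {
    int fd = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    char buf[sizeof marker];
    ssize_t n = read_mem(fd, (uintptr_t)marker, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)sizeof buf && memcmp(buf, marker, sizeof buf) == 0;
}

/* The descriptor is bound to the address space of the process that opened it: the
   child overwrites its own copy-on-write copy of `marker`, then reads through the
   inherited fd and sees the PARENT's value. Returns 1 if so, 0 if not, -1 on error. */
int child_reads_parent_memory(void) {
    int fd = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {                       /* child: pretend to be the crash handler */
        char seen[sizeof marker];
        strcpy(marker, "child's private copy");
        ssize_t n = read_mem(fd, (uintptr_t)marker, seen, sizeof seen);
        _exit(n == (ssize_t)sizeof seen && strcmp(seen, "constructed marker value") == 0 ? 0 : 1);
    }
    int status = 0;                       /* parent: the process being inspected */
    waitpid(pid, &status, 0);
    close(fd);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    printf("self:%d child:%d\n", self_read_matches(), child_reads_parent_memory());
}
```

Handing the descriptor to an unrelated process, as the browsers do, would go over a Unix socket with SCM_RIGHTS; fork() is used here only to keep the example short.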