[11] libpas MTE Lockdown Mode initialization bypass
Severity: Medium | Component: libpas (bmalloc) MTE configuration | 1b1e4d0
Rated Medium because the observable effect is that MTE hardening is silently disabled for the CaptivePortal WebContent process even when the user has opted into Lockdown Mode. This weakens a defense-in-depth mitigation rather than directly enabling exploitation, but it does so in a process that handles untrusted network traffic.
The sysctl check for Lockdown Mode state was always returning 0 due to a sandbox restriction on the process. The fix adds a fallback process name check for the CaptivePortal WebContent process.
Source/bmalloc/libpas/src/libpas/pas_mte_config.c
uint64_t ldmState = 0;
size_t sysCtlLen = sizeof(ldmState);
- if (sysctlbyname("security.mac.lockdown_mode_state", &ldmState, &sysCtlLen, NULL, 0) >= 0 && ldmState == 1)
+ const char* lockdownModeProcName = "com.apple.WebKit.WebContent.CaptivePortal";
+ bool isLockdownModeWebContentProcess = !strncmp(getprogname(), lockdownModeProcName, strlen(lockdownModeProcName));
+ if ((sysctlbyname("security.mac.lockdown_mode_state", &ldmState, &sysCtlLen, NULL, 0) >= 0 && ldmState == 1) || isLockdownModeWebContentProcess)
config->is_lockdown_mode = true;
else
config->is_lockdown_mode = false;
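Review bot: the added name check uses strncmp(getprogname(), lockdownModeProcName, strlen(lockdownModeProcName)), which is a prefix match rather than an equality check, so any program name that merely begins with "com.apple.WebKit.WebContent.CaptivePortal" is treated as hardened; if an exact match is intended, strcmp(getprogname(), lockdownModeProcName) == 0 states that directly. Separately, the unchanged sysctlbyname branch still folds a failed call (negative return, which the commit message attributes to a sandbox denial) into "not in Lockdown Mode" without logging, so any process where the sysctl is denied and that is not named CaptivePortal keeps the fail-open behaviour. Consider inspecting errno on the failing path so a sandbox denial is distinguishable from a genuine ldmState == 0, logging it, and adding a comment above the fallback noting that the CaptivePortal process is now hardened regardless of the device's Lockdown Mode setting.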
Patch Details
The fix adds a secondary check: if the process name (via getprogname()) matches "com.apple.WebKit.WebContent.CaptivePortal", is_lockdown_mode is set to true regardless of the sysctl result. The two checks are OR'd together.
The underlying defect is the silent failure of a privilege-gated system call, which caused a security hardening feature to be unconditionally disabled.
Background
ARM MTE (Memory Tagging Extensions) is a hardware feature that assigns random tags to memory allocations and checks them on every access, catching use-after-free and out-of-bounds accesses at the hardware level. Lockdown Mode (LDM) is an opt-in iOS/macOS security mode that enables additional hardening for high-risk users. In WebKit's libpas allocator, MTE tagging in the WebContent process is disabled by default for performance reasons, but is re-enabled when the process is considered "hardened" — which occurs when Lockdown Mode is active or the process is an EnhancedSecurity variant. The CaptivePortal WebContent process handles web content displayed in captive portal network authentication flows — untrusted network environments where exploitation risk is elevated.
Analysis
The sysctlbyname call to query security.mac.lockdown_mode_state was blocked by the sandbox policy applied to the WebContent process (as the commit message states). The call always returned a negative value, so the >= 0 check always failed, and ldmState was never read. As a result, config->is_lockdown_mode was always set to false, even when the device was actually in Lockdown Mode. Downstream, is_lockdown_mode determines whether MTE tagging should be enabled. With it stuck at false, the CaptivePortal WebContent process never received MTE hardening, defeating a key exploit mitigation for Lockdown Mode users.
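The failure mode described above is a query result being collapsed into a boolean, so that "could not ask" becomes "off". The following is an added example, not WebKit's or libpas's code, showing one way to keep the three outcomes apart: the decision logic is split from the syscall so it can be tested, a failed query is classified as unknown rather than off, the unknown case is logged and resolved by an explicit fail-closed flag (an assumption of this example; the actual fix instead adds the process-name fallback), and the process-name check is an exact match rather than a prefix match. The function names, the enum and the fail_closed parameter are hypothetical; the sysctl name and the CaptivePortal process name come from the patch. On non-Darwin platforms the live query reports ENOSYS, which exercises the same unknown path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

/* Three-way result of the Lockdown Mode query. The original code folded
 * LDM_UNKNOWN into LDM_OFF, which is the fail-open behaviour discussed above. */
typedef enum { LDM_OFF = 0, LDM_ON = 1, LDM_UNKNOWN = 2 } ldm_state_t;

/* Process that is always treated as hardened (name taken from the patch);
 * matched exactly, not as a prefix. */
static const char *kHardenedProcName = "com.apple.WebKit.WebContent.CaptivePortal";

/* Pure decision logic, separated from the syscall so it can be unit-tested.
 * rc/err/state are the sysctlbyname() return value, errno, and the value read. */
ldm_state_t classify_lockdown_query(int rc, int err, uint64_t state) {
    if (rc < 0) {
        /* A sandbox denial typically surfaces as EPERM/EACCES; any failure is
         * reported as unknown rather than as "Lockdown Mode off". */
        (void)err;
        return LDM_UNKNOWN;
    }
    return state == 1 ? LDM_ON : LDM_OFF;
}

/* Exact comparison: a name that merely starts with the hardened name does not match. */
bool is_hardened_process_name(const char *progname) {
    return progname != NULL && strcmp(progname, kHardenedProcName) == 0;
}

/* Final policy (hypothetical): hardened if Lockdown Mode is on, or the process is
 * the CaptivePortal variant, or the query could not be made and fail_closed is set.
 * The unknown case is logged so a sandbox denial no longer fails silently. */
bool decide_is_lockdown_mode(ldm_state_t q, const char *progname, bool fail_closed) {
    if (q == LDM_ON) return true;
    if (is_hardened_process_name(progname)) return true;
    if (q == LDM_UNKNOWN) {
        fprintf(stderr, "security.mac.lockdown_mode_state query failed; %s\n",
                fail_closed ? "defaulting to hardened" : "defaulting to unhardened");
        return fail_closed;
    }
    return false;
}

/* Live query on Darwin; elsewhere the sysctl does not exist, so report failure
 * with ENOSYS and let the policy above handle it. */
ldm_state_t query_lockdown_mode(void) {
    uint64_t state = 0;
    size_t len = sizeof(state);
    int rc = -1;
    errno = ENOSYS;
#ifdef __APPLE__
    rc = sysctlbyname("security.mac.lockdown_mode_state", &state, &len, NULL, 0);
#endif
    (void)len;
    return classify_lockdown_query(rc, errno, state);
}

int main(void) {
    /* Constructed sample process name, not the CaptivePortal variant. */
    const char *name = "com.apple.WebKit.WebContent";
    bool hardened = decide_is_lockdown_mode(query_lockdown_mode(), name, true);
    printf("is_lockdown_mode=%d\n", hardened);
    return 0;
}
```

The point of the split is that classify_lockdown_query() can be tested with a forced rc of -1, which is exactly the case the sandboxed process hit in production and the case the original single boolean expression could not distinguish from a device that is simply not in Lockdown Mode.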