There was a recent(ish) PoC where someone exploited a file write to /proc/self/fd/<n> to manipulate libuv's signal pipe. (I lost the link; it's in node's bug tracker somewhere but that place is such a swamp...)
Libuv's signal handler writes pointers to said pipe (something I never liked in the first place) and that's enough to get a jump-off point for further exploitation.
I've wanted for a long time to redo our signal handling and I did a work-in-progress first pass in bnoordhuis@120cf7c (tl;dr use atomics and per-signal queues of interested event loops)
If anyone has concerns about that approach, LMK. No ETA unless you want to sponsor me :-)
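Added example, not part of this comment and not libuv's code or the bnoordhuis@120cf7c work in progress: a minimal C self-pipe dispatcher in the direction the comment proposes, where the signal handler writes only the signal number (never a pointer) and an atomic per-signal counter is the source of truth. The `MAX_SIGNAL` bound, the `signal_dispatch_*` names and the `signal_dispatch_inject` helper (which stands in for an untrusted write to the pipe's fd, such as through `/proc/self/fd/<n>`) are assumptions for the demo.

```c
/* Added example: self-pipe signal dispatch that never trusts pipe contents.
 * Not libuv's code. The handler records the signal in an atomic counter and
 * writes one byte (the signal number) purely as a wakeup; the loop acts on a
 * byte only if the matching counter is nonzero, so arbitrary bytes written
 * to the pipe by anyone else are dropped. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_SIGNAL 64 /* assumption: covers Linux's signal range (NSIG is 65) */

typedef void (*signal_cb)(int signum);

static int self_pipe[2] = {-1, -1};
static atomic_int pending[MAX_SIGNAL + 1];  /* written by the handler */
static signal_cb callbacks[MAX_SIGNAL + 1]; /* touched only by the loop */

static int set_nonblock(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Async-signal-safe: one atomic increment and one non-blocking write(). */
static void on_signal(int signum) {
    int saved = errno;
    if (signum > 0 && signum <= MAX_SIGNAL) {
        unsigned char b = (unsigned char)signum;
        atomic_fetch_add_explicit(&pending[signum], 1, memory_order_release);
        (void)write(self_pipe[1], &b, 1); /* wakeup only; EAGAIN is harmless */
    }
    errno = saved;
}

int signal_dispatch_init(void) {
    if (self_pipe[0] != -1) return 0;
    if (pipe(self_pipe) != 0) return -1;
    if (set_nonblock(self_pipe[0]) != 0 || set_nonblock(self_pipe[1]) != 0) return -1;
    return 0;
}

int signal_dispatch_register(int signum, signal_cb cb) {
    struct sigaction sa;
    if (signum <= 0 || signum > MAX_SIGNAL || cb == NULL) return -1;
    callbacks[signum] = cb;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signum, &sa, NULL);
}

/* Drain the pipe; returns the number of callbacks invoked. A byte is acted on
 * only if the atomic counter proves the handler actually ran for that signal.
 * Repeated deliveries between drains are coalesced into one callback. */
int signal_dispatch_drain(void) {
    unsigned char buf[64];
    int invoked = 0;
    for (;;) {
        ssize_t n = read(self_pipe[0], buf, sizeof buf);
        if (n <= 0) break; /* EAGAIN: pipe is empty */
        for (ssize_t i = 0; i < n; i++) {
            int signum = buf[i];
            if (signum <= 0 || signum > MAX_SIGNAL) continue; /* garbage byte */
            if (atomic_exchange_explicit(&pending[signum], 0, memory_order_acquire) == 0)
                continue; /* no real signal behind this byte: drop it */
            if (callbacks[signum] != NULL) { callbacks[signum](signum); invoked++; }
        }
    }
    return invoked;
}

/* Constructed stand-in for an untrusted write to the pipe's fd. */
ssize_t signal_dispatch_inject(const unsigned char *bytes, size_t len) {
    return write(self_pipe[1], bytes, len);
}

/* Sample callback used by main() and the checks below. */
static int usr1_count;
static void count_usr1(int signum) { (void)signum; usr1_count++; }
int usr1_seen(void) { return usr1_count; }

int main(void) {
    unsigned char junk[3] = {0xff, 0x41, (unsigned char)SIGUSR1};
    if (signal_dispatch_init() != 0 || signal_dispatch_register(SIGUSR1, count_usr1) != 0)
        return 1;
    raise(SIGUSR1);
    printf("real signal: %d callback(s)\n", signal_dispatch_drain());
    signal_dispatch_inject(junk, sizeof junk);
    printf("injected bytes: %d callback(s)\n", signal_dispatch_drain());
    return 0;
}
```

The pipe is reduced to a wakeup channel: whoever can write to its fd can at most cause a spurious wakeup, never steer control flow, because nothing read from it is used as an address and every byte is gated by a counter only the handler increments. The per-signal queues of interested event loops from the proposed patch are not modelled here; a real dispatcher would fan each drained signal out to those loops.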