Talk:SIGWINCH
From Wikipedia, the free encyclopedia
According to this mail archive, it can be a security risk when misused. Any insight? 62.167.117.242 (talk) 21:31, 28 April 2008 (UTC)
- For example this. What the comment means is that in the minds of some people, any bug can be construed as a security risk. In that regard, it's not relevant to this topic. Tedickey (talk) 23:32, 28 April 2008 (UTC)
-
- The misuse is in the ncurses-installed SIGWNCH handler modifying window-system internals (I think to insert a "SIGWNCH sent" message in the message chain). Because a signal can be received at any time, this could corrupt window-system internals leading to execution of arbitrary code. A possible attack could be a privilege-escalation on a suid root ncurses program (a package manager?); the attacker writes shellcode into a ncurses (keyboard?) buffer, puts the ncurses message loop under heavy load, then sends SIGWNCH at the right time to corrupt the message chain and transfer execution to the shellcode.
- This isn't really SIGWNCH-related, though; any unsafe signal handler is a potential security hole. The only (useful) safe things to do in a signal handler are: set a
sig_atomic_t
variable, or write to a non-blocking pipe. EdC (talk) 23:33, 29 April 2008 (UTC)
-
- By the way, the example given isn't "message chain", but "screen chain". Multiple screens are rare in curses applications (screens correspond to different terminals). Theo's secondhand comment (from Todd) is that some unpredictable memory corruption might occur as a result of interrupting the store of a pointer. Speculating on that as an exploitable bug is best done on Slashdot Tedickey (talk) 00:57, 30 April 2008 (UTC)