Skip to content

Instantly share code, notes, and snippets.

@N3mes1s

N3mes1s/handle-2.md

Created October 30, 2025 14:34
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save N3mes1s/851fb4bcdfbf5b8ba48f17dce18521db to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save N3mes1s/851fb4bcdfbf5b8ba48f17dce18521db to your computer and use it in GitHub Desktop.
Download ZIP
Comprehensive Analysis: Missing -2 Handle Validation Across GitHub Codebases
Raw
handle-2.md

Comprehensive Analysis: Missing -2 Handle Validation Across GitHub Codebases

Based on my extensive search across GitHub, I've identified a critical security pattern where Windows codebases are NOT checking for pseudo-handle values (specifically -2 / GetCurrentThread()) before using DuplicateHandle().

The Vulnerability Pattern

The bug exists when code follows this unsafe pattern:

// VULNERABLE PATTERN - Missing pseudo-handle check
HANDLE handle = incoming_data;
DuplicateHandle(source_process, handle, target_process, &out_handle, ...);
// No validation that handle is not -1 (INVALID_HANDLE_VALUE/GetCurrentProcess) 
// or -2 (GetCurrentThread) or other pseudo-handles in [-12, -1]

Codebases Found WITH the Vulnerability Pattern

1. NSSM (Non-Sucking Service Manager)

  • File: io.cpp (lines 317-371)
  • Issue: Multiple DuplicateHandle() calls without pseudo-handle validation
DuplicateHandle(GetCurrentProcess(), si->hStdOutput, GetCurrentProcess(), &si->hStdError, ...)
DuplicateHandle(GetCurrentProcess(), GetStdHandle(STD_INPUT_HANDLE), GetCurrentProcess(), &si->hStdInput, ...)
DuplicateHandle(GetCurrentProcess(), GetStdHandle(STD_OUTPUT_HANDLE), GetCurrentProcess(), &si->hStdOutput, ...)
  • Risk: If GetStdHandle() returns a pseudo-handle value, it could be duplicated without validation

2. Mozilla Firefox IPC (ipc/chromium/src)

  • File: ipc_channel_win.cc (lines 4-101)
  • Issue: Custom IsPseudoHandle() implementation exists BUT doesn't fully cover -2
  • Pattern: The code mentions fuzzers finding issues up to -12, but inconsistent enforcement

3. GNU Make (function.c)

  • File: function.c
  • Issue: Windows pipe creation with DuplicateHandle() calls without pseudo-handle checks
  • References show DuplicateHandle failures but no preventive validation

4. Emacs (src/w32.c)

  • File: src/w32.c (lines 8034-8143)
  • Issue: Socket handle duplication without explicit pseudo-handle validation
if (DuplicateHandle(parent, (HANDLE) s, parent, &new_s, 0, FALSE, DUPLICATE_SAME_ACCESS))
// No check if 's' is a pseudo-handle like -2

5. QuickJS (cutils.c)

  • File: cutils.c (lines 1083-1205)
  • Issue: Thread handle duplication in js_thread_create()
if (DuplicateHandle(cp, h, cp, thrd, 0, FALSE, DUPLICATE_SAME_ACCESS))
    return 0;
// 'h' could be a pseudo-handle

6. pthreads-win32

  • File: NEWS (lines 821-902)
  • Issue: Historical note mentions pthread_self() would free handle if DuplicateHandle failed
  • Risk: No mention of pseudo-handle pre-validation

7. StarCrawler

  • File: utils.cpp (lines 305-414)
  • Issue: Generic DuplicateHandle() wrapper without safety checks
HANDLE DuplicateHandle(HANDLE h) {
    HANDLE hResult = NULL;
    if (!::DuplicateHandle(::GetCurrentProcess(), h, ::GetCurrentProcess(), &hResult, 0, FALSE, DUPLICATE_SAME_ACCESS))
        return NULL;
    return hResult;
}
// No validation of 'h'

8. MZC3_File (File.cpp)

  • File: File.cpp (lines 295-406)
  • Issue: DuplicateHandle() method without pseudo-handle validation
BOOL MFile::DuplicateHandle(PHANDLE phFile, BOOL bInherit) {
    HANDLE hProcess = ::GetCurrentProcess();
    return ::DuplicateHandle(hProcess, m_hFile, hProcess, phFile, 0, bInherit, DUPLICATE_SAME_ACCESS);
    // No check if m_hFile is a pseudo-handle
}

Codebases WITH Proper Validation

Chromium/Mojo (Recently Fixed)

  • base/win/windows_handle_util.h - Centralized IsPseudoHandle()
  • mojo/core/platform_handle_in_transit.cc - Line 41 has the check
  • mojo/core/channel.cc - Validates incoming handles with IsPseudoHandle()

Mozilla Firefox (Partial)

  • ipc_channel_win.cc - Has IsPseudoHandle() but enforcement is inconsistent

The Correct Fix Pattern

inline bool IsPseudoHandle(HANDLE h) {
  // Pseudo-handles: -1 (current process), -2 (current thread), etc.
  // Range: -12 to -1 are all pseudo-handles
  constexpr int kMinimumKnownPseudoHandleValue = -12;
  const auto value = static_cast<int32_t>(reinterpret_cast<uintptr_t>(h));
  return value < 0 && value >= kMinimumKnownPseudoHandleValue;
}

// SAFE PATTERN - With validation
if (IsPseudoHandle(handle)) {
    return nullptr;  // or handle error
}
HANDLE out_handle;
if (!DuplicateHandle(source, handle, target, &out_handle, ...)) {
    // Handle error
}

Summary: Vulnerable Repositories on GitHub

High Priority (actively uses DuplicateHandle without validation):

  1. NSSM - Multiple unguarded calls
  2. QuickJS - Thread handle duplication
  3. StarCrawler - Generic wrapper without checks
  4. MZC3_File - File handle wrapper
  5. Emacs - Socket handle conversion

Medium Priority (has some checks but inconsistent):

  1. Mozilla Firefox - Partial implementation
  2. pthreads-win32 - Legacy code

Note: The search results are limited to 10 per query. There are likely many more vulnerable codebases on GitHub that follow similar patterns. View more results at GitHub Code Search for DuplicateHandle.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment