Out of bounds memory write via child_process.spawn #15622
Labels: child_process (Issues and PRs related to the child_process subsystem.)

In process wrap, the length of the array is not checked for potential overflows before it is passed to new. With a very long array, argc + 1 would overflow to zero, causing a null value to be written to &options.args[0xffffffffffffffff], despite the fact that we called new [0].

Test JS function:

Using this test code, eax (array length) ends up being set to 0xFFFFFF and rolls over to 0 before calling new:

On older versions of Node, this seems to reliably cause the following error as well:

On newer versions, it seems like it only crashes like this after the optimizer runs (from what I can tell, always seems to crash after the third time you call the function).

mscdex added the child_process label on Sep 26, 2017.

cjihrig added a commit to cjihrig/node that referenced this issue on Nov 7, 2017:

This commit adds checks for overflow to args and env in Spawn(). It seems extremely unlikely that either of these values would overflow from a valid use case.
Fixes: nodejs#15622
PR-URL: nodejs#16761
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>