fs.fstat results in an abort with some arguments

[zyscoder]

Version

v22.11.0

Platform

Linux u24vm 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

fs.fstat, v8

What steps will reproduce the bug?

0. Sorry that the abort occurs from a third-party library, and I'm not sure if it's proper to report the crash to nodejs community.
1. npm version: 10.9.0
2. Try to install the package: lzma-native.

a. npm init -y
{
  "name": "package-cf2b3d61d5de70b987170d0fe1c84397",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": ""
}

b. npm shrinkwrap

c. npm install --save lzma-native
added 8 packages, and audited 9 packages in 4s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

d. npm audit fix
added 8 packages, and audited 9 packages in 4s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

the final package.json is as follows:

{
  "name": "package-cf2b3d61d5de70b987170d0fe1c84397",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "dependencies": {
    "lzma-native": "^8.0.6"
  }
}

2. Setup a node instance,

node

3. and run the following javascript code.

(async function() {
    var lib = await import('lzma-native');
    var result = lib.parseFileIndexFD(Symbol("adjlyxzmfd"));;
})();

Then the node instance occurs an abort.

How often does it reproduce? Is there a required condition?

This abort can always be triggered following the steps above.

What is the expected behavior? Why is that the expected behavior?

If any error occurs, an exception or other similar error-reporting stuff should be thrown. There is no reason to abort the whole node process.

What do you see instead?

» node
Welcome to Node.js v22.11.0.
Type ".help" for more information.

(async function() {
... var lib = await import('lzma-native');
... var result = lib.parseFileIndexFD(Symbol("adjlyxzmfd"));;
... })();
Promise {
,
[Symbol(async_id_symbol)]: 28,
[Symbol(trigger_async_id_symbol)]: 6
}
FATAL ERROR: v8::ToLocalChecked Empty MaybeLocal
----- Native stack trace -----

1: 0xe19ca5 node::OnFatalError(char const*, char const*) [node]
2: 0x123f996 v8::Utils::ReportApiFailure(char const*, char const*) [node]
3: 0x10e8085 node::DetermineSpecificErrorType[abi:cxx11](node::Environment*, v8::Localv8::Value) [node]
4: 0xe38f71 [node]
5: 0xf8d068 [node]
6: 0x7d22ff20f5e2

----- JavaScript stack trace -----

1: fstat (node:fs:1531:11)
2: exports.parseFileIndexFD (/home/u24vm/Projects/nodejsfuzz/packages/package-cf2b3d61d5de70b987170d0fe1c84397/node_modules/lzma-native/index.js:526:13)
3: REPL4:3:22

[1] 742850 IOT instruction (core dumped) node

Additional information

No response

[jazelly]

IIUC, a minimum reproducible example is like this.

const fs = require('node:fs');
const fd = Symbol("adjlyxzmfd");
fs.fstat(fd, () => {});

I think we should validate fd either in JS or C++