Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: fix TLSWrap lifetime bug in ALPN callback #49635

Merged
merged 1 commit into from
Oct 4, 2023

Conversation

bnoordhuis
Copy link
Member

Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong (possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so the stars probably need to align just right in order to hit it.

Fixes: #47207

Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: nodejs#47207
@bnoordhuis bnoordhuis added the tls Issues and PRs related to the tls subsystem. label Sep 13, 2023
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Sep 13, 2023
@sempi
Copy link

sempi commented Sep 29, 2023

This presumably fixes the crash at the following code location:

[pc=0x0000000000e69847, sp=0x00007ffd3c6aecb0] in node::crypto::(anonymous namespace)::SelectALPNCallback(ssl_st*, unsigned char const**, unsigned char*, unsigned char const*, unsigned int, void*)+0x87

We can confirm this is currently present on

node v20.7.0

and

node v18.18.0

The issue is causing 1 of about 2M HTTP request to segfault the server.

Once fix is available in v20, we will be able to confirm within a day of production usage if it addresses the core problem.

@sempi
Copy link

sempi commented Oct 1, 2023

We can confirm that this patch addresses the crashes in node 20.8.0.

@GaryWilber
Copy link

Is there anything blocking this PR from being merged? It would be great to see this fix included in the next v18 / v20 release.

@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 4, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 4, 2023
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@richardlau richardlau added commit-queue Add this label to land a pull request using GitHub Actions. lts-watch-v18.x PRs that may need to be released in v18.x. labels Oct 4, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 4, 2023
@nodejs-github-bot nodejs-github-bot merged commit 1643adf into nodejs:main Oct 4, 2023
43 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 1643adf

@GEverding
Copy link

GEverding commented Oct 12, 2023

We were also seeing this issue in v18. Upgraded to v21 nightly and no segfaults in production for last 12 hrs where we usually see 1 or 2. Would be really good to get this in a v18 or v20 release.

@targos targos removed the lts-watch-v18.x PRs that may need to be released in v18.x. label Oct 28, 2023
@targos targos added the backported-to-v18.x PRs backported to the v18.x-staging branch. label Oct 28, 2023
targos pushed a commit that referenced this pull request Oct 28, 2023
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: #47207
PR-URL: #49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
alexfernandez pushed a commit to alexfernandez/node that referenced this pull request Nov 1, 2023
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: nodejs#47207
PR-URL: nodejs#49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
targos pushed a commit that referenced this pull request Nov 11, 2023
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: #47207
PR-URL: #49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
nromito added a commit to nromito/js2bin that referenced this pull request Nov 16, 2023
debadree25 pushed a commit to debadree25/node that referenced this pull request Apr 15, 2024
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: nodejs#47207
PR-URL: nodejs#49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: nodejs/node#47207
PR-URL: nodejs/node#49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
Retrieve the TLSWrap from the SSL object, not SSL_CTX.

A SSL_CTX object is the parent of zero or more SSL objects. TLSWrap is a
wrapper around SSL, SecureContext around SSL_CTX.

Node.js normally uses a SecureContext per TLSWrap but it is possible to
use a SecureContext object more than once.

It was therefore possible for an ALPN callback to use the wrong
(possibly already freed) TLSWrap object.

Having said that, while the bug is clear once you see it, I'm not able
to trigger it (and hence no test, not for lack of trying.)

None of the bug reporters were able to reliably reproduce it either so
the stars probably need to align just right in order to hit it.

Fixes: nodejs/node#47207
PR-URL: nodejs/node#49635
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backported-to-v18.x PRs backported to the v18.x-staging branch. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ALPN callback function sometimes leads to segfault in node.js >= 18.13.0
9 participants