dns.setServers is memory unsafe and can be used to dump core #8538

deian · 2016-09-14T20:27:45Z

Version: 6.5.0
Platform:
Subsystem:

dns.setServers is memory unsafe and can be used to dump core.

This doesn't seem like a serious security vulnerability (hence my reporting here), but can certainly be used to cause DOS and it might be nice to have a stdlib that is memory safe.

const dns = require('dns');
const servers = [];
servers[0] = '127.0.0.1';
servers[2] = '0.0.0.0';
dns.setServers(servers);
// causes the CHECK src/cares_wrap.cc:1241 to dump core

another variant:

const dns = require('dns');
const servers = ['127.0.0.1','192.168.1.1'];
servers[3] = '127.1.0.1';
servers[4] = '127.1.0.1';
servers[5] = '127.1.1.1';
Object.defineProperty(servers, 2, {
  enumerable: true,
  get: () => {
    servers.length = 3;
    return '0.0.0.0';
  }
});
dns.setServers(servers);
// causes the CHECK src/cares_wrap.cc:1241 to dump core

Related to: #8539, #8537, #7902

@mlfbrown

The text was updated successfully, but these errors were encountered:

imyller · 2016-09-15T08:37:49Z

This is a known issue and affects most C++ API functions accepting non-primitive values.

For more information:

#7902 (comment)

deian · 2016-09-17T07:26:39Z

Like #8537, I also don' think this will be resolved by using the Maybe API. This is deliberately abusing the CHECK to dump core.

cjihrig · 2016-09-17T13:33:27Z

See #8567 for a fix for this one.

This commit adds better handling of exceptional array formats passed to dns.setServers(). Prior to this commit, the input array was validated using map(), which preserves holes, allowing them to be passed to c-ares, crashing Node. This commit replaces map() with forEach(), which skips holes. Fixes: nodejs#8538 PR-URL: nodejs#8567 Reviewed-By: Ilkka Myller <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>

This commit adds better handling of exceptional array formats passed to dns.setServers(). Prior to this commit, the input array was validated using map(), which preserves holes, allowing them to be passed to c-ares, crashing Node. This commit replaces map() with forEach(), which skips holes. Fixes: #8538 PR-URL: #8567 Reviewed-By: Ilkka Myller <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>

This was referenced Sep 14, 2016

child_process.spawnSync is memory unsafe and can be used to dump core #8539

Closed

vm.runInContext is memory unsafe and can be used to dump core #8537

Closed

deian changed the title ~~dns.setServers is memory unsafe and can be used to dump core~~ dns.setServers is memory unsafe and can be used to dump core Sep 14, 2016

mscdex added the dns Issues and PRs related to the dns subsystem. label Sep 14, 2016

imyller mentioned this issue Sep 15, 2016

test: add known issue test for child_process.spawnSync segfault #8543

Closed

3 tasks

imyller added the c++ Issues and PRs that require attention from people who are familiar with C++. label Sep 15, 2016

cjihrig mentioned this issue Sep 16, 2016

dns: handle array holes in setServers() #8567

Merged

3 tasks

cjihrig closed this as completed in #8567 Sep 21, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dns.setServers is memory unsafe and can be used to dump core #8538

dns.setServers is memory unsafe and can be used to dump core #8538

deian commented Sep 14, 2016 •

edited

Loading

imyller commented Sep 15, 2016

deian commented Sep 17, 2016

cjihrig commented Sep 17, 2016

dns.setServers is memory unsafe and can be used to dump core #8538

dns.setServers is memory unsafe and can be used to dump core #8538

Comments

deian commented Sep 14, 2016 • edited Loading

imyller commented Sep 15, 2016

deian commented Sep 17, 2016

cjihrig commented Sep 17, 2016

deian commented Sep 14, 2016 •

edited

Loading