child_process.spawnSync is memory unsafe and can be used to dump core #8539
Labels
c++
Issues and PRs that require attention from people who are familiar with C++.
child_process
Issues and PRs related to the child_process subsystem.
Comments
deian
changed the title
child_process.spawnSync is memory unsafe and segfaults when given an array/object for the file argument with a throwing toString definition. child_process.spawnSync is memory unsafe and can be used to dump core
This was referenced Sep 14, 2016
deian
changed the title
child_process.spawnSync is memory unsafe and can be used to dump core
mscdex
added
the
child_process
imyller
added a commit
to imyller/node
that referenced
this issue
Sep 15, 2016
child_process.spawnSync segfaults when given an array/object for the file argument with a throwing toString definition. Refs: nodejs#8539 Signed-off-by: Ilkka Myller <[email protected]>
3 tasks
|
@deian Thank you for reporting this. Ideas for fixing this /cc @bnoordhuis, @cjihrig |
|
This is a known issue and affects most C++ API functions accepting non-primitive values. For more information: |
imyller
added
c++
I'm working on some validation in #8312. I can add a check that the file is a string there. |
3 tasks
cjihrig
added a commit
to cjihrig/node
that referenced
this issue
Dec 25, 2016
This commit verifies that the child process handle is of the correct type before trying to close it in CloseHandlesAndDeleteLoop(). This catches the case where input validation failed, and the child process was never actually spawned. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
cjihrig
added a commit
to cjihrig/node
that referenced
this issue
Dec 25, 2016
This commit applies stricter input validation in normalizeSpawnArguments(), which is run by all of the child_process methods. Additional checks are added for spawnSync() specific inputs. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
cjihrig
added a commit
to cjihrig/node
that referenced
this issue
Dec 25, 2016
This commit removes C++ checks from spawn() and spawnSync() that are duplicates of the JavaScript type checking. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
italoacasas
pushed a commit
to italoacasas/node
that referenced
this issue
Jan 18, 2017
This commit verifies that the child process handle is of the correct type before trying to close it in CloseHandlesAndDeleteLoop(). This catches the case where input validation failed, and the child process was never actually spawned. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
italoacasas
pushed a commit
to italoacasas/node
that referenced
this issue
Jan 18, 2017
This commit applies stricter input validation in normalizeSpawnArguments(), which is run by all of the child_process methods. Additional checks are added for spawnSync() specific inputs. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
italoacasas
pushed a commit
to italoacasas/node
that referenced
this issue
Jan 18, 2017
This commit removes C++ checks from spawn() and spawnSync() that are duplicates of the JavaScript type checking. Fixes: nodejs#8096 Fixes: nodejs#8539 Refs: nodejs#9722 PR-URL: nodejs#8312 Reviewed-By: Ben Noordhuis <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
child_process.spawnSyncis memory unsafe and segfaults when given an array/object for the file argument with a throwing toString definition.This doesn't seem like a serious security vulnerability (hence my reporting here), but can certainly be used to cause DOS and it might be nice to have a stdlib that is memory safe.
Related to: #8537, #8538, #7902
The text was updated successfully, but these errors were encountered: