Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v8.deserialize: Fix out of bounds write #55269

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

v8.deserialize: Fix out of bounds write #55269

wants to merge 1 commit into from

Conversation

arneg
Copy link

@arneg arneg commented Oct 4, 2024

When v8.deserialized is passed a Buffer with non-zero byteOffset, it will call copy and try to copy more bytes than are allocated in the destination buffer. This will then call the SlowCopy method which will call memmove and write bytes after the buffer.

This crash has been observed with the parcel tool.

@arneg
v8.deserialize: Fix out of bounds write
b61f85b 
When v8.deserialized is passed a Buffer with non-zero byteOffset,
it will call copy and try to copy more bytes than are allocated
in the destination buffer. This will then call the SlowCopy method
which will call memmove and write bytes after the buffer.

This bug has been observed with the parcel tool.
@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Oct 4, 2024
@arneg
Copy link
Author

arneg commented Oct 4, 2024

While debugging this I also ended up adding this check to SlowCopy

CHECK(to_copy <= (target_length - target_start));

Is it worth adding checks like that?

@arneg
Copy link
Author

arneg commented Oct 4, 2024

PR #55261 is an attempt to fix the same issue.

@RedYetiDev
Copy link
Member

@ronag is this a duplicate of your PR? If so, feel free to close it as such :-)

@codecov Codecov
Copy link

codecov bot commented Oct 5, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.40%. Comparing base (d2ad9b4) to head (b61f85b).
Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #55269      +/-   ##
==========================================
- Coverage   88.41%   88.40%   -0.02%     
==========================================
  Files         652      652              
  Lines      186594   186589       -5     
  Branches    36054    36060       +6     
==========================================
- Hits       164980   164954      -26     
- Misses      14883    14900      +17     
- Partials     6731     6735       +4
Files with missing lines Coverage Δ
lib/v8.js 99.32% <100.00%> (ø)

... and 24 files with indirect coverage changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@arneg @RedYetiDev @nodejs-github-bot