Skip to content

Fix worker port use-after-free #463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix worker port use-after-free #463

wants to merge 1 commit into from
+5 −0

Conversation

@nickva
Copy link
Contributor

@nickva nickva commented Nov 20, 2025

In #462 during exit we call js_std_free_handlers() then JS_FreeRuntime().

js_std_free_handlers() frees the JSThreadState memory. However, later in JS_FreeRuntime() we run GC, which runs js_worker_finalizer and that accesses the port list from the already freed JSThreadState, so it results in a use-after-free error.

To fix it try to run GC in js_std_free_handlers() just before before cleaning and freeing JSThreadState.

Fix #462

@nickva
Fix worker port use-after-free
7d49f08 
In bellard#462 during exit we call `js_std_free_handlers()` then `JS_FreeRuntime()`.

`js_std_free_handlers()` frees the `JSThreadState` memory. However, later in
`JS_FreeRuntime()` we run GC, which runs `js_worker_finalizer` and that
accesses the port list from the already freed `JSThreadState`, so it results in
a use-after-free error.

To fix it try to run GC in `js_std_free_handlers()` just before before cleaning and
freeing `JSThreadState`.

Fix bellard#462
@nickva
Copy link
Contributor Author

nickva commented Nov 20, 2025

Not sure if this entirely right, maybe it's better if the port list has a mutex and a reference count like message pipes...

It does trigger the UAF from #463 any longer at least:

% make CONFIG_ASAN=n qjs && ./qjs --std ./uaf.js
make: `qjs' is up to date.
qjs(74987,0x7ff85a0d5400) malloc: nano zone abandoned due to inability to reserve vm space.
ReferenceError: 'gc' is not defined
    at set (./uaf.js:9:7)
    at <anonymous> (./uaf.js:14:4)
    at <anonymous> (./uaf.js:15:3)
ReferenceError: could not load module filename 'non-exist.js'

@nickva nickva mentioned this pull request Nov 20, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use-After-Free in list_del

1 participant

@nickva