Security: Null pointer dereference in snapshot.h:216 #1755
Comments
|
Changed the title to: "Security: Null pointer dereference in snapshot.h:216". |
|
Added Security label. |
|
Is this bug still valid? SendPortImpl does not exist anymore instead we have _SendPortImpl which is a private class and cannot be accessed here the way it was being done. |
|
Set owner to @turnidge. |
|
Hi Siva, I have written a new test which exhibits the old behavior... #import('dart:isolate'); main() { ...The crash is... random:runtime turnidge$ xcodebuild/DebugIA32/dart ~/dart/bug2.dart ... Essentially, the question is this: what should the vm do if the call to ::realloc in datastream.h:130 fails? Most of our allocations in the system use new, which will terminate the program, I believe. Since this allocation uses ::realloc (indirectly) it may return NULL. Set owner to @a-siva. |
|
Removed Priority-Medium label. |
|
Removed this from the M5 milestone. |
|
In our system we use new, malloc, calloc and realloc. I was under the impression that under chrome all these will terminate the program on failure to allocate memory. |
|
Marking bug as works as intended Added AsDesigned label. |
turnidge
added
Type-Defect
area-vm
…ptor, webdev collection (https://github.com/dart-lang/collection/compare/414ffa1..ca45fc4): ca45fc4 2022-10-07 Devon Carew update CI config; prep for publishing (#251) glob (https://github.com/dart-lang/glob/compare/1d51fcc..ee81279): ee81279 2022-10-10 Moritz Merge pull request #62 from dart-lang/bump_deps b6747a1 2022-10-10 moritz Add changelog entry d069e13 2022-10-10 moritz Bump depencies intl (https://github.com/dart-lang/intl/compare/7639a15..dda8ade): dda8ade 2022-10-10 Moritz GitHub Sync (#501) markdown (https://github.com/dart-lang/markdown/compare/f387340..d72ae07): d72ae07 2022-10-07 Sam Rawlins Use fewer empty lists; non-growable (#463) stack_trace (https://github.com/dart-lang/stack_trace/compare/17f09c2..2194227): 2194227 2022-10-10 Kevin Moore A bunch of cleanup, prepare for v1.11.0 (#118) test_descriptor (https://github.com/dart-lang/test_descriptor/compare/f392f85..66f14ce): 66f14ce 2022-10-07 Devon Carew update the CI configuration; prep for publishing (#44) webdev (https://github.com/dart-lang/webdev/compare/7416956..69aac60): 69aac60 2022-10-07 Parker Lougheed Update min SDK restraint mentioned to match pubspec (#1755) b175072 2022-10-07 Elliott Brooks (she/her) Start migration of WebDev to null-safety (#1756) Change-Id: I452b89a44cfcb7b0d9f36eeb1539ea362b29b6b8 Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/263521 Commit-Queue: Nate Bosch <nbosch@google.com> Auto-Submit: Devon Carew <devoncarew@google.com> Reviewed-by: Nate Bosch <nbosch@google.com>
NULL Pointer Dereference in runtime/vm/snapshot.h (line 216):
buffer_ = reinterpret_cast<uint8_t>(alloc_(NULL,
0,
kBufferIncrementSize));
ASSERT(*buffer_ != NULL);
triggered by the following PoC:
import("dart:coreimpl");
import("dart:core");
Math_rand()
{
return (Math.random() * 0x80000000).toInt();
}
rand(var range)
{
return ((Clock.now().toInt() + Math_rand()) % range);
}
main() {
var tab = new List();
for( int i = 0 ;; i++ )
{
tab.add(new SendPortImpl(rand(1000)));
if((i % 1024) == 0)
{
var portno = rand((tab.length / 100) + 1);
for( int j = 0; j < portno; j++ )
{
tab[j].send("w00t");
}
print("${tab.length}");
}
}
}
The text was updated successfully, but these errors were encountered: