Skip to content
Permalink
Browse files
buffer: avoid overrun on UCS-2 string write
CVE-2018-12115
Discovered by ChALkeR - Сковорода Никита Андреевич
Fix by Anna Henningsen

Writing to the second-to-last byte with UCS-2 encoding will cause a -1
length to be send to String::Write(), writing all of the provided Buffer
from that point and beyond.

Fixes: nodejs-private/security#203
PR-URL: nodejs-private/node-private#138
  • Loading branch information
rvagg committed Aug 16, 2018
1 parent 40a7bee commit 88105c998ef9d3f54aa8f22b82ec8cc31cbfac95
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 1 deletion.
@@ -265,7 +265,11 @@ size_t StringBytes::WriteUCS2(char* buf,
size_t* chars_written) {
uint16_t* const dst = reinterpret_cast<uint16_t*>(buf);

size_t max_chars = (buflen / sizeof(*dst));
size_t max_chars = buflen / sizeof(*dst);
if (max_chars == 0) {
return 0;
}

size_t nchars;
size_t alignment = reinterpret_cast<uintptr_t>(dst) % sizeof(*dst);
if (alignment == 0) {
@@ -70,3 +70,24 @@ for (let i = 1; i < 10; i++) {
assert.ok(!Buffer.isEncoding(encoding));
assert.throws(() => Buffer.alloc(9).write('foo', encoding), error);
}

// UCS-2 overflow CVE-2018-12115
for (let i = 1; i < 4; i++) {
// Allocate two Buffers sequentially off the pool. Run more than once in case
// we hit the end of the pool and don't get sequential allocations
const x = Buffer.allocUnsafe(4).fill(0);
const y = Buffer.allocUnsafe(4).fill(1);
// Should not write anything, pos 3 doesn't have enough room for a 16-bit char
assert.strictEqual(x.write('ыыыыыы', 3, 'ucs2'), 0);
// CVE-2018-12115 experienced via buffer overrun to next block in the pool
assert.strictEqual(Buffer.compare(y, Buffer.alloc(4, 1)), 0);
}

// Should not write any data when there is no space for 16-bit chars
const z = Buffer.alloc(4, 0);
assert.strictEqual(z.write('\u0001', 3, 'ucs2'), 0);
assert.strictEqual(Buffer.compare(z, Buffer.alloc(4, 0)), 0);

// Large overrun could corrupt the process
assert.strictEqual(Buffer.alloc(4)
.write('ыыыыыы'.repeat(100), 3, 'utf16le'), 0);

0 comments on commit 88105c9

Please sign in to comment.