Type confusion bug in WriteFloatGeneric #12179
Comments
mscdex
added
buffer
|
See #12119 for a PR that just proposes dropping the Also, tbh it seems like a bit of a stretch to call this a security issue. If you have access to the |
|
That was actually brought up by my email to security@nodejs.org on 3/27, but I didn't want to create a redundant issue. The snippet for that the OOB write I had was: const buf = Buffer.from('w00t');
buf.writeFloatLE(0, 4, true);But this is a different kind of bug: it's a type confusion bug. It just so happens to be in the same code. I think dropping the |
|
Saw that you're on top of these! Thanks @TimothyGu! That fixed the oob issues (didn't check, but I trust). The type confusion remains, I think. On 2d039ff, this will segfault: function FB() {this.x=33; this.y=44;}
require('util').inherits(FB, Buffer);
Buffer.prototype.writeFloatLE.call(new FB(), 0, 0, true); |
|
You are right. I'm not sure how performance-heavy it would be to check for validity in all the write*() functions, though it does look necessary. |
|
@TimothyGu I think the real solution is to work with the V8 team to make these V8 compiler intrinsics. Then the JIT could eliminate the overhead. If only V8 had a LuaJIT-style integrated FFI... |
|
Dropping |
|
Accidentally closed it... reopening |
This ports the Buffer#write(Double|Float)(B|L)E functions to JS. This fixes a security issue concerning type confusion and fixes another possible crash in combination with `noAssert`. In addition to that it will also significantly improve the write performance. Fixes: nodejs#12179 Fixes: nodejs#8724
This ports the Buffer#write(Double|Float)(B|L)E functions to JS. This fixes a security issue concerning type confusion and fixes another possible crash in combination with `noAssert`. In addition to that it will also significantly improve the write performance. Fixes: nodejs#12179 Fixes: nodejs#8724 PR-URL: nodejs#18395 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The buffer writeFloatLE family functions are prone to code [remote] execution attacks via type confusion. The binding layer WriteFloatGeneric function just casts the first argument:
node/src/node_buffer.cc
Line 826 in 0e6c336
Few methods are called on the ts_obj after which if you choose a good argument means executing code with some choice.
For example, the following doesn't crash until the memcpy on my machine:
The text was updated successfully, but these errors were encountered: