child_process.spawnSync is memory unsafe and can be used to dump core #8539

Closed
Description

@deian
  • Version: 6.5.0
  • Platform:
  • Subsystem: child_process

child_process.spawnSync is memory unsafe and segfaults when given an array/object for the file argument with a throwing toString definition.

This doesn't seem like a serious security vulnerability (hence my reporting here), but can certainly be used to cause DoS and it might be nice to have a stdlib that is memory safe.

const file = {};
file.toString = () => { throw 'w00t'; };
const child_process = require('child_process');
child_process.spawnSync(file);
// causes ToString in src/spawn_sync.cc:933 to return empty handle which is then
// used on line 933 and thus leads to SEGFAULT

Related to: #8537, #8538, #7902

Metadata

Labels: c++ (Issues and PRs that require attention from people who are familiar with C++.), child_process (Issues and PRs related to the child_process subsystem.)

Assignees: none. Milestone: none. Projects: none.