Internal domain function can be used to cause segfaults
tniessen opened this issue · 0 comments
tniessen commented
- Version: master
- Platform: all
- Subsystem: process / domain
The following snippet will cause a segmentation fault on master:
```js
// This is an evil array
const array = [0];
Object.defineProperty(array, '0', {
  get() {
    throw new Error();
  }
});
// Trick the environment into thinking it is inside a domain
process._setupDomainUse(array, [])[0] = 1;
// This call will try to use the pretended domain and segfault
require('crypto').randomBytes(1024, () => { });
// The process will segfault above so this never gets printed
console.log('Still working');
```
This is caused by using `env->domain_array->Get(0)` instead of the safe variant of the `Get` function. This is not limited to `randomBytes`; there are a number of files with similar code.
The priority of this issue is very low as it uses undocumented internal functions to intentionally cause a segmentation fault. I am documenting this for the sake of completeness.
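To make the unchecked-handle problem concrete, here is a constructed C++ model of the V8 handle idiom involved (added for this issue; it is not Node or V8 code, and the `Isolate`, `Local`, `MaybeLocal` and `JsArray` types are simplified stand-ins). A throwing accessor leaves the old-style `Get(index)` returning an empty handle that the caller dereferences, while the checked variant forces the caller to bail out instead.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Toy stand-ins for V8 types (constructed for this example, not the V8 API).
struct Isolate { bool pending_exception = false; };
struct Value { int tag; };

// Local<T> is a raw handle: dereferencing an empty one is the segfault in the issue.
template <class T> struct Local {
    T* ptr = nullptr;
    bool IsEmpty() const { return ptr == nullptr; }
    T* operator->() const { return ptr; }  // deliberately unchecked, like the real handle
};

// MaybeLocal<T> cannot be dereferenced; the caller must go through ToLocal() first.
template <class T> struct MaybeLocal {
    T* ptr = nullptr;
    bool ToLocal(Local<T>* out) const { out->ptr = ptr; return ptr != nullptr; }
};

// A JS-like array whose element 0 may be backed by an accessor that throws.
struct JsArray {
    std::vector<Value> slots;
    std::function<bool(Value*)> getter0;  // returning false emulates `throw` in the getter

    // Resolve element i; a throwing getter sets the pending exception and yields null.
    Value* Resolve(Isolate* iso, size_t i) {
        if (i == 0 && getter0 && !getter0(&slots[0])) {
            iso->pending_exception = true;
            return nullptr;
        }
        return i < slots.size() ? &slots[i] : nullptr;
    }
    // Old-style Get(index): silently returns an empty Local when the getter throws.
    Local<Value> Get(Isolate* iso, size_t i) { return Local<Value>{Resolve(iso, i)}; }
    // Checked Get(context, index) equivalent: forces the caller to handle the empty case.
    MaybeLocal<Value> GetChecked(Isolate* iso, size_t i) { return MaybeLocal<Value>{Resolve(iso, i)}; }
};

// Pattern from the bug: unchecked handle, dereferenced without looking (crashes if empty).
int UnsafeDomainTag(Isolate* iso, JsArray* domain_array) {
    Local<Value> domain = domain_array->Get(iso, 0);
    return domain->tag;  // null dereference when the getter threw
}

// Fixed pattern: return early (the exception stays pending for JS) instead of dereferencing.
int SafeDomainTag(Isolate* iso, JsArray* domain_array) {
    Local<Value> domain;
    if (!domain_array->GetChecked(iso, 0).ToLocal(&domain)) return -1;
    return domain->tag;
}
```

`SafeDomainTag` is the shape of the fix the issue asks for: every native caller that reads from the domain array checks the `MaybeLocal` result before touching the value.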