nodejs/node

Internal domain function can be used to cause segfaults

tniessen opened this issue · 0 comments

  • Version: master
  • Platform: all
  • Subsystem: process / domain

The following snippet will cause a segmentation fault on master:

// This is an evil array
const array = [0];
Object.defineProperty(array, '0', {
  get() {
    throw new Error();
  }
});

// Trick the environment into thinking it is inside a domain
process._setupDomainUse(array, [])[0] = 1;

// This call will try to use the pretended domain and segfault
require('crypto').randomBytes(1024, () => { });

// The process will segfault above so this never gets printed
console.log('Still working');

This is caused by using env->domain_array->Get(0) instead of the safe variant of the Get function. This is not limited to randomBytes; there are a number of files with similar code.

The priority of this issue is very low as it uses undocumented internal functions to intentionally cause a segmentation fault. I am documenting this for the sake of completeness.