Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Close specified fd may cause a double free #38365

Closed
zyscoder opened this issue Apr 23, 2021 · 5 comments
Closed

Close specified fd may cause a double free #38365

zyscoder opened this issue Apr 23, 2021 · 5 comments
Labels
fs Issues and PRs related to the fs subsystem / file system. process Issues and PRs related to the process subsystem.

Comments

@zyscoder
Copy link

What steps will reproduce the bug?

Setup a node instance,

» node

and run the following javascript code.

fs.closeSync(8);
// fs.close(8, (err)=>{}) works too.
process.exit();

Then the node instance occurs an abort.
If invoking fs.closeSync(8) twice, then a "bad file descriptor" error message would be alert.
However, when exiting the process with process.exit(), an abort occurs. I'm not sure if any other way to trigger this problem.
This issue is almost the same as #37874, but since a double-free may have been triggered, maybe security risk should be considered.
Feel free to close this issue if you think nothing important.

How often does it reproduce? Is there a required condition?

This abort can always be triggered following the steps above.

What is the expected behavior?

If any error occurs, an exception or other similar error-reporting stuff should be thrown. There is no reason to abort the whole node process.

What do you see instead?

» node
Welcome to Node.js v16.0.0-pre.
Type ".help" for more information.
> fs.closeSync(8);
undefined
> process.exit()
[1]    95516 abort (core dumped)  /home/zys/Toolchains/node/node

Additional information
@Ayase-252 Ayase-252 added fs Issues and PRs related to the fs subsystem / file system. process Issues and PRs related to the process subsystem. labels Apr 23, 2021
@XadillaX
Copy link
Contributor

I think we should gather all the fds that are not created by exposed Node.js API and then protect them from closeing.

@jasnell
Copy link
Member

jasnell commented Apr 23, 2021

/cc @addaleax

I'd flip that a bit @XadillaX ... instead of protecting fd's that are not opened by the current Node.js process we should track and handle those that have been opened by the current process. I believe @addaleax has suggested extending the tracked fd capability that she implemented for worker threads to also cover fds opened in the main thread.

@XadillaX XadillaX mentioned this issue Apr 24, 2021
Closed
@addaleax
Copy link
Member

Yeah, #37874 (comment) would be my suggestion here. I'd also suggest closing this and #38377 as duplicates of that issue, there's no real point in tracking the behavior for different file descriptors separately.

@XadillaX
Copy link
Contributor

Yeah, #37874 (comment) would be my suggestion here. I'd also suggest closing this and #38377 as duplicates of that issue, there's no real point in tracking the behavior for different file descriptors separately.

/cc @jasnell

I mean we should trace the fd like epoll eventfd / async handle fd, etc. And throw errors when we try to use those fds in Node.js userland manually.

@addaleax addaleax mentioned this issue Apr 25, 2021
Open
@jasnell
Copy link
Member

jasnell commented Apr 27, 2021

Closing this as a duplicate of #37874.

@jasnell jasnell closed this as completed Apr 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fs Issues and PRs related to the fs subsystem / file system. process Issues and PRs related to the process subsystem.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jasnell @addaleax @XadillaX @Ayase-252 @zyscoder and others