
SegFault in process while using inspector #31362

Closed
wesleytodd opened this issue Jan 15, 2020 · 5 comments

@wesleytodd
Member

wesleytodd commented Jan 15, 2020

  • Version: 13.1.0
  • Platform: Darwin 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
  • Subsystem: Inspector (maybe?)

While stepping through a specific pattern in code I am reliably able to reproduce a segmentation fault error. I have produced a reduced test case which, when run with --inspect --inspect-brk, always segfaults when I step to a specific line.

I do not think this is an exploit, but I think that sometimes a segfault can be used as a security exploit, so I wanted to post here before adding details. What should my next step be? Post the reproduction test case here?

See the reproduction below:

```js
'use strict'
// index.js

// The pattern that triggers the crash: a class with a static field is
// created while the debugger is paused on the `debugger` statement above it.
const init = function (Base, opts) {
  debugger
  return class Plugin extends Base {
    static name = 'foo'
  }
}

init(class Plugin { }, { foo: 'bar' })

// When started with the 'test' argument this file is only the debug target;
// the orchestration below runs in the parent process.
if (process.argv.includes('test')) return

const cp = require('child_process')
// Target: this same file, paused at startup by --inspect-brk.
const proc1 = cp.spawn('node', ['--inspect-brk', __filename, 'test'])
// Debugger client attached to the target by pid.
const proc2 = cp.spawn('node', ['inspect', '-p', proc1.pid])

// Report how the target died; a segfault shows up as 'Exit signal: SIGSEGV'.
proc1.on('exit', (code, signal) => {
  if (code) console.log('Exit code: ' + code.toString(16).toUpperCase())
  if (signal) console.log('Exit signal: ' + signal)
})

// Drive the client: continue to the `debugger` statement, then step twice.
setTimeout(() => proc2.stdin.write('c\n'), 1000)
setTimeout(() => proc2.stdin.write('s\n'), 1100)
setTimeout(() => proc2.stdin.write('s\n'), 1200)
```

```sh
node index.js
```
@sam-github
Contributor

It's unlikely to be a vulnerability, but if you have a repro, you could post to H1, at https://hackerone.com/nodejs, talk it over with the sec triage team, and we can bring in any v8 experts if that turns out to be necessary.

Most likely it'll end up back here in the public, but above is the safe way to have a private conversation about this.

@sam-github sam-github added the security Issues and PRs related to security. label Jan 15, 2020
@Hakerh400
Contributor

There is an issue reported about a year ago: #27637, which still reproduces the segfault with the current Node.js v13.6.0 and both Node.js inspector and Chrome 79.0.3945.117 devtools inspector and which even has a fully automated repro...

@wesleytodd
Member Author

> It's unlikely to be a vulnerability

I agree, and looking at the issue posted by @Hakerh400 it looks like this might be the same or related.

> which even has a fully automated repro...

I will follow your example and see if I can make this automated. Then I think I will post it here in the OP.

@addaleax addaleax removed the security Issues and PRs related to security. label Jan 16, 2020
@addaleax
Member

I can reproduce using the code in #27637 but not this one. It crashes inside V8, so I’ll try to get a proper stack trace from a debug build.

@wesleytodd
Member Author

Hm, the test case which I posted faithfully reproduced yesterday; today it does not. I will see if there is something else missing and re-open this if I can find it (and it looks separate from #27637). As you can see, both are related to the inspector with a static class field, so there is a chance it is really the same issue.
