View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010106 | Taler | qtart | public | 2025-06-15 13:05 | 2025-06-17 00:36 |
Reporter | oec | Assigned To | Florian Dold | ||
Priority | urgent | Severity | crash | Reproducibility | random |
Status | resolved | Resolution | fixed | ||
Product Version | git (master) | ||||
Target Version | 1.0 stretch goals | ||||
Summary | 0010106: memory freed based on uninitialized counter | ||||
Description |

In quickjs-libc.c:

```c
static void js_free_host_message_pipe(JSHostMessagePipe *ps)
{
    struct list_head *el, *el1;
    JSHostMessage *msg;
    int ref_count;          /* declared but never assigned */

    if (!ps)
        return;

    assert(ref_count >= 0); /* reads the uninitialized value */
    if (ref_count == 0) {
        list_for_each_safe(el, el1, &ps->msg_queue) {
            msg = list_entry(el, JSHostMessage, link);
            js_free_host_message(msg);
        }
        pthread_mutex_destroy(&ps->mutex);
        close(ps->read_fd);
        close(ps->write_fd);
        free(ps);
    }
}
```

`ref_count` is never initialized. Yet its value is used to free a message pipe. As this is a reference-counted object, chances are that it _might_ be freed while there are still consumers, leading to a (random) use-after-free. In fact, looking at the function `js_free_message_pipe`, `ref_count` should probably be set to (but I'm not sure):

```c
ref_count = atomic_add_int(&ps->ref_count, -1);
```

Additional Information | The compiler had warned me. Why has this not been fixed already!? |
Tags | security |
Note 0025264 (Florian Dold):

```
commit 5c437a2649d0a18e0a4c944d4f2986bbe3bd6705 (HEAD -> master)
Author: Florian Dold <florian@dold.me>
Date:   Tue Jun 17 00:28:01 2025 +0200

    fix 0010106: memory freed based on uninitialized counter
```

Note 0025265 (Florian Dold):

The object is actually *not* reference-counted. However, the uninitialized variable could've led to crashes due to the assert and a (constant size) memory leak.

Note 0025268 (Florian Dold):

Looks like only clang detects this with default warnings, gcc doesn't! That's why we didn't notice/fix this earlier.
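The following is an added illustration, not code from the Taler/qtart repository or from the fix commit referenced above. It shows what an unconditional release of the pipe looks like once the (non-existent) reference count is dropped from the decision, using assumed, simplified stand-ins for `JSHostMessagePipe` and `JSHostMessage` (a singly linked queue instead of `list_head`, no mutex) and a constructed fixture that builds a pipe with a few queued messages. The free routine returns the number of messages it released so the behaviour can be checked.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed, simplified stand-ins for the quickjs-libc structures; these are
   NOT the project's own definitions. */
typedef struct JSHostMessage {
    struct JSHostMessage *next;   /* singly linked queue instead of list_head */
    void *data;
    size_t data_len;
} JSHostMessage;

typedef struct JSHostMessagePipe {
    JSHostMessage *msg_queue;     /* head of the pending message queue */
    int read_fd;
    int write_fd;
} JSHostMessagePipe;

static void js_free_host_message(JSHostMessage *msg)
{
    free(msg->data);
    free(msg);
}

/* Corrected release routine. The original declared `int ref_count;`, never
   assigned it, and then used it in `assert(ref_count >= 0)` and
   `if (ref_count == 0)` to decide whether to free anything: an assertion
   failure or a leak depending on whatever the stack happened to contain.
   Since the pipe has exactly one owner (it is not reference-counted), there
   is no counter to consult: every queued message is released, both
   descriptors are closed, and the pipe itself is freed, unconditionally. */
static int js_free_host_message_pipe(JSHostMessagePipe *ps)
{
    int freed = 0;

    if (!ps)
        return 0;

    JSHostMessage *msg = ps->msg_queue;
    while (msg) {
        JSHostMessage *next = msg->next;  /* read before the node is freed */
        js_free_host_message(msg);
        freed++;
        msg = next;
    }
    ps->msg_queue = NULL;
    close(ps->read_fd);
    close(ps->write_fd);
    free(ps);
    return freed;
}

/* Constructed fixture: a pipe backed by a real pipe(2) pair with n queued
   messages of 16 bytes each. */
static JSHostMessagePipe *make_pipe_with_messages(int n)
{
    JSHostMessagePipe *ps = calloc(1, sizeof(*ps));
    int fds[2];

    if (!ps)
        return NULL;
    if (pipe(fds) != 0) {
        free(ps);
        return NULL;
    }
    ps->read_fd = fds[0];
    ps->write_fd = fds[1];
    for (int i = 0; i < n; i++) {
        JSHostMessage *m = calloc(1, sizeof(*m));
        m->data_len = 16;
        m->data = malloc(m->data_len);
        m->next = ps->msg_queue;
        ps->msg_queue = m;
    }
    return ps;
}

int main(void)
{
    JSHostMessagePipe *ps = make_pipe_with_messages(3);
    printf("released %d messages\n", js_free_host_message_pipe(ps));
    printf("NULL pipe releases %d messages\n", js_free_host_message_pipe(NULL));
    return 0;
}
```

On the detection side, clang reports the original pattern under `-Wuninitialized` (enabled by `-Wall`), while gcc's `-Wmaybe-uninitialized` depends on the optimizer's data-flow analysis and is far more likely to fire when building with `-O2 -Wall`; at runtime, MemorySanitizer (`clang -fsanitize=memory`) or Valgrind flags the conditional jump on the uninitialized value on the first call.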
Date Modified | Username | Field | Change |
---|---|---|---|
2025-06-15 13:05 | oec | New Issue | |
2025-06-15 13:17 | oec | Description Updated | |
2025-06-15 14:59 | Christian Grothoff | Assigned To | => Florian Dold |
2025-06-15 14:59 | Christian Grothoff | Priority | normal => urgent |
2025-06-15 14:59 | Christian Grothoff | Status | new => assigned |
2025-06-15 14:59 | Christian Grothoff | Target Version | => 1.0 stretch goals |
2025-06-15 14:59 | Christian Grothoff | Tag Attached: security | |
2025-06-17 00:28 | Florian Dold | Note Added: 0025264 | |
2025-06-17 00:30 | Florian Dold | Note Added: 0025265 | |
2025-06-17 00:31 | Florian Dold | Status | assigned => resolved |
2025-06-17 00:31 | Florian Dold | Resolution | open => fixed |
2025-06-17 00:36 | Florian Dold | Note Added: 0025268 | |