Fix use-after-free on error during module evaluation #26
Merged
E.g. if during evaluation of module A, we start loading module B and an error occurs. This results in a call to js_free_modules() with JS_FREE_MODULE_NOT_EVALUATED, and since module A isn't yet evaluated, it gets freed prematurely. To solve this we improve js_free_modules() to ensure `eval_mark` is not set. Once js_evaluate_module() returns for module A, it will notice that an exception occurred and call js_free_modules() with JS_FREE_MODULE_NOT_EVALUATED. Since `eval_mark` has been cleared by then, module A gets cleaned up as well.
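The control flow described above, as an added illustration that is not QuickJS code and not part of this pull request: a small C model of a module list whose entries carry `evaluated` and `eval_mark` flags, with a `free_modules_not_evaluated()` routine standing in for js_free_modules() and `evaluate_module()` standing in for js_evaluate_module(). The types and names (Module, Ctx, load_dependency, run_scenario) are hypothetical simplifications, and freeing is simulated with a flag so that a dangling access is counted instead of being undefined behaviour. In the A-imports-B, B-throws scenario, the unfixed path frees A while its evaluation frame is still on the stack; the fixed path frees B from the loader and A only after the mark has been cleared and the exception noticed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 8

/* Hypothetical stand-in for a module record; not the real QuickJS struct. */
typedef struct Module {
    const char *name;
    bool evaluated;      /* evaluation finished successfully */
    bool eval_mark;      /* evaluation in progress: a frame on the stack still owns this */
    bool freed;          /* simulated free; storage is kept so the result can be inspected */
    struct Module *next;
} Module;

typedef struct {
    Module pool[MAX_MODULES];
    int n_alloc;
    Module *list;        /* live modules, in the role of the context's module list */
    int uaf_touches;     /* accesses made to a module after it was freed */
} Ctx;

static Module *module_new(Ctx *ctx, const char *name) {
    Module *m = &ctx->pool[ctx->n_alloc++];
    memset(m, 0, sizeof *m);
    m->name = name;
    m->next = ctx->list;
    ctx->list = m;
    return m;
}

/* Unlink and free every module that has not been evaluated. With
 * skip_in_progress set (the fix), a module whose eval_mark is on is kept:
 * a caller further up the evaluation stack still holds a pointer to it. */
static int free_modules_not_evaluated(Ctx *ctx, bool skip_in_progress) {
    int freed = 0;
    for (Module **pp = &ctx->list; *pp; ) {
        Module *m = *pp;
        if (!m->evaluated && !(skip_in_progress && m->eval_mark)) {
            *pp = m->next;
            m->freed = true;
            freed++;
        } else {
            pp = &m->next;
        }
    }
    return freed;
}

/* Every access evaluation makes to a module goes through here, so a dangling
 * pointer is counted rather than dereferenced as freed memory. */
static void module_touch(Ctx *ctx, Module *m) {
    if (m->freed)
        ctx->uaf_touches++;
}

/* Loading dependency B, whose body throws. The loader cleans up the modules
 * it could not evaluate, which is the call that used to free the caller too. */
static int load_dependency(Ctx *ctx, const char *name, bool skip_in_progress) {
    module_new(ctx, name);
    free_modules_not_evaluated(ctx, skip_in_progress);
    return -1;
}

/* Evaluation of A: mark, load dependencies, unmark, and on error free
 * whatever was not evaluated (by then A itself is unmarked and gets freed). */
static int evaluate_module(Ctx *ctx, Module *m, const char *dep, bool skip_in_progress) {
    int ret = 0;
    m->eval_mark = true;
    if (dep && load_dependency(ctx, dep, skip_in_progress) < 0)
        ret = -1;
    module_touch(ctx, m);          /* without the fix, m was already freed by the loader */
    m->eval_mark = false;
    if (ret == 0)
        m->evaluated = true;
    else
        free_modules_not_evaluated(ctx, skip_in_progress);
    return ret;
}

/* A imports B, B throws. Returns the number of accesses to freed modules and,
 * through live_after (may be NULL), how many modules remain in the list. */
static int run_scenario(bool with_fix, int *live_after) {
    Ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    Module *a = module_new(&ctx, "A");
    evaluate_module(&ctx, a, "B", with_fix);
    if (live_after) {
        int n = 0;
        for (const Module *m = ctx.list; m; m = m->next)
            n++;
        *live_after = n;
    }
    return ctx.uaf_touches;
}

int main(void) {
    int live;
    int uaf = run_scenario(false, &live);
    printf("without fix: %d use(s) after free, %d module(s) left\n", uaf, live);
    uaf = run_scenario(true, &live);
    printf("with fix:    %d use(s) after free, %d module(s) left\n", uaf, live);
    return 0;
}
```

Both runs end with an empty module list, which is the behaviour the thread converges on: the fix does not leak A, it only defers freeing it until the frame that was still using it has returned.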
saghul (Contributor, Author) commented:
Borrowed from the Frida fork, I noticed it fixes a bug I was facing in txiki.js!
saghul added a commit to saghul/txiki.js that referenced this pull request on Nov 7, 2023.
bnoordhuis approved these changes on Nov 7, 2023.
bnoordhuis (Contributor) left a comment:
LGTM but does this mean the module isn't freed until JS_FreeContext() is called?
saghul (Contributor, Author) replied:
I can check that. I think it will be freed when the dependent module is freed. So if A imports B and B fails, first B is freed, then A after the eval is done.
saghul added a commit to saghul/txiki.js that referenced this pull request on Nov 7, 2023.
saghul (Contributor, Author) commented:
I tested and yeah, it's only freed at the end. Are we ok merging this still?
saghul (Contributor, Author) commented:
Pushed a fixup, which does free the non-evaluated modules now!