`crypto.createDiffieHellman` results in an abort #32738

Lancern · 2020-04-09T08:24:09Z

Version: 12.16.0
Platform: Linux vul337 4.15.0-91-generic new design of error handling #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Subsystem: crypto

What steps will reproduce the bug?

Directly run the following code snippet using node:

require('crypto').createDiffieHellman(0.123)

How often does it reproduce? Is there a required condition?

No. This potential bug can always be reproduced.

What is the expected behavior?

The argument to crypto.createDiffieHellman should be an integer, but we passed a floating point number into it. The function should throw an exception or other similar error-reporting stuff rather than crash the whole nodejs process.

What do you see instead?

This is the stack dump produced during abort:

node[55090]: ../src/node_buffer.cc:211:char *node::Buffer::Data(Local<v8::Value>): Assertion `val->IsArrayBufferView()' failed.
 1: 0x10003c597 node::Abort() [/usr/local/bin/node]
 2: 0x10003b5b9 node::AddEnvironmentCleanupHook(v8::Isolate*, void (*)(void*), void*) [/usr/local/bin/node]
 3: 0x10004e3dd node::Buffer::Data(v8::Local<v8::Object>) [/usr/local/bin/node]
 4: 0x10011f6c3 node::crypto::DiffieHellman::New(v8::FunctionCallbackInfo<v8::Value> const&) [/usr/local/bin/node]
 5: 0x10023663f v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) [/usr/local/bin/node]
 6: 0x1002357db v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) [/usr/local/bin/node]
 7: 0x1002351f7 v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) [/usr/local/bin/node]
 8: 0x2b916465be3d
[1]    55090 abort      node

Additional information

The text was updated successfully, but these errors were encountered:

The JS code accepted any value where `typeof sizeOrKey === 'number'` was true but the C++ code checked that `args[0]->IsInt32()` and subsequently aborted. Fixes: nodejs#32738

Validate the generator argument in `crypto.createDiffieHellman(key, g)`. When it's a number, it should be an int32. Fixes: #32748 PR-URL: #32739 Fixes: #32738 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Zeyu Yang <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: James M Snell <[email protected]>

It's possible to pass in the prime and generator params as buffers but that mode of input wasn't as rigorously checked as numeric input. PR-URL: #32739 Fixes: #32738 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Zeyu Yang <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: James M Snell <[email protected]>

The JS code accepted any value where `typeof sizeOrKey === 'number'` was true but the C++ code checked that `args[0]->IsInt32()` and subsequently aborted. Fixes: #32738 PR-URL: #32739 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Zeyu Yang <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: James M Snell <[email protected]>