-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
_stream_wrap: prevent use after free in TLS #1910
Conversation
cc @nodejs/crypto |
@bnoordhuis : let's review it anyway, even without @EricTheOne's feedback the fix that it does is still relevant |
cc @EricTheOne |
@@ -10,9 +10,11 @@ function StreamWrap(stream) { | |||
|
|||
this.stream = stream; | |||
|
|||
this.queue = null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Totally a noob question. Why are we not implementing this with an array instead of this complex enqueue and dequeue logic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is queue
supposed to be accessed directly from outside of the class?
Should it be prefixed or not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thefourtheye because I'd like to avoid lookup cost when removing elements from it
@ChALkeR Should be prefixed, thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny I am trying to understand this better. Theoretically, there will be no lookup in a queue, the first-in will be dequeued, right? If we are going to arbitrarily remove, then why not a Map
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thefourtheye there is no promise of FIFO here, and I like linked lists pretty much :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ChALkeR fixed
cc @trevnorris @shigeki @bnoordhuis @chrisdickinson maybe? Let's land this thing! |
@indutny this really seems to fix the original issue - no more segfaults and no more runaway memory allocations, thank you very much! I've been running my server for a while, and found a few errors which I haven't seen before:
Maybe it's in my code, but I don't see it in the stack traces. The patch was applied over master (0f68377) |
|
||
StreamWrap.prototype._dequeue = function dequeue(req) { | ||
var next = req._next; | ||
var prev = req._prev; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we const
these, as we don't reassign anything to them?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Patch looks good. I'd have to give it a closer look, but don't let that hold up merging it if more devs sign off before then. |
Fixed the first problem, please take a look @EricTheOne |
@indutny thanks, the original onImmediate issue seemed to be due to my code (passed a function() instead of function in to setImmediate).
Seems to be due to _handle being null in _stream_wrap.js:
|
@indutny two more issues found, in addition to finishShutdown error:
By far the most frequent is the finishShutdown error, second to it is EINVAL, and last is the assertion. |
@indutny is there any more info I can extract to help with the above three issues? |
Fixed |
@EricTheOne hopefully fixed the last ones two, thank you for reporting them! Please give it a try ;) |
@indutny this is excellent news! I applied the pull request over v2.3.1 and ran the server twice. The first thing to notice is that the server behaves much better:
We're very close to resolving this, however two issues still appear:
They happen at roughly the same time (less than 20 seconds apart) and then the server crashes. I use multiple processes so the errors may come from different child processes. I may have a clue - visually inspecting the logs, it seems that the two errors and a memory leak appear on reconnects. Especially I notice a lot of reconnects due to timeouts. I generally dispose of the sockets and create new ones. There is no kernel socket leak. |
@EricTheOne may I ask you to provide a fresh stack trace for EINVAL? (Maybe both of read/write?) |
@EricTheOne pushed one more fix, hope it helps |
@indutny with some more testing I found another issue (causing a crash). Not related to the latest commit (cb4a005):
|
@EricTheOne Could you try the latest HEAD of master? I bleave it was fixed in #2064. |
@shigeki thanks, checking now, so far seems stable |
@shigeki @indutny #2064 indeed fixes the assertion, thanks. @indutny I have reduced the rate of reconnects on the server, and neither of the two errors happen even without cb4a005. It seems like cause was either a race condition or incorrect handling of edge cases. From my point of view this work solves the original issues and does not introduce new ones, hence I'd like to see it merged. |
cc @trevnorris please do one more pass over it. @shigeki may I ask you to take a look too? |
Queued write requests should be invoked on handle close, otherwise the "consumer" might be already destroyed when the write callbacks of the "consumed" handle will be invoked. Fix: nodejs#1696
debug('end'); | ||
if (self._handle) | ||
self._handle.emitEOF(); | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: throw in a comment on why the setImmediate()
is necessary. future proofing for new devs. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, let's drop it out, and revert it back only in case of any troubles. I no longer think that it might be reasonable. (@EricTheOne: I hope you don't mind)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@indutny I don't understand the code enough to comment on the code level, but I'll retest the final version and let you know if anything new comes up.
btw just to further my understanding, why would setImmediate be resolving possible troubles there?
Left comments about cosmetic stuff, but LGTM. |
Queued write requests should be invoked on handle close, otherwise the "consumer" might be already destroyed when the write callbacks of the "consumed" handle will be invoked. Same applies to the shutdown requests. Make sure to "move" away socket from server to not break the `connections` counter in `net.js`. Otherwise it might not call `close` callback, or call it too early. Fix: #1696 PR-URL: #1910 Reviewed-By: Trevor Norris <[email protected]>
Landed in 9180140, thank you! (Decided to squash everything into one commit, because I forgot what this hotfixes belonged too) |
@indutny thanks, I'll retest with master as soon as possible. |
Queued write requests should be invoked on handle close, otherwise the "consumer" might be already destroyed when the write callbacks of the "consumed" handle will be invoked. Same applies to the shutdown requests. Make sure to "move" away socket from server to not break the `connections` counter in `net.js`. Otherwise it might not call `close` callback, or call it too early. Fix: nodejs#1696 PR-URL: nodejs#1910 Reviewed-By: Trevor Norris <[email protected]>
Queued write requests should be invoked on handle close, otherwise the
"consumer" might be already destroyed when the write callbacks of the
"consumed" handle will be invoked.
Fix: #1696
cc @EricTheOne