Node.js Security Release of v0.10.30 and v0.8.28 (V8 Memory Corruption and Stack Overflow)
162 views
Skip to first unread message
Timothy J Fontaine
Jul 31, 2014, 6:18:06 PM7/31/14
to nod...@googlegroups.com, nodej...@googlegroups.com
A memory corruption vulnerability, which results in a
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your work load involves successive `JSON.parse` calls and the
parsed objects are significantly deep, you may experience the process
aborting while parsing.
This issue was identified by Tom Steele of [^Lift
Security](https://liftsecurity.io/) and Fedor Indunty, Node.js Core
Team member worked closely with the V8 team to find our resolution.
The V8 issue is described here https://codereview.chromium.org/339883002
It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
And has been released in the following versions:
* [v0.10.30](http://nodejs.org/dist/v0.10.30)
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* [v0.8.28](http://nodejs.org/dist/v0.8.28)
http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/
### The Fix
The backport of the fix for Node.js is
```diff
diff --git a/deps/v8/src/isolate.h b/deps/v8/src/isolate.h
index b90191d..2769ca7 100644
--- a/deps/v8/src/isolate.h
+++ b/deps/v8/src/isolate.h
@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
public:
explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }
- bool HasOverflowed() const {
+ inline bool HasOverflowed() const {
StackGuard* stack_guard = isolate_->stack_guard();
- // Stack has overflowed in C++ code only if stack pointer exceeds the C++
- // stack guard and the limits are not set to interrupt values.
- // TODO(214): Stack overflows are ignored if a interrupt is pending. This
- // code should probably always use the initial C++ limit.
- return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
- stack_guard->IsStackOverflow();
+ return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
}
private:
Isolate* isolate_;
```
### Remediation
The best course of action is to patch or upgrade Node.js.
### Mitigation
To mitigate against deep JSON parsing you can limit the size of the
string you parse against, or ban clients who trigger a `RangeError`
for parsing JSON.
There is no specific maximum size of a JSON string, though keeping the
max to the size of your known message bodies is suggested. If your
message bodies cannot be over 20K, there's no reason to accept 1MB
bodies.
For web frameworks that do automatic JSON parsing, you may need to
configure the routes that accept JSON payloads to have a maximum body
size.
* [expressjs](http://expressjs.com) and
[krakenjs](http://krakenjs.com) used with the
[body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions)
plugin accepts a `limit` parameter in your JSON config
* [Hapi.js](http://hapijs.com) has `payload.maxBytes`
https://github.com/spumko/hapi/blob/master/docs/Reference.md
* [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled
`bodyParser` accepts a `maxBodySize`
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your work load involves successive `JSON.parse` calls and the
parsed objects are significantly deep, you may experience the process
aborting while parsing.
This issue was identified by Tom Steele of [^Lift
Security](https://liftsecurity.io/) and Fedor Indunty, Node.js Core
Team member worked closely with the V8 team to find our resolution.
The V8 issue is described here https://codereview.chromium.org/339883002
It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
And has been released in the following versions:
* [v0.10.30](http://nodejs.org/dist/v0.10.30)
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* [v0.8.28](http://nodejs.org/dist/v0.8.28)
http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/
### The Fix
The backport of the fix for Node.js is
```diff
diff --git a/deps/v8/src/isolate.h b/deps/v8/src/isolate.h
index b90191d..2769ca7 100644
--- a/deps/v8/src/isolate.h
+++ b/deps/v8/src/isolate.h
@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
public:
explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }
- bool HasOverflowed() const {
+ inline bool HasOverflowed() const {
StackGuard* stack_guard = isolate_->stack_guard();
- // Stack has overflowed in C++ code only if stack pointer exceeds the C++
- // stack guard and the limits are not set to interrupt values.
- // TODO(214): Stack overflows are ignored if a interrupt is pending. This
- // code should probably always use the initial C++ limit.
- return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
- stack_guard->IsStackOverflow();
+ return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
}
private:
Isolate* isolate_;
```
### Remediation
The best course of action is to patch or upgrade Node.js.
### Mitigation
To mitigate against deep JSON parsing you can limit the size of the
string you parse against, or ban clients who trigger a `RangeError`
for parsing JSON.
There is no specific maximum size of a JSON string, though keeping the
max to the size of your known message bodies is suggested. If your
message bodies cannot be over 20K, there's no reason to accept 1MB
bodies.
For web frameworks that do automatic JSON parsing, you may need to
configure the routes that accept JSON payloads to have a maximum body
size.
* [expressjs](http://expressjs.com) and
[krakenjs](http://krakenjs.com) used with the
[body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions)
plugin accepts a `limit` parameter in your JSON config
* [Hapi.js](http://hapijs.com) has `payload.maxBytes`
https://github.com/spumko/hapi/blob/master/docs/Reference.md
* [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled
`bodyParser` accepts a `maxBodySize`
Paul Cheeseman
Aug 1, 2014, 6:35:06 AM8/1/14
to nod...@googlegroups.com, nodej...@googlegroups.com
Has a CVE / CVSS score been assigned for this vulnerability?
Reply all
Reply to author
Forward
0 new messages