Headline
CVE-2022-27007: Fixed frame allocation from an awaited frame. · nginx/njs@ad48705
nginx njs 0.7.2 is affected suffers from Use-after-free in njs_function_frame_alloc() when it try to invoke from a restored frame saved with njs_function_frame_save().
Permalink
Browse files
Fixed frame allocation from an awaited frame.
njs_function_frame_save() is used to save the awaited frame when “await” instruction is encountered. The saving was done as a memcpy() of existing runtime frame.
njs_function_frame_alloc() is used to alloc a new function frame, this function tries to use a spare preallocated memory from the previous frame first. Previously, this function might result in “use-after-free” when invoked from a restored frame saved with njs_function_frame_save(). Because njs_function_frame_save() left pointers to the spare memory of the original frame which may be already free when saved frame is restored.
The fix is to erase fields for the spare memory from the saved frame.
This closes #469 issue on Github.
- Loading branch information
Showing with 31 additions and 1 deletion.
- +4 −0 src/njs_function.c
- +26 −0 test/js/async_recursive_large.t.js
- +1 −1 test/js/async_recursive_mid.t.js