cherry-pick various memory buffer handling fixes#483
Open
hramrach wants to merge 4 commits intobellard:masterfrom
Open
cherry-pick various memory buffer handling fixes#483hramrach wants to merge 4 commits intobellard:masterfrom
hramrach wants to merge 4 commits intobellard:masterfrom
Conversation
The Atomics operations (add, sub, and, or, xor, exchange, compareExchange,
store) capture a pointer to the buffer element before calling JS_ToUint32()
or JS_ToBigInt64() on the value arguments. These conversion functions can
execute arbitrary JavaScript via valueOf() callbacks, which may resize the
underlying ArrayBuffer.
After the value conversion, only a detached check was performed, but not a
bounds re-validation. If the buffer was resized (not detached), the stale
pointer would still be used, leading to a heap-use-after-free.
The fix re-validates the atomic access by calling js_atomics_get_ptr() again
after the value conversions. This follows the RevalidateAtomicAccess()
pattern already present in js_atomics_get_ptr() itself.
Proof of Concept:
let ab = new ArrayBuffer(1024, { maxByteLength: 2048 });
let int32Array = new Int32Array(ab);
let malicious = { valueOf: () => { ab.resize(8); return 1; } };
Atomics.add(int32Array, 200, malicious); // heap-use-after-free
philiptaron
added a commit
to philiptaron/nixpkgs
that referenced
this pull request
Jan 28, 2026
These vulnerabilities affect quickjs 2025-09-13-2 and earlier: - CVE-2026-1144: use-after-free in Atomics Ops Handler - CVE-2026-1145: heap-based buffer overflow in js_typed_array_constructor_ta Upstream fix is pending: bellard/quickjs#483 Once the PR is merged and a new release is available, this package should be updated and the knownVulnerabilities removed.
nixpkgs-ci bot
pushed a commit
to NixOS/nixpkgs
that referenced
this pull request
Feb 3, 2026
These vulnerabilities affect quickjs 2025-09-13-2 and earlier: - CVE-2026-1144: use-after-free in Atomics Ops Handler - CVE-2026-1145: heap-based buffer overflow in js_typed_array_constructor_ta Upstream fix is pending: bellard/quickjs#483 Once the PR is merged and a new release is available, this package should be updated and the knownVulnerabilities removed. (cherry picked from commit 4da05a7)
|
any update on this? |
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix from #480 with tests from quickjs-ng/quickjs#1301 and quickjs-ng/quickjs#1302
Fixes from quickjs-ng/quickjs#1305 and quickjs-ng/quickjs#1296