asadbek064/quickjs
1
Fork 0
mirror of https://github.com/bellard/quickjs.git synced 2026-03-31 12:18:01 +00:00
Code Issues Actions Projects Releases Wiki Activity

Fix worker port use-after-free

Browse Source 
In #462 during exit we call `js_std_free_handlers()` then `JS_FreeRuntime()`.

`js_std_free_handlers()` frees the `JSThreadState` memory. However, later in
`JS_FreeRuntime()` we run GC, which runs `js_worker_finalizer` and that
accesses the port list from the already freed `JSThreadState`, so it results in
a use-after-free error.

To fix it try to run GC in `js_std_free_handlers()` just before before cleaning and
freeing `JSThreadState`.

Fix #462
This commit is contained in:
Nick Vatamaniuc 2025-11-20 15:08:07 -05:00
parent fcbf5ea2a6
commit 7d49f083d7
No known key found for this signature in database
GPG Key ID: FC04DFBC9657A78E
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
quickjs-libc.c
View File

@ -4116,6 +4116,11 @@ void js_std_free_handlers(JSRuntime *rt)
JSThreadState *ts = JS_GetRuntimeOpaque(rt);
struct list_head *el, *el1;
/* Run GC before freeing the JSThreadState. The JSThreadState */
/* contains the worker port_list and JS_FreeRuntime migth reference */
/* it when it does worker defered finalization in JS_FreeRuntime */
JS_RunGC(rt);
list_for_each_safe(el, el1, &ts->os_rw_handlers) {
JSOSRWHandler *rh = list_entry(el, JSOSRWHandler, link);
free_rw_handler(rt, rh);