crypto: fix memory leaks in cert validation#12089

Nibbler999 · 2017-03-28T10:42:07Z

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning.

Checklist

make -j4 test (UNIX), or vcbuild test (Windows) passes
commit message follows [commit guidelines][]

Affected core subsystem(s)

crypto

gibfahn · 2017-03-28T11:15:34Z

cc/ @nodejs/crypto

shigeki · 2017-03-28T11:17:07Z

I will take a look at this right now.

addaleax · 2017-03-28T11:21:12Z

Maybe Fixes: #12033?

CI: https://ci.nodejs.org/job/node-test-commit/8728/

shigeki · 2017-03-28T11:23:13Z

@addaleax Probably, yes.

seishun · 2017-03-28T11:28:51Z

Have we ever considered adding RAII wrappers for such functions to prevent memory leaks in the future?

shigeki · 2017-03-28T11:53:37Z

The fix is good. I will check the memory usage to see if there is no other memory growth.

indutny

One minor nit, otherwise LGTM. Good catch!

indutny · 2017-03-28T11:54:42Z

src/node_crypto.cc

Should we just store the result to int cmp and free before the condition test?

cjihrig

I like @indutny's suggestion.

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: #9469Fixes: #12033

Nibbler999 · 2017-03-28T12:19:51Z

Updated as suggested.

shigeki · 2017-03-28T16:25:37Z

Here are the graph of rss profile up to 100,000 tls.connect to two servers (verify ok and revoked with SmartCom filter). It obviously shows that this fixes the memory leaks.

@Nibbler999 Thanks for finding and fixing this.
A new CI is running on https://ci.nodejs.org/job/node-test-pull-request/7074/.
After it is green, I would like to land this and ask for a new release.
Do we need to wait for 48 hours?

shigeki · 2017-03-28T17:32:06Z

CI results are all green.

indutny

LGTM

MylesBorins

Rubber Stamp LGTM

CI is green.

MylesBorins · 2017-03-28T18:00:35Z

I vote that we skip 48 hours and land immediately so we can do a v7.x release with this asap. Then we can backport to v4.x and v6.x and get a new release out for LTS ASAP as well

shigeki · 2017-03-28T18:13:13Z

Okay, @MylesBorins , @sam-github , @addaleax and I agree it and this have enough approvals. I'll make landing this. [Edited]

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: #9469Fixes: #12033 PR-URL: #12089 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>

shigeki · 2017-03-28T18:24:10Z

Thanks for everyone making reviewing so quickly. Landed in a6f9494.
@Nibbler999 I really appreciate your fix.

@MylesBorins I would like to ask you to prepare new releases.

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: #9469Fixes: #12033 PR-URL: #12089 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>

MylesBorins · 2017-03-29T03:14:17Z

This has now been release in v7.8.0.

Will release v4.8.2-rc.1 and v6.10.2-rc.1 tomorrow

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: #9469Fixes: #12033 PR-URL: #12089 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>

This is a special LTS to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980

This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) #12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) #12123

This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980

This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) #12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) #10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) #12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) #12123

This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs#10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) nodejs#12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) nodejs#12123

This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs#10980

This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs/node#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs/node#10980 Signed-off-by: Ilkka Myller <[email protected]>

This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs/node#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs/node#10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) nodejs/node#12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) nodejs/node#12123 Signed-off-by: Ilkka Myller <[email protected]>

Notable changes: * buffer: - do not segfault on out-of-range index (Timothy Gu) nodejs/node#11927 * crypto: - Fix memory leak if certificate is revoked (Tom Atkinson) nodejs/node#12089 * deps: * upgrade npm to 4.2.0 (Kat Marchán) nodejs/node#11389 * fix async await desugaring in V8 (Michaël Zasso) nodejs/node#12004 * readline: - add option to stop duplicates in history (Danny Nemer) nodejs/node#2982 * src: - add native URL class (James M Snell) nodejs/node#11801 PR-URL: nodejs/node#12104 Signed-off-by: Ilkka Myller <[email protected]>

This is a maintenance release to fix a memory leak that was introduced in 4.8.1. It also includes an upgrade to zlib 1.2.11 to fix a number of low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes: * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs/node#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs/node#10980 Signed-off-by: Ilkka Myller <[email protected]>

This is a special LTS to fix a number of regressions that were found on the 6.10.x release line. This includes: * a fix for memory leak in the crypto module that was introduced in 6.10.1 * a fix for a regression introduced to the windows repl in 6.10.0 * a backported fix for V8 to stop a segfault that could occur when using spread syntax It also includes an upgrade to zlib 1.2.11 to fix a numberof low severity CVEs that were present in zlib 1.2.8. http://seclists.org/oss-sec/2016/q4/602 Notable changes * crypto: - fix memory leak if certificate is revoked (Tom Atkinson) nodejs/node#12089 * deps: - upgrade zlib to 1.2.11 (Sam Roberts) nodejs/node#10980 - backport V8 fixes for spread syntax regression causing segfaults (Michaël Zasso) nodejs/node#12037 * repl: - Revert commit that broke REPL display on Windows (Myles Borins) nodejs/node#12123 Signed-off-by: Ilkka Myller <[email protected]>

The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: nodejs/node#9469Fixes: nodejs/node#12033 PR-URL: nodejs/node#12089 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>

nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. labels Mar 28, 2017

addaleax mentioned this pull request Mar 28, 2017
Suspect memory leak in v6.10.1 #12033
Closed

addaleax added the memory Issues and PRs related to the memory management or memory footprint. label Mar 28, 2017

indutny approved these changes Mar 28, 2017
View reviewed changes

src/node_crypto.cc Outdated
Copy link
Member
indutnyMar 28, 2017
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we just store the result to int cmp and free before the condition test?

cjihrig approved these changes Mar 28, 2017
View reviewed changes

crypto: fix memory leak if certificate is revoked
785b766
The additional validity checks applied to StartCom and WoSign certificates failed to free memory before returning. Refs: #9469Fixes: #12033

shigeki approved these changes Mar 28, 2017
View reviewed changes

bnoordhuis approved these changes Mar 28, 2017
View reviewed changes

MylesBorins added lts-watch-v4.x labels Mar 28, 2017

indutny approved these changes Mar 28, 2017
View reviewed changes

sam-github approved these changes Mar 28, 2017
View reviewed changes

MylesBorins approved these changes Mar 28, 2017
View reviewed changes

MylesBorins mentioned this pull request Mar 28, 2017
Regressions in v4.8.1 and v6.10.1 nodejs/Release#193
Closed

shigeki closed this Mar 28, 2017

philippevk mentioned this pull request Mar 29, 2017
Memory leak with https axios/axios#791
Closed

MylesBorins mentioned this pull request Mar 29, 2017
V6.10.2 proposal #12128
Merged

MylesBorins mentioned this pull request Mar 29, 2017
v4.8.2 proposal #12129
Merged

coox mentioned this pull request Mar 31, 2017
Node v7.6.0+ memory leak #12019
Closed

italoacasas mentioned this pull request Apr 10, 2017
v7.9.0 Release Proposal #12319
Merged
2 tasks

mjmasn mentioned this pull request Apr 25, 2017
Memory Leak in Node 4.8.1 meteor/meteor#8630
Closed

Uh oh!

crypto: fix memory leaks in cert validation#12089

crypto: fix memory leaks in cert validation #12089

Uh oh!

Conversation

Nibbler999 commented Mar 28, 2017

Checklist

Affected core subsystem(s)

Uh oh!

gibfahn commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

addaleax commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

seishun commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

indutnyMar 28, 2017

Choose a reason for hiding this comment

Uh oh!

cjihrig left a comment

Choose a reason for hiding this comment

Uh oh!

Nibbler999 commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

MylesBorins left a comment

Choose a reason for hiding this comment

Uh oh!

MylesBorins commented Mar 28, 2017

Uh oh!

shigeki commented Mar 28, 2017• edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

shigeki commented Mar 28, 2017

Uh oh!

MylesBorins commented Mar 29, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants

shigeki commented Mar 28, 2017•
edited
Loading