From 37479e92b5e80df9422e2568cfe5116364120ea5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Fri, 7 Oct 2022 12:02:53 +0000 Subject: [PATCH] process: fix uid/gid validation to avoid crash id |= 0 turns unsigned 32-bit integer values exceeding the unsigned 31-bit range into negative integers, causing a crash. Use id >>>= 0 instead, which works properly for all unsigned 32-bit integers. Refs: https://github.com/nodejs/node/pull/36786 --- .../switches/does_own_process_state.js | 2 +- test/parallel/test-process-uid-gid.js | 18 +++++++----------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/lib/internal/bootstrap/switches/does_own_process_state.js b/lib/internal/bootstrap/switches/does_own_process_state.js index 2924e7f8cc17fa..0185a75e788fda 100644 --- a/lib/internal/bootstrap/switches/does_own_process_state.js +++ b/lib/internal/bootstrap/switches/does_own_process_state.js @@ -76,7 +76,7 @@ function wrapPosixCredentialSetters(credentials) { function wrapIdSetter(type, method) { return function(id) { validateId(id, 'id'); - if (typeof id === 'number') id |= 0; + if (typeof id === 'number') id >>>= 0; // Result is 0 on success, 1 if credential is unknown. const result = method(id); if (result === 1) { diff --git a/test/parallel/test-process-uid-gid.js b/test/parallel/test-process-uid-gid.js index 23c51936e0c893..54e87a6ff5c6e0 100644 --- a/test/parallel/test-process-uid-gid.js +++ b/test/parallel/test-process-uid-gid.js @@ -53,17 +53,13 @@ assert.throws(() => { // Passing -0 shouldn't crash the process // Refs: https://github.com/nodejs/node/issues/32750 -try { process.setuid(-0); } catch { - // Continue regardless of error. -} -try { process.seteuid(-0); } catch { - // Continue regardless of error. -} -try { process.setgid(-0); } catch { - // Continue regardless of error. -} -try { process.setegid(-0); } catch { - // Continue regardless of error. +// And neither should values exceeding 2 ** 31 - 1. +for (const id of [-0, 2 ** 31, 2 ** 32 - 1]) { + for (const fn of [process.setuid, process.setuid, process.setgid, process.setegid]) { + try { fn(id); } catch { + // Continue regardless of error. + } + } } // If we're not running as super user...