fix(napi): some of the unsoundness in Buffer (#1294)

* fix leaked napi refcount in `Buffer` when cloning

Cloning unconditionally increased the refcount in `Buffer::clone`, but only called `napi_reference_unref` on dropping the last Buffer (the one with `strong_count == 1`). This means that the refcount will never drop back to zero after cloning, leaking the Buffer.

This commit changes it to also unconditionally unref the buffer.

* fix multiple sources of UB in `Buffer`

- `slice::from_raw_parts` may never be created with a null pointer, but `napi_get_buffer_info` was not sufficiently checked → UB when passing an empty Buffer
- `&'static mut [u8],` is invalid, as it certainly doesn't live for `'static`

Switching to `NonNull<u8>` and a `len` field fixes both of these.

- I also don't really understand how the `impl ToNapiValue for &mut Buffer` could have been sound. It creates an entirely new `Arc`, but reuses the same `Vec` allocation, leading to... a double free of the `Vec` on drop? I have replaced it with a simple call to `clone` instead.

* remove overcomplicated bool and drop impl

As far as I can tell, by just removing the bool and letting the drop code do its thing we clean up correctly in all cases. Because `napi_create_external_buffer` gets an owned `Buffer` attached to it via the Box, we can rely on `from_raw` retrieving it in the `drop_buffer` function.
This commit is contained in:
Dennis Duda 2022-09-05 07:04:43 +02:00 committed by GitHub
parent 26f6c926d3
commit fc63ba8b52
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 63 deletions

View file

@ -3,9 +3,8 @@ use std::collections::HashSet;
use std::ffi::c_void; use std::ffi::c_void;
use std::mem; use std::mem;
use std::ops::{Deref, DerefMut}; use std::ops::{Deref, DerefMut};
use std::ptr; use std::ptr::{self, NonNull};
use std::slice; use std::slice;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc; use std::sync::Arc;
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
use std::sync::Mutex; use std::sync::Mutex;
@ -22,16 +21,16 @@ thread_local! {
/// So it is safe to use it in `async fn`, the `&[u8]` under the hood will not be dropped until the `drop` called. /// So it is safe to use it in `async fn`, the `&[u8]` under the hood will not be dropped until the `drop` called.
/// Clone will create a new `Reference` to the same underlying `JavaScript Buffer`. /// Clone will create a new `Reference` to the same underlying `JavaScript Buffer`.
pub struct Buffer { pub struct Buffer {
pub(crate) inner: &'static mut [u8], pub(crate) inner: NonNull<u8>,
pub(crate) len: usize,
pub(crate) capacity: usize, pub(crate) capacity: usize,
raw: Option<(sys::napi_ref, sys::napi_env)>, raw: Option<(sys::napi_ref, sys::napi_env)>,
// use it as ref count // use it as ref count
pub(crate) drop_in_vm: Arc<AtomicBool>, pub(crate) drop_in_vm: Arc<()>,
} }
impl Drop for Buffer { impl Drop for Buffer {
fn drop(&mut self) { fn drop(&mut self) {
if Arc::strong_count(&self.drop_in_vm) == 1 {
if let Some((ref_, env)) = self.raw { if let Some((ref_, env)) = self.raw {
check_status_or_throw!( check_status_or_throw!(
env, env,
@ -40,19 +39,15 @@ impl Drop for Buffer {
); );
return; return;
} }
// Drop in Rust side
// ```rust if Arc::strong_count(&self.drop_in_vm) == 1 {
// #[napi] unsafe { Vec::from_raw_parts(self.inner.as_ptr(), self.len, self.capacity) };
// fn buffer_len() -> u32 {
// Buffer::from(vec![1, 2, 3]).len() as u32
// }
if !self.drop_in_vm.load(Ordering::Acquire) {
unsafe { Vec::from_raw_parts(self.inner.as_mut_ptr(), self.inner.len(), self.capacity) };
}
} }
} }
} }
// SAFETY: This is undefined behavior, as the JS side may always modify the underlying buffer,
// without synchronization. Also see the docs for the `AsMut` impl.
unsafe impl Send for Buffer {} unsafe impl Send for Buffer {}
impl Buffer { impl Buffer {
@ -67,7 +62,8 @@ impl Buffer {
None None
}; };
Ok(Self { Ok(Self {
inner: unsafe { slice::from_raw_parts_mut(self.inner.as_mut_ptr(), self.inner.len()) }, inner: self.inner,
len: self.len,
capacity: self.capacity, capacity: self.capacity,
raw, raw,
drop_in_vm: self.drop_in_vm.clone(), drop_in_vm: self.drop_in_vm.clone(),
@ -92,17 +88,21 @@ impl From<Vec<u8>> for Buffer {
let capacity = data.capacity(); let capacity = data.capacity();
mem::forget(data); mem::forget(data);
Buffer { Buffer {
inner: unsafe { slice::from_raw_parts_mut(inner_ptr, len) }, // SAFETY: `Vec`'s docs guarantee that its pointer is never null (it's a dangling ptr if not
// allocated):
// > The pointer will never be null, so this type is null-pointer-optimized.
inner: unsafe { NonNull::new_unchecked(inner_ptr) },
len,
capacity, capacity,
raw: None, raw: None,
drop_in_vm: Arc::new(AtomicBool::new(false)), drop_in_vm: Arc::new(()),
} }
} }
} }
impl From<Buffer> for Vec<u8> { impl From<Buffer> for Vec<u8> {
fn from(buf: Buffer) -> Self { fn from(buf: Buffer) -> Self {
buf.inner.to_vec() buf.as_ref().to_vec()
} }
} }
@ -114,13 +114,17 @@ impl From<&[u8]> for Buffer {
impl AsRef<[u8]> for Buffer { impl AsRef<[u8]> for Buffer {
fn as_ref(&self) -> &[u8] { fn as_ref(&self) -> &[u8] {
self.inner // SAFETY: the pointer is guaranteed to be non-null, and guaranteed to be valid if `len` is not 0.
unsafe { slice::from_raw_parts(self.inner.as_ptr(), self.len) }
} }
} }
impl AsMut<[u8]> for Buffer { impl AsMut<[u8]> for Buffer {
fn as_mut(&mut self) -> &mut [u8] { fn as_mut(&mut self) -> &mut [u8] {
self.inner // SAFETY: This is literally undefined behavior. `Buffer::clone` allows you to create shared
// access to the underlying data, but `as_mut` and `deref_mut` allow unsynchronized mutation of
// that data (not to speak of the JS side having write access as well, at the same time).
unsafe { slice::from_raw_parts_mut(self.inner.as_ptr(), self.len) }
} }
} }
@ -128,13 +132,13 @@ impl Deref for Buffer {
type Target = [u8]; type Target = [u8];
fn deref(&self) -> &Self::Target { fn deref(&self) -> &Self::Target {
self.inner self.as_ref()
} }
} }
impl DerefMut for Buffer { impl DerefMut for Buffer {
fn deref_mut(&mut self) -> &mut Self::Target { fn deref_mut(&mut self) -> &mut Self::Target {
self.inner self.as_mut()
} }
} }
@ -159,14 +163,28 @@ impl FromNapiValue for Buffer {
)?; )?;
check_status!( check_status!(
unsafe { sys::napi_get_buffer_info(env, napi_val, &mut buf, &mut len as *mut usize) }, unsafe { sys::napi_get_buffer_info(env, napi_val, &mut buf, &mut len as *mut usize) },
"Failed to convert napi buffer into rust Vec<u8>" "Failed to get Buffer pointer and length"
)?; )?;
// From the docs of `napi_get_buffer_info`:
// > [out] data: The underlying data buffer of the node::Buffer. If length is 0, this may be
// > NULL or any other pointer value.
//
// In order to guarantee that `slice::from_raw_parts` is sound, the pointer must be non-null, so
// let's make sure it always is, even in the case of `napi_get_buffer_info` returning a null
// ptr.
let buf = NonNull::new(buf as *mut u8);
let inner = match buf {
Some(buf) if len != 0 => buf,
_ => NonNull::dangling(),
};
Ok(Self { Ok(Self {
inner: unsafe { slice::from_raw_parts_mut(buf as *mut _, len) }, inner,
len,
capacity: len, capacity: len,
raw: Some((ref_, env)), raw: Some((ref_, env)),
drop_in_vm: Arc::new(AtomicBool::new(true)), drop_in_vm: Arc::new(()),
}) })
} }
} }
@ -182,8 +200,7 @@ impl ToNapiValue for Buffer {
)?; )?;
return Ok(buf); return Ok(buf);
} }
let len = val.inner.len(); let len = val.len;
val.drop_in_vm.store(true, Ordering::Release);
let mut ret = ptr::null_mut(); let mut ret = ptr::null_mut();
check_status!( check_status!(
if len == 0 { if len == 0 {
@ -192,12 +209,11 @@ impl ToNapiValue for Buffer {
// the same data pointer if it's 0x0. // the same data pointer if it's 0x0.
unsafe { sys::napi_create_buffer(env, len, ptr::null_mut(), &mut ret) } unsafe { sys::napi_create_buffer(env, len, ptr::null_mut(), &mut ret) }
} else { } else {
let val_ptr = val.inner.as_mut_ptr();
unsafe { unsafe {
sys::napi_create_external_buffer( sys::napi_create_external_buffer(
env, env,
len, len,
val_ptr as *mut c_void, val.inner.as_ptr() as *mut c_void,
Some(drop_buffer), Some(drop_buffer),
Box::into_raw(Box::new(val)) as *mut c_void, Box::into_raw(Box::new(val)) as *mut c_void,
&mut ret, &mut ret,
@ -213,25 +229,10 @@ impl ToNapiValue for Buffer {
impl ToNapiValue for &mut Buffer { impl ToNapiValue for &mut Buffer {
unsafe fn to_napi_value(env: sys::napi_env, val: Self) -> Result<sys::napi_value> { unsafe fn to_napi_value(env: sys::napi_env, val: Self) -> Result<sys::napi_value> {
// From Node.js value, not from `Vec<u8>` let buf = val.clone(&Env::from(env))?;
if let Some((ref_, _)) = val.raw {
let mut buf = ptr::null_mut();
check_status!(
unsafe { sys::napi_get_reference_value(env, ref_, &mut buf) },
"Failed to get Buffer value from reference"
)?;
Ok(buf)
} else {
let buf = Buffer {
inner: unsafe { slice::from_raw_parts_mut(val.inner.as_mut_ptr(), val.capacity) },
capacity: val.capacity,
raw: None,
drop_in_vm: Arc::new(AtomicBool::new(true)),
};
unsafe { ToNapiValue::to_napi_value(env, buf) } unsafe { ToNapiValue::to_napi_value(env, buf) }
} }
} }
}
impl ValidateNapiValue for Buffer { impl ValidateNapiValue for Buffer {
unsafe fn validate(env: sys::napi_env, napi_val: sys::napi_value) -> Result<sys::napi_value> { unsafe fn validate(env: sys::napi_env, napi_val: sys::napi_value) -> Result<sys::napi_value> {

View file

@ -1,7 +1,5 @@
use std::ffi::c_void; use std::ffi::c_void;
use std::mem;
use std::rc::Rc; use std::rc::Rc;
use std::sync::Arc;
pub use callback_info::*; pub use callback_info::*;
pub use ctor::ctor; pub use ctor::ctor;
@ -86,13 +84,6 @@ pub unsafe extern "C" fn drop_buffer(
}); });
} }
unsafe { unsafe {
let buf = Box::from_raw(finalize_hint as *mut Buffer); drop(Box::from_raw(finalize_hint as *mut Buffer));
if Arc::strong_count(&buf.drop_in_vm) == 1 {
mem::drop(Vec::from_raw_parts(
finalize_data as *mut u8,
buf.inner.len(),
buf.capacity,
));
}
} }
} }