fix(parse): fix use-after-free due to misusing rewind_guard

strager · strager · commit 51a2ba73dae2 · 2022-06-14T21:00:04.000-07:00
rewind_guard unconditionally rewinds. Lexer transactions use
rewind_guard, so committed transactions will cause
buffering_diag_reporter memory to be freed. This causes a use-after-free
bug (detected by fuzzing and ASAN) with the following input:

    const g = async () =&gt; {
      await (() =&gt; {
        h##
        await f({ ####### });

Fix the bug by rewinding only if the transaction was rolled back.
diff --git a/src/lex.cpp b/src/lex.cpp
@@ -1135,6 +1135,7 @@ void lexer::roll_back_transaction(lexer_transaction&& transaction) {
   this->last_last_token_end_ = transaction.old_last_last_token_end;
   this->input_ = transaction.old_input;
   this->diag_reporter_ = transaction.old_diag_reporter;
+  transaction.allocator_rewind.rewind_on_destruct();
 }
 
 bool lexer::transaction_has_lex_diagnostics(const lexer_transaction&) const
diff --git a/src/quick-lint-js/lex.h b/src/quick-lint-js/lex.h
@@ -331,7 +331,7 @@ struct lexer_transaction {
 
   // Rewinds memory allocated by 'reporter'. Must be constructed before
   // 'reporter' (thus destructed after 'reporter').
-  allocator_type::rewind_guard allocator_rewind;
+  allocator_type::conditional_rewind_guard allocator_rewind;
 
   token old_last_token;
   const char8* old_last_last_token_end;
diff --git a/src/quick-lint-js/linked-bump-allocator.h b/src/quick-lint-js/linked-bump-allocator.h
@@ -86,6 +86,34 @@ class linked_bump_allocator : public boost::container::pmr::memory_resource {
     rewind_state rewind_;
   };
 
+  // Calls allocator->rewind() when destructed iff rewind_on_destruct() was
+  // called.
+  class conditional_rewind_guard {
+   public:
+    explicit conditional_rewind_guard(linked_bump_allocator* allocator)
+        : allocator_(allocator), rewind_(allocator->prepare_for_rewind()) {}
+
+    conditional_rewind_guard(const conditional_rewind_guard&) = delete;
+    conditional_rewind_guard& operator=(const conditional_rewind_guard&) =
+        delete;
+
+    conditional_rewind_guard(conditional_rewind_guard&&) = delete;
+    conditional_rewind_guard& operator=(conditional_rewind_guard&&) = delete;
+
+    ~conditional_rewind_guard() {
+      if (this->should_rewind_) {
+        this->allocator_->rewind(std::move(this->rewind_));
+      }
+    }
+
+    void rewind_on_destruct() { this->should_rewind_ = true; }
+
+   private:
+    linked_bump_allocator* allocator_;
+    rewind_state rewind_;
+    bool should_rewind_ = false;
+  };
+
   rewind_state prepare_for_rewind() {
     return rewind_state{
         .chunk_ = this->chunk_,

Original file line number	Diff line number	Diff line change
`@@ -1135,6 +1135,7 @@ void lexer::roll_back_transaction(lexer_transaction&& transaction) {`
`1135`	`1135`	`this->last_last_token_end_ = transaction.old_last_last_token_end;`
`1136`	`1136`	`this->input_ = transaction.old_input;`
`1137`	`1137`	`this->diag_reporter_ = transaction.old_diag_reporter;`
	`1138`	`+ transaction.allocator_rewind.rewind_on_destruct();`
`1138`	`1139`	`}`
`1139`	`1140`
`1140`	`1141`	`bool lexer::transaction_has_lex_diagnostics(const lexer_transaction&) const`