n-api: fix use-after-free with napi_remove_async_cleanup_hook

Fixes: https://github.com/nodejs/node/issues/34657 Refs: https://github.com/nodejs/node/pull/34572 PR-URL: https://github.com/nodejs/node/pull/34662 Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com> Reviewed-By: James M Snell <jasnell@gmail.com>
author: Anna Henningsen <anna@addaleax.net> 2020-08-07 13:48:45 +0300
committer: James M Snell <jasnell@gmail.com> 2020-08-07 21:25:42 +0300
commit: 262d0d0482ffd2fe7d654422df9df1f350045635 (patch)
tree: d70163c29a4d11259842b33e6047c89ba297349b /src/node_api.cc
parent: 09c5942bfd0efe92e0a4f6791681be915752283d (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/node_api.cc b/src/node_api.cc
index 8f5823d7820..4fbab771d58 100644
--- a/src/node_api.cc
+++ b/src/node_api.cc
@@ -533,6 +533,7 @@ napi_status napi_add_async_cleanup_hook(
   auto handle = node::AddEnvironmentCleanupHook(env->isolate, fun, arg);
   if (remove_handle != nullptr) {
     *remove_handle = new napi_async_cleanup_hook_handle__ { std::move(handle) };
+    env->Ref();
   }
 
   return napi_clear_last_error(env);
@@ -547,6 +548,11 @@ napi_status napi_remove_async_cleanup_hook(
   node::RemoveEnvironmentCleanupHook(std::move(remove_handle->handle));
   delete remove_handle;
 
+  // Release the `env` handle asynchronously since it would be surprising if
+  // a call to a N-API function would destroy `env` synchronously.
+  static_cast<node_napi_env>(env)->node_env()
+      ->SetImmediate([env](node::Environment*) { env->Unref(); });
+
   return napi_clear_last_error(env);
 }
author	Anna Henningsen <anna@addaleax.net>	2020-08-07 13:48:45 +0300
committer	James M Snell <jasnell@gmail.com>	2020-08-07 21:25:42 +0300
commit	262d0d0482ffd2fe7d654422df9df1f350045635 (patch)
tree	d70163c29a4d11259842b33e6047c89ba297349b /src/node_api.cc
parent	09c5942bfd0efe92e0a4f6791681be915752283d (diff)