electron/patches/node/support_v8_sandboxed_pointers.patch
electron-roller[bot] ab08803959
chore: bump node to v18.17.0 (main) (#39154)
* chore: bump node in DEPS to v18.17.0

* chore: update build_modify_js2c_py_to_allow_injection_of_original-fs_and_custom_embedder_js.patch

Xref: https://github.com/nodejs/node/pull/46930

manually sync patch to minor upstream code shear

* chore: update build_ensure_native_module_compilation_fails_if_not_using_a_new.patch

Xref: https://github.com/nodejs/node/pull/48248

manually sync patch to minor upstream code shear

* chore: update fix_expose_the_built-in_electron_module_via_the_esm_loader.patch

Xref: https://github.com/nodejs/node/pull/47824

chore: upstream func throwIfUnsupportedURLProtocol() has been removed, so no need to patch it

* chore: update api_pass_oomdetails_to_oomerrorcallback.patch

Xref: https://github.com/nodejs/node/pull/47695

manually sync patch to minor upstream code shear

* chore: remove fix_prevent_changing_functiontemplateinfo_after_publish.patch

Xref: https://github.com/nodejs/node/pull/46979 (upstreamed patch)

Xref: https://chromium-review.googlesource.com/c/v8/v8/+/2718147 (related)

* chore: update fix_adapt_debugger_tests_for_upstream_v8_changes.patch

Xref: https://github.com/nodejs/node/pull/47274

manually sync patch to minor upstream code shear

some tests moved from sequential to parallel

* chore: remove fix_libc_buffer_overflow_in_string_view_ctor.patch

Xref: fix_libc_buffer_overflow_in_string_view_ctor.patch

patch is no longer needed due to upstream bump to ada 2.2.0

* chore: remove fix_preventing_potential_oob_in_ada_no_scheme_parsing.patch

Xref: https://github.com/nodejs/node/pull/47339

patch is no longer needed due to upstream bump to ada 2.2.0

* chore: rebuild filenames.json

several files removed/added/changed upstream

* chore: update build_add_gn_build_files.patch

upstream dep histogram 0.11.7 moved its include path from src/ to include/

Xref: https://github.com/nodejs/node/pull/47742

* chore: update fix_crypto_tests_to_run_with_bssl.patch

Xref: https://github.com/nodejs/node/pull/47160

BoringSSL doesn't support BIO_s_secmem() (a secure heap variant of
BIO_s_mem()), so use BIO_s_mem() instead.

Related discussion of secure heap support in BoringSSL:
https://boringssl-review.googlesource.com/c/boringssl/+/54309

* fix: ftbfs in node dep ada

* fix: ftbfs in node dep uvwasi

* chore: rebuild patches

* chore: update fix_handle_boringssl_and_openssl_incompatibilities.patch

Upstream used `BIO_s_secmem()`, a secure heap variant of `BIO_s_mem()`.
BoringSSL doesn't support it, so this PR opts for `BIO_s_mem()` instead.

Upstream Node.js change that prompted this:
https://github.com/nodejs/node/pull/47160

Related discussion of BoringSSL support of secure heap:
https://boringssl-review.googlesource.com/c/boringssl/+/54309

* fix: work around Node 18 isURL() regression

* chore: sort script/node-disabled-tests.json alphabetically

* test: add parallel/test-snapshot-argv1 to disabled list

test: add parallel/test-snapshot-namespaced-builtin to disabled list

We don't support that type of snapshotting at the moment.

* chore: disable flaky node test parallel/test-dgram-send-cb-quelches-error

fails upstream in v18.x on my box as well

* ci: ensure spawned node tests have ELECTRON_RUN_AS_NODE set

* fixup! fix: work around Node 18 isURL() regression

fix: infinite loop regression

* fixup! fix: work around Node 18 isURL() regression

* chore: patch fixtures/errors/force_colors.snapshot

The line numbers in the stacktrace from our v8 build don't match what
Node's tests are expecting, so update the stacktrace to match our build.

The specific numbers probably aren't t needed for the force_colors test,
which is trying to see whether or not the lines are greyed out. One option
is to upstream a test change to stop hardcoding the stacktrace.

* fixup! fix: work around Node 18 isURL() regression

fix; pull in upstream bugfix

* fixup! ci: ensure spawned node tests have ELECTRON_RUN_AS_NODE set

chore: do not inject ELECTRON_RUN_AS_NODE in test-assert-colors.js

* chore: disable flaky node test parallel/test-debugger-random-port-with-inspect-port

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
2023-08-08 17:52:51 -05:00

250 lines
10 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <japthorp@slack-corp.com>
Date: Tue, 21 Jun 2022 10:04:21 -0700
Subject: support V8 sandboxed pointers
This refactors several allocators to allocate within the V8 memory cage,
allowing them to be compatible with the V8_SANDBOXED_POINTERS feature.
diff --git a/src/api/environment.cc b/src/api/environment.cc
index 7ef6d04794c31064c70dbbb0bfc1dd7bf4d1b8fc..d5a03d5e10faaa204b3f9f290fed79be824c78b1 100644
--- a/src/api/environment.cc
+++ b/src/api/environment.cc
@@ -87,6 +87,14 @@ MaybeLocal<Value> PrepareStackTraceCallback(Local<Context> context,
return result;
}
+NodeArrayBufferAllocator::NodeArrayBufferAllocator() {
+ zero_fill_field_ = static_cast<uint32_t*>(allocator_->Allocate(sizeof(*zero_fill_field_)));
+}
+
+NodeArrayBufferAllocator::~NodeArrayBufferAllocator() {
+ allocator_->Free(zero_fill_field_, sizeof(*zero_fill_field_));
+}
+
void* NodeArrayBufferAllocator::Allocate(size_t size) {
void* ret;
if (zero_fill_field_ || per_process::cli_options->zero_fill_all_buffers)
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 4d79fbb4a30a7e57a7456413685706d9af36b1b3..13e4d8b532cdb4c39fab30a8f4118ff8d2bca33c 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -349,10 +349,35 @@ ByteSource& ByteSource::operator=(ByteSource&& other) noexcept {
return *this;
}
-std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore() {
+std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore(Environment* env) {
// It's ok for allocated_data_ to be nullptr but
// only if size_ is zero.
CHECK_IMPLIES(size_ > 0, allocated_data_ != nullptr);
+#if defined(V8_ENABLE_SANDBOX)
+ // When V8 sandboxed pointers are enabled, we have to copy into the memory
+ // cage. We still want to ensure we erase the data on free though, so
+ // provide a custom deleter that calls OPENSSL_cleanse.
+ if (!size())
+ return ArrayBuffer::NewBackingStore(env->isolate(), 0);
+ std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
+ void* v8_data = allocator->Allocate(size());
+ CHECK(v8_data);
+ memcpy(v8_data, allocated_data_, size());
+ OPENSSL_clear_free(allocated_data_, size());
+ std::unique_ptr<BackingStore> ptr = ArrayBuffer::NewBackingStore(
+ v8_data,
+ size(),
+ [](void* data, size_t length, void*) {
+ OPENSSL_cleanse(data, length);
+ std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
+ allocator->Free(data, length);
+ }, nullptr);
+ CHECK(ptr);
+ allocated_data_ = nullptr;
+ data_ = nullptr;
+ size_ = 0;
+ return ptr;
+#else
std::unique_ptr<BackingStore> ptr = ArrayBuffer::NewBackingStore(
allocated_data_,
size(),
@@ -364,10 +389,11 @@ std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore() {
data_ = nullptr;
size_ = 0;
return ptr;
+#endif // defined(V8_ENABLE_SANDBOX)
}
Local<ArrayBuffer> ByteSource::ToArrayBuffer(Environment* env) {
- std::unique_ptr<BackingStore> store = ReleaseToBackingStore();
+ std::unique_ptr<BackingStore> store = ReleaseToBackingStore(env);
return ArrayBuffer::New(env->isolate(), std::move(store));
}
@@ -696,6 +722,16 @@ namespace {
// in which case this has the same semantics as
// using OPENSSL_malloc. However, if the secure heap is
// initialized, SecureBuffer will automatically use it.
+#if defined(V8_ENABLE_SANDBOX)
+// When V8 sandboxed pointers are enabled, the secure heap cannot be used as
+// all ArrayBuffers must be allocated inside the V8 memory cage.
+void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
+ CHECK(args[0]->IsUint32());
+ uint32_t len = args[0].As<Uint32>()->Value();
+ Local<ArrayBuffer> buffer = ArrayBuffer::New(args.GetIsolate(), len);
+ args.GetReturnValue().Set(Uint8Array::New(buffer, 0, len));
+}
+#else
void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
CHECK(args[0]->IsUint32());
Environment* env = Environment::GetCurrent(args);
@@ -717,6 +753,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
args.GetReturnValue().Set(Uint8Array::New(buffer, 0, len));
}
+#endif // defined(V8_ENABLE_SANDBOX)
void SecureHeapUsed(const FunctionCallbackInfo<Value>& args) {
#ifndef OPENSSL_IS_BORINGSSL
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
index bf19334cf61fa497c9325c1d2e996a16545f1b7f..333039b3b7cdf29e911a9c09932b2588d4cccf1a 100644
--- a/src/crypto/crypto_util.h
+++ b/src/crypto/crypto_util.h
@@ -280,7 +280,7 @@ class ByteSource {
// Creates a v8::BackingStore that takes over responsibility for
// any allocated data. The ByteSource will be reset with size = 0
// after being called.
- std::unique_ptr<v8::BackingStore> ReleaseToBackingStore();
+ std::unique_ptr<v8::BackingStore> ReleaseToBackingStore(Environment* env);
v8::Local<v8::ArrayBuffer> ToArrayBuffer(Environment* env);
diff --git a/src/node_i18n.cc b/src/node_i18n.cc
index bb810632ee6617759d9cbd24c84a5d1a3a6081aa..3faf9840eddf2db993baef0866bc8854b49c0700 100644
--- a/src/node_i18n.cc
+++ b/src/node_i18n.cc
@@ -104,7 +104,7 @@ namespace {
template <typename T>
MaybeLocal<Object> ToBufferEndian(Environment* env, MaybeStackBuffer<T>* buf) {
- MaybeLocal<Object> ret = Buffer::New(env, buf);
+ MaybeLocal<Object> ret = Buffer::Copy(env, reinterpret_cast<char*>(buf->out()), buf->length() * sizeof(T));
if (ret.IsEmpty())
return ret;
diff --git a/src/node_internals.h b/src/node_internals.h
index 427cfab4eebcab0aed33e42915f4a0e5a9db7cdf..d174b2720b0b2561ebe30437df609e0366388527 100644
--- a/src/node_internals.h
+++ b/src/node_internals.h
@@ -102,7 +102,9 @@ v8::Maybe<bool> InitializePrimordials(v8::Local<v8::Context> context);
class NodeArrayBufferAllocator : public ArrayBufferAllocator {
public:
- inline uint32_t* zero_fill_field() { return &zero_fill_field_; }
+ NodeArrayBufferAllocator();
+ ~NodeArrayBufferAllocator() override;
+ inline uint32_t* zero_fill_field() { return zero_fill_field_; }
void* Allocate(size_t size) override; // Defined in src/node.cc
void* AllocateUninitialized(size_t size) override;
@@ -121,7 +123,7 @@ class NodeArrayBufferAllocator : public ArrayBufferAllocator {
}
private:
- uint32_t zero_fill_field_ = 1; // Boolean but exposed as uint32 to JS land.
+ uint32_t* zero_fill_field_ = nullptr; // Boolean but exposed as uint32 to JS land.
std::atomic<size_t> total_mem_usage_ {0};
// Delegate to V8's allocator for compatibility with the V8 memory cage.
diff --git a/src/node_serdes.cc b/src/node_serdes.cc
index 6864f2d88b34abfa4090780d6993684cd0b366a3..0249574c4431fb5b98852699f1368f71b49691c1 100644
--- a/src/node_serdes.cc
+++ b/src/node_serdes.cc
@@ -29,6 +29,11 @@ using v8::ValueSerializer;
namespace serdes {
+v8::ArrayBuffer::Allocator* GetAllocator() {
+ static v8::ArrayBuffer::Allocator* allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
+ return allocator;
+}
+
class SerializerContext : public BaseObject,
public ValueSerializer::Delegate {
public:
@@ -37,10 +42,15 @@ class SerializerContext : public BaseObject,
~SerializerContext() override = default;
+ // v8::ValueSerializer::Delegate
void ThrowDataCloneError(Local<String> message) override;
Maybe<bool> WriteHostObject(Isolate* isolate, Local<Object> object) override;
Maybe<uint32_t> GetSharedArrayBufferId(
Isolate* isolate, Local<SharedArrayBuffer> shared_array_buffer) override;
+ void* ReallocateBufferMemory(void* old_buffer,
+ size_t old_length,
+ size_t* new_length) override;
+ void FreeBufferMemory(void* buffer) override;
static void SetTreatArrayBufferViewsAsHostObjects(
const FunctionCallbackInfo<Value>& args);
@@ -61,6 +71,7 @@ class SerializerContext : public BaseObject,
private:
ValueSerializer serializer_;
+ size_t last_length_ = 0;
};
class DeserializerContext : public BaseObject,
@@ -144,6 +155,24 @@ Maybe<uint32_t> SerializerContext::GetSharedArrayBufferId(
return id.ToLocalChecked()->Uint32Value(env()->context());
}
+void* SerializerContext::ReallocateBufferMemory(void* old_buffer,
+ size_t requested_size,
+ size_t* new_length) {
+ *new_length = std::max(static_cast<size_t>(4096), requested_size);
+ if (old_buffer) {
+ void* ret = GetAllocator()->Reallocate(old_buffer, last_length_, *new_length);
+ last_length_ = *new_length;
+ return ret;
+ } else {
+ last_length_ = *new_length;
+ return GetAllocator()->Allocate(*new_length);
+ }
+}
+
+void SerializerContext::FreeBufferMemory(void* buffer) {
+ GetAllocator()->Free(buffer, last_length_);
+}
+
Maybe<bool> SerializerContext::WriteHostObject(Isolate* isolate,
Local<Object> input) {
MaybeLocal<Value> ret;
@@ -209,9 +238,14 @@ void SerializerContext::ReleaseBuffer(const FunctionCallbackInfo<Value>& args) {
// Note: Both ValueSerializer and this Buffer::New() variant use malloc()
// as the underlying allocator.
std::pair<uint8_t*, size_t> ret = ctx->serializer_.Release();
- auto buf = Buffer::New(ctx->env(),
- reinterpret_cast<char*>(ret.first),
- ret.second);
+ std::unique_ptr<v8::BackingStore> bs =
+ v8::ArrayBuffer::NewBackingStore(reinterpret_cast<char*>(ret.first), ret.second,
+ [](void* data, size_t length, void* deleter_data) {
+ if (data) GetAllocator()->Free(reinterpret_cast<char*>(data), length);
+ }, nullptr);
+ Local<ArrayBuffer> ab = v8::ArrayBuffer::New(ctx->env()->isolate(), std::move(bs));
+
+ auto buf = Buffer::New(ctx->env(), ab, 0, ret.second);
if (!buf.IsEmpty()) {
args.GetReturnValue().Set(buf.ToLocalChecked());
diff --git a/test/parallel/test-v8-serialize-leak.js b/test/parallel/test-v8-serialize-leak.js
index 696dbfea65ba95b1157cb6f469762d4a6e196199..b342ec59100809187689d0770a462b0b99e75e58 100644
--- a/test/parallel/test-v8-serialize-leak.js
+++ b/test/parallel/test-v8-serialize-leak.js
@@ -25,5 +25,5 @@ if (process.config.variables.asan) {
} else if (process.config.variables.node_builtin_modules_path) {
assert(after < before * 4, `node_builtin_modules_path: before=${before} after=${after}`);
} else {
- assert(after < before * 2, `before=${before} after=${after}`);
+ assert(after < before * 3, `before=${before} after=${after}`);
}