src: prepare for v8 sandboxing

codebytere · codebytere · commit 391bde2f1810 · 2025-10-20T19:17:42.000+02:00
nodejs/node#58376
diff --git a/patches/node/support_v8_sandboxed_pointers.patch b/patches/node/support_v8_sandboxed_pointers.patch
@@ -7,10 +7,10 @@ This refactors several allocators to allocate within the V8 memory cage,
 allowing them to be compatible with the V8_SANDBOXED_POINTERS feature.
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index fd71ceac65ccef1d2832b45b0b5612877cee22c1..cb37fa080fc8e8d524cfa2758c4a8c2c5652324d 100644
+index d10f861c969..4fad275c865 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -106,6 +106,14 @@ MaybeLocal<Value> PrepareStackTraceCallback(Local<Context> context,
+@@ -109,6 +109,14 @@ MaybeLocal<Value> PrepareStackTraceCallback(Local<Context> context,
    return result;
  }
  
@@ -25,99 +25,19 @@ index fd71ceac65ccef1d2832b45b0b5612877cee22c1..cb37fa080fc8e8d524cfa2758c4a8c2c
  void* NodeArrayBufferAllocator::Allocate(size_t size) {
    void* ret;
    if (zero_fill_field_ || per_process::cli_options->zero_fill_all_buffers)
-diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
-index f23cedf4f2449d8edc9a8de1b70332e75d693cdd..976653dd1e9363e046788fc3419a9b649ceb2ea4 100644
---- a/src/crypto/crypto_dh.cc
-+++ b/src/crypto/crypto_dh.cc
-@@ -55,13 +55,32 @@ void DiffieHellman::MemoryInfo(MemoryTracker* tracker) const {
- 
- namespace {
- MaybeLocal<Value> DataPointerToBuffer(Environment* env, DataPointer&& data) {
-+#if defined(V8_ENABLE_SANDBOX)
-+  std::unique_ptr<v8::BackingStore> backing;
-+  if (data.size() > 0) {
-+    std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+    void* v8_data = allocator->Allocate(data.size());
-+    CHECK(v8_data);
-+    memcpy(v8_data, data.get(), data.size());
-+    backing = ArrayBuffer::NewBackingStore(
-+        v8_data,
-+        data.size(),
-+        [](void* data, size_t length, void*) {
-+          std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+          allocator->Free(data, length);
-+        }, nullptr);
-+  } else {
-+    NoArrayBufferZeroFillScope no_zero_fill_scope(env->isolate_data());
-+    backing = v8::ArrayBuffer::NewBackingStore(env->isolate(), data.size());
-+  }
-+#else
-   auto backing = ArrayBuffer::NewBackingStore(
-       data.get(),
-       data.size(),
-       [](void* data, size_t len, void* ptr) { DataPointer free_me(data, len); },
-       nullptr);
-   data.release();
--
-+#endif
-   auto ab = ArrayBuffer::New(env->isolate(), std::move(backing));
-   return Buffer::New(env, ab, 0, ab->ByteLength()).FromMaybe(Local<Value>());
- }
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
-index 6346f8f7199cf7b7d3736c59571606fff102fbb6..7eea2eaefcad5780663a6b87985925ae5d70a5f9 100644
+index 12b0d804c6f..768208f2802 100644
 --- a/src/crypto/crypto_util.cc
 +++ b/src/crypto/crypto_util.cc
-@@ -359,10 +359,35 @@ ByteSource& ByteSource::operator=(ByteSource&& other) noexcept {
-   return *this;
- }
- 
--std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore() {
-+std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore(Environment* env) {
-   // It's ok for allocated_data_ to be nullptr but
-   // only if size_ is zero.
-   CHECK_IMPLIES(size_ > 0, allocated_data_ != nullptr);
-+#if defined(V8_ENABLE_SANDBOX)
-+  // When V8 sandboxed pointers are enabled, we have to copy into the memory
-+  // cage. We still want to ensure we erase the data on free though, so
-+  // provide a custom deleter that calls OPENSSL_cleanse.
-+  if (!size())
-+    return ArrayBuffer::NewBackingStore(env->isolate(), 0);
-+  std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+  void* v8_data = allocator->Allocate(size());
-+  CHECK(v8_data);
-+  memcpy(v8_data, allocated_data_, size());
-+  OPENSSL_clear_free(allocated_data_, size());
-+  std::unique_ptr<BackingStore> ptr = ArrayBuffer::NewBackingStore(
-+      v8_data,
-+      size(),
-+      [](void* data, size_t length, void*) {
-+        OPENSSL_cleanse(data, length);
-+        std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+        allocator->Free(data, length);
-+      }, nullptr);
-+  CHECK(ptr);
-+  allocated_data_ = nullptr;
-+  data_ = nullptr;
-+  size_ = 0;
-+  return ptr;
-+#else
-   std::unique_ptr<BackingStore> ptr = ArrayBuffer::NewBackingStore(
-       allocated_data_,
-       size(),
-@@ -374,10 +399,11 @@ std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore() {
+@@ -377,6 +377,7 @@ std::unique_ptr<BackingStore> ByteSource::ReleaseToBackingStore(
    data_ = nullptr;
    size_ = 0;
    return ptr;
 +#endif  // defined(V8_ENABLE_SANDBOX)
  }
  
  Local<ArrayBuffer> ByteSource::ToArrayBuffer(Environment* env) {
--  std::unique_ptr<BackingStore> store = ReleaseToBackingStore();
-+  std::unique_ptr<BackingStore> store = ReleaseToBackingStore(env);
-   return ArrayBuffer::New(env->isolate(), std::move(store));
- }
- 
-@@ -674,6 +700,16 @@ namespace {
+@@ -661,6 +662,16 @@ namespace {
  // in which case this has the same semantics as
  // using OPENSSL_malloc. However, if the secure heap is
  // initialized, SecureBuffer will automatically use it.
@@ -132,76 +52,21 @@ index 6346f8f7199cf7b7d3736c59571606fff102fbb6..7eea2eaefcad5780663a6b87985925ae
 +}
 +#else
  void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
-   CHECK(args[0]->IsUint32());
    Environment* env = Environment::GetCurrent(args);
-@@ -695,6 +731,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
-   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
+ #ifdef V8_ENABLE_SANDBOX
+@@ -703,6 +714,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
    args.GetReturnValue().Set(Uint8Array::New(buffer, 0, len));
+ #endif  // V8_ENABLE_SANDBOX
  }
 +#endif  // defined(V8_ENABLE_SANDBOX)
  
  void SecureHeapUsed(const FunctionCallbackInfo<Value>& args) {
- #ifndef OPENSSL_IS_BORINGSSL
-diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
-index ebc7fddeccf04a92c610849b626b33f900d63493..ed7d202d1b041f8a6cd43ae767d696fb29ab9cd9 100644
---- a/src/crypto/crypto_util.h
-+++ b/src/crypto/crypto_util.h
-@@ -243,7 +243,7 @@ class ByteSource {
-   // Creates a v8::BackingStore that takes over responsibility for
-   // any allocated data. The ByteSource will be reset with size = 0
-   // after being called.
--  std::unique_ptr<v8::BackingStore> ReleaseToBackingStore();
-+  std::unique_ptr<v8::BackingStore> ReleaseToBackingStore(Environment* env);
- 
-   v8::Local<v8::ArrayBuffer> ToArrayBuffer(Environment* env);
- 
-diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
-index f616223cfb0f6e10f7cf57ada9704316bde2797e..eb6dad44a49d997097c8fb5009eeb60a7305da27 100644
---- a/src/crypto/crypto_x509.cc
-+++ b/src/crypto/crypto_x509.cc
-@@ -167,6 +167,19 @@ MaybeLocal<Value> ToV8Value(Local<Context> context, const BIOPointer& bio) {
- MaybeLocal<Value> ToBuffer(Environment* env, BIOPointer* bio) {
-   if (bio == nullptr || !*bio) return {};
-   BUF_MEM* mem = *bio;
-+#if defined(V8_ENABLE_SANDBOX)
-+  std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+  void* v8_data = allocator->Allocate(mem->length);
-+  CHECK(v8_data);
-+  memcpy(v8_data, mem->data, mem->length);
-+  std::unique_ptr<v8::BackingStore> backing = ArrayBuffer::NewBackingStore(
-+      v8_data,
-+      mem->length,
-+      [](void* data, size_t length, void*) {
-+        std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+        allocator->Free(data, length);
-+      }, nullptr);
-+#else
-   auto backing = ArrayBuffer::NewBackingStore(
-       mem->data,
-       mem->length,
-@@ -174,6 +187,8 @@ MaybeLocal<Value> ToBuffer(Environment* env, BIOPointer* bio) {
-         BIOPointer free_me(static_cast<BIO*>(data));
-       },
-       bio->release());
-+#endif
-+
-   auto ab = ArrayBuffer::New(env->isolate(), std::move(backing));
-   Local<Value> ret;
-   if (!Buffer::New(env, ab, 0, ab->ByteLength()).ToLocal(&ret)) return {};
+   args.GetReturnValue().Set(
 diff --git a/src/node_i18n.cc b/src/node_i18n.cc
-index 61b6ecd240c9500f21f683065a2f920af3afb502..ad2b1c76325cb5c8f18a618c5a85ae87b6a7bbe7 100644
+index 3c4f419aa29..584d0f62743 100644
 --- a/src/node_i18n.cc
 +++ b/src/node_i18n.cc
-@@ -104,7 +104,7 @@ namespace {
- 
- template <typename T>
- MaybeLocal<Object> ToBufferEndian(Environment* env, MaybeStackBuffer<T>* buf) {
--  MaybeLocal<Object> ret = Buffer::New(env, buf);
-+  MaybeLocal<Object> ret = Buffer::Copy(env, reinterpret_cast<char*>(buf->out()), buf->length() * sizeof(T));
-   if (ret.IsEmpty())
-     return ret;
- 
-@@ -181,7 +181,7 @@ MaybeLocal<Object> TranscodeLatin1ToUcs2(Environment* env,
+@@ -182,7 +182,7 @@ MaybeLocal<Object> TranscodeLatin1ToUcs2(Environment* env,
      return {};
    }
  
@@ -210,7 +75,7 @@ index 61b6ecd240c9500f21f683065a2f920af3afb502..ad2b1c76325cb5c8f18a618c5a85ae87
  }
  
  MaybeLocal<Object> TranscodeFromUcs2(Environment* env,
-@@ -226,7 +226,7 @@ MaybeLocal<Object> TranscodeUcs2FromUtf8(Environment* env,
+@@ -227,7 +227,7 @@ MaybeLocal<Object> TranscodeUcs2FromUtf8(Environment* env,
      return {};
    }
  
@@ -219,7 +84,7 @@ index 61b6ecd240c9500f21f683065a2f920af3afb502..ad2b1c76325cb5c8f18a618c5a85ae87
  }
  
  MaybeLocal<Object> TranscodeUtf8FromUcs2(Environment* env,
-@@ -250,7 +250,7 @@ MaybeLocal<Object> TranscodeUtf8FromUcs2(Environment* env,
+@@ -251,7 +251,7 @@ MaybeLocal<Object> TranscodeUtf8FromUcs2(Environment* env,
      return {};
    }
  
@@ -229,7 +94,7 @@ index 61b6ecd240c9500f21f683065a2f920af3afb502..ad2b1c76325cb5c8f18a618c5a85ae87
  
  constexpr const char* EncodingName(const enum encoding encoding) {
 diff --git a/src/node_internals.h b/src/node_internals.h
-index 12ea72b61b0a5e194207bb369dfed4b8667107cb..64442215714a98f648971e517ddd9c77e38fe3f2 100644
+index 12ea72b61b0..64442215714 100644
 --- a/src/node_internals.h
 +++ b/src/node_internals.h
 @@ -121,7 +121,9 @@ v8::MaybeLocal<v8::Object> InitializePrivateSymbols(
@@ -253,7 +118,7 @@ index 12ea72b61b0a5e194207bb369dfed4b8667107cb..64442215714a98f648971e517ddd9c77
  
    // Delegate to V8's allocator for compatibility with the V8 memory cage.
 diff --git a/src/node_serdes.cc b/src/node_serdes.cc
-index c55a2e28066147ae5ca5def10ec76ccc03c634b4..c54183c72944989219b6437c9e571a3f7f3f8dd5 100644
+index 00fcd4b6afc..5f96ee2051e 100644
 --- a/src/node_serdes.cc
 +++ b/src/node_serdes.cc
 @@ -29,6 +29,26 @@ using v8::ValueSerializer;
@@ -307,8 +172,8 @@ index c55a2e28066147ae5ca5def10ec76ccc03c634b4..c54183c72944989219b6437c9e571a3f
  };
  
  class DeserializerContext : public BaseObject,
-@@ -144,6 +170,24 @@ Maybe<uint32_t> SerializerContext::GetSharedArrayBufferId(
-   return id.ToLocalChecked()->Uint32Value(env()->context());
+@@ -145,6 +171,24 @@ Maybe<uint32_t> SerializerContext::GetSharedArrayBufferId(
+   return id->Uint32Value(env()->context());
  }
  
 +void* SerializerContext::ReallocateBufferMemory(void* old_buffer,
@@ -331,14 +196,15 @@ index c55a2e28066147ae5ca5def10ec76ccc03c634b4..c54183c72944989219b6437c9e571a3f
 +
  Maybe<bool> SerializerContext::WriteHostObject(Isolate* isolate,
                                                 Local<Object> input) {
-   MaybeLocal<Value> ret;
-@@ -209,9 +253,14 @@ void SerializerContext::ReleaseBuffer(const FunctionCallbackInfo<Value>& args) {
+   Local<Value> args[1] = { input };
+@@ -211,10 +255,17 @@ void SerializerContext::ReleaseBuffer(const FunctionCallbackInfo<Value>& args) {
    // Note: Both ValueSerializer and this Buffer::New() variant use malloc()
    // as the underlying allocator.
    std::pair<uint8_t*, size_t> ret = ctx->serializer_.Release();
--  auto buf = Buffer::New(ctx->env(),
--                         reinterpret_cast<char*>(ret.first),
--                         ret.second);
+-  Local<Object> buf;
+-  if (Buffer::New(ctx->env(), reinterpret_cast<char*>(ret.first), ret.second)
+-          .ToLocal(&buf)) {
+-    args.GetReturnValue().Set(buf);
 +  std::unique_ptr<v8::BackingStore> bs =
 +      v8::ArrayBuffer::NewBackingStore(reinterpret_cast<char*>(ret.first), ret.second,
 +        [](void* data, size_t length, void* deleter_data) {
@@ -347,14 +213,17 @@ index c55a2e28066147ae5ca5def10ec76ccc03c634b4..c54183c72944989219b6437c9e571a3f
 +  Local<ArrayBuffer> ab = v8::ArrayBuffer::New(ctx->env()->isolate(), std::move(bs));
 +
 +  auto buf = Buffer::New(ctx->env(), ab, 0, ret.second);
++
++  if (!buf.IsEmpty()) {
++    args.GetReturnValue().Set(buf.ToLocalChecked());
+   }
+ }
  
-   if (!buf.IsEmpty()) {
-     args.GetReturnValue().Set(buf.ToLocalChecked());
 diff --git a/src/node_trace_events.cc b/src/node_trace_events.cc
-index 9787b14352753c5e0f8dc2b90093680e7cd10f1a..31af9e62396368af1b81f8841a705fd313df2b9f 100644
+index ef659f1c39f..225b1465b7c 100644
 --- a/src/node_trace_events.cc
 +++ b/src/node_trace_events.cc
-@@ -132,12 +132,28 @@ static void GetCategoryEnabledBuffer(const FunctionCallbackInfo<Value>& args) {
+@@ -129,12 +129,28 @@ static void GetCategoryEnabledBuffer(const FunctionCallbackInfo<Value>& args) {
    const uint8_t* enabled_pointer =
        TRACE_EVENT_API_GET_CATEGORY_GROUP_ENABLED(category_name.out());
    uint8_t* enabled_pointer_cast = const_cast<uint8_t*>(enabled_pointer);
