[api] Implement StartupData::CanBeRehashed() for the snapshot blob

This enables the embedder to check if the snapshot generated from SnapshotCreator::CreateBlob() can be rehashed and the seed can be recomputed during deserialization. The lack of this functionality resulted in a temporary vunerability in Node.js: nodejs/node#27365 Change-Id: I88d52337217c40f79c26438be3c87d2db874d980 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578661 Commit-Queue: Joyee Cheung <joyee@igalia.com> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#61175}
joyeecheung · May 2, 2019 · e0a109c · e0a109c
1 parent 87b3416
commit e0a109c
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 2 deletions.
diff --git a/include/v8.h b/include/v8.h
@@ -8581,6 +8581,13 @@ class V8_EXPORT Isolate {
 
 class V8_EXPORT StartupData {
  public:
+  /**
+   * Whether the data created can be rehashed and and the hash seed can be
+   * recomputed when deserialized.
+   * Only valid for StartupData returned by SnapshotCreator::CreateBlob().
+   */
+  bool CanBeRehashed() const;
+
   const char* data;
   int raw_size;
 };

diff --git a/src/api.cc b/src/api.cc
@@ -887,6 +887,11 @@ StartupData SnapshotCreator::CreateBlob(
   return result;
 }
 
+bool StartupData::CanBeRehashed() const {
+  DCHECK(i::Snapshot::VerifyChecksum(this));
+  return i::Snapshot::ExtractRehashability(this);
+}
+
 void V8::SetDcheckErrorHandler(DcheckErrorCallback that) {
   v8::base::SetDcheckFunction(that);
 }

diff --git a/src/snapshot/snapshot-common.cc b/src/snapshot/snapshot-common.cc
@@ -230,7 +230,9 @@ uint32_t Snapshot::ExtractContextOffset(const v8::StartupData* data,
 
 bool Snapshot::ExtractRehashability(const v8::StartupData* data) {
   CHECK_LT(kRehashabilityOffset, static_cast<uint32_t>(data->raw_size));
-  return GetHeaderValue(data, kRehashabilityOffset) != 0;
+  uint32_t rehashability = GetHeaderValue(data, kRehashabilityOffset);
+  CHECK_IMPLIES(rehashability != 0, rehashability == 1);
+  return rehashability != 0;
 }
 
 namespace {

diff --git a/src/snapshot/snapshot.h b/src/snapshot/snapshot.h
@@ -86,11 +86,12 @@ class Snapshot : public AllStatic {
   static bool SnapshotIsValid(const v8::StartupData* snapshot_blob);
 #endif  // DEBUG
 
+  static bool ExtractRehashability(const v8::StartupData* data);
+
  private:
   static uint32_t ExtractNumContexts(const v8::StartupData* data);
   static uint32_t ExtractContextOffset(const v8::StartupData* data,
                                        uint32_t index);
-  static bool ExtractRehashability(const v8::StartupData* data);
   static Vector<const byte> ExtractStartupData(const v8::StartupData* data);
   static Vector<const byte> ExtractReadOnlyData(const v8::StartupData* data);
   static Vector<const byte> ExtractContextData(const v8::StartupData* data,

diff --git a/test/cctest/test-serialize.cc b/test/cctest/test-serialize.cc
@@ -3721,6 +3721,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedNotRehashable) {
     }
     blob =
         creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(!blob.CanBeRehashed());
   }
 
   i::FLAG_hash_seed = 1337;
@@ -3786,6 +3787,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedRehashable) {
     }
     blob =
         creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(blob.CanBeRehashed());
   }
 
   i::FLAG_hash_seed = 1337;