From dcf3fcc16531800bad647f82c6a9a6ad600d4997 Mon Sep 17 00:00:00 2001 From: Vasili Skurydzin Date: Mon, 29 Oct 2018 10:11:59 -0400 Subject: [PATCH 1/6] deps: cherry-pick 6bc4bfe from V8 upstream Only changes to src/base/debug/stack_trace_posix.cc included. Original commit message: Fixes to V8 GN build process on aix platform src/base/debug/stack_trace_posix.cc: suppressed unused function warnings for functions DemangleSymbols, OutputPointer(in order to compile with -Werror flag) test/cctest/test-isolate-independent-builtins.cc: corrections to make ByteInText test case compatible with aix. (affects aix only) Change-Id: I49e45e63545404c77aaed3f51b26557f6f03455e Reviewed-on: https://chromium-review.googlesource.com/927484 Reviewed-by: Jakob Gruber Reviewed-by: Michael Achenbach Commit-Queue: Jakob Gruber Cr-Commit-Position: refs/heads/master@{#52071} PR-URL: https://github.com/nodejs/node/pull/23958 Reviewed-By: Refael Ackermann Reviewed-By: Michael Dawson --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/base/debug/stack_trace_posix.cc | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 43abf735d38d3e..73d98b3a9ba8f2 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 2 #define V8_BUILD_NUMBER 414 -#define V8_PATCH_LEVEL 70 +#define V8_PATCH_LEVEL 71 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/base/debug/stack_trace_posix.cc b/deps/v8/src/base/debug/stack_trace_posix.cc index 87c0a73d191e65..681dfbf9728449 100644 --- a/deps/v8/src/base/debug/stack_trace_posix.cc +++ b/deps/v8/src/base/debug/stack_trace_posix.cc 
@@ -72,6 +72,7 @@ const char kMangledSymbolPrefix[] = "_Z"; const char kSymbolCharacters[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"; +#if HAVE_EXECINFO_H // Demangles C++ symbols in the given text. Example: // // "out/Debug/base_unittests(_ZN10StackTraceC1Ev+0x20) [0x817778c]" @@ -81,7 +82,6 @@ void DemangleSymbols(std::string* text) { // Note: code in this function is NOT async-signal safe (std::string uses // malloc internally). -#if HAVE_EXECINFO_H std::string::size_type search_from = 0; while (search_from < text->size()) { @@ -117,9 +117,8 @@ void DemangleSymbols(std::string* text) { search_from = mangled_start + 2; } } - -#endif // HAVE_EXECINFO_H } +#endif // HAVE_EXECINFO_H class BacktraceOutputHandler { public: @@ -129,6 +128,7 @@ class BacktraceOutputHandler { virtual ~BacktraceOutputHandler() {} }; +#if HAVE_EXECINFO_H void OutputPointer(void* pointer, BacktraceOutputHandler* handler) { // This should be more than enough to store a 64-bit number in hex: // 16 hex digits + 1 for null-terminator. @@ -139,7 +139,6 @@ void OutputPointer(void* pointer, BacktraceOutputHandler* handler) { handler->HandleOutput(buf); } -#if HAVE_EXECINFO_H void ProcessBacktrace(void* const* trace, size_t size, BacktraceOutputHandler* handler) { // NOTE: This code MUST be async-signal safe (it's used by in-process From a2c76b3245403200a8a11531d3e5e639c0190e00 Mon Sep 17 00:00:00 2001 
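Review bot: The new `#if HAVE_EXECINFO_H` placed before the DemangleSymbols comment block (and the matching one before OutputPointer in the -129 hunk) now removes the whole function on non-execinfo builds, whereas before DemangleSymbols still existed as an empty function; nothing at the guard says why, and the -139 hunk moves the guard that ProcessBacktrace relied on. A one-line comment at each new guard would spare the next reader a git-blame, e.g. `#if HAVE_EXECINFO_H  // Only used by the execinfo backtrace path; unguarded it is an unused function under -Werror.` (that rationale is the commit message's, so phrase it accordingly). Any caller of DemangleSymbols or OutputPointer outside a HAVE_EXECINFO_H region is not visible here; the commit presumably compiled on both configurations, but it is worth confirming for the non-execinfo build.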
From: Vasili Skurydzin Date: Mon, 29 Oct 2018 10:14:50 -0400 Subject: [PATCH 2/6] deps: cherry-pick d2e0166 from V8 upstream Original commit message: ppc64, aix: Pass CallFrequency object by const reference to avoid value copy error. Bug: v8:8193 GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61976 Change-Id: I0d4efca4da03ef82651325e15ddf2160022bc8de Reviewed-on: https://chromium-review.googlesource.com/1228633 Reviewed-by: Michael Starzinger Reviewed-by: Daniel Clifford Reviewed-by: Junliang Yan Commit-Queue: Junliang Yan Cr-Commit-Position: refs/heads/master@{#56275} PR-URL: https://github.com/nodejs/node/pull/23958 Reviewed-By: Refael Ackermann Reviewed-By: Michael Dawson --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/compiler/bytecode-graph-builder.cc | 2 +- deps/v8/src/compiler/bytecode-graph-builder.h | 2 +- deps/v8/src/compiler/js-inlining.cc | 3 ++- deps/v8/src/compiler/js-operator.cc | 6 ++++-- deps/v8/src/compiler/js-operator.h | 8 ++++---- deps/v8/src/compiler/pipeline.cc | 3 ++- 7 files changed, 15 insertions(+), 11 deletions(-) diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 73d98b3a9ba8f2..95cc3573a3f723 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 2 #define V8_BUILD_NUMBER 414 -#define V8_PATCH_LEVEL 71 +#define V8_PATCH_LEVEL 72 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/compiler/bytecode-graph-builder.cc b/deps/v8/src/compiler/bytecode-graph-builder.cc index 2d68ed8b0378eb..ca98a5fe28830b 100644 --- a/deps/v8/src/compiler/bytecode-graph-builder.cc +++ b/deps/v8/src/compiler/bytecode-graph-builder.cc 
@@ -475,7 +475,7 @@ Node* BytecodeGraphBuilder::Environment::Checkpoint( BytecodeGraphBuilder::BytecodeGraphBuilder( Zone* local_zone, Handle shared_info, Handle feedback_vector, BailoutId osr_offset, - JSGraph* jsgraph, CallFrequency invocation_frequency, + JSGraph* jsgraph, CallFrequency& invocation_frequency, SourcePositionTable* source_positions, int inlining_id, JSTypeHintLowering::Flags flags, bool stack_check) : local_zone_(local_zone), diff --git a/deps/v8/src/compiler/bytecode-graph-builder.h b/deps/v8/src/compiler/bytecode-graph-builder.h index 0ec8a1f473c55c..7609ec7279eda6 100644 --- a/deps/v8/src/compiler/bytecode-graph-builder.h +++ b/deps/v8/src/compiler/bytecode-graph-builder.h @@ -28,7 +28,7 @@ class BytecodeGraphBuilder { BytecodeGraphBuilder( Zone* local_zone, Handle shared, Handle feedback_vector, BailoutId osr_offset, - JSGraph* jsgraph, CallFrequency invocation_frequency, + JSGraph* jsgraph, CallFrequency& invocation_frequency, SourcePositionTable* source_positions, int inlining_id = SourcePosition::kNotInlined, JSTypeHintLowering::Flags flags = JSTypeHintLowering::kNoFlags, diff --git a/deps/v8/src/compiler/js-inlining.cc b/deps/v8/src/compiler/js-inlining.cc index b74f94fa72cdf7..abce004367e332 100644 --- a/deps/v8/src/compiler/js-inlining.cc +++ b/deps/v8/src/compiler/js-inlining.cc @@ -539,9 +539,10 @@ Reduction JSInliner::ReduceJSCall(Node* node) { if (info_->is_bailout_on_uninitialized()) { flags |= JSTypeHintLowering::kBailoutOnUninitialized; } + CallFrequency frequency = call.frequency(); BytecodeGraphBuilder graph_builder( zone(), shared_info, feedback_vector, BailoutId::None(), jsgraph(), - call.frequency(), source_positions_, inlining_id, flags, false); + frequency, source_positions_, inlining_id, flags, false); graph_builder.CreateGraph(); // Extract the inlinee start/end nodes. diff --git a/deps/v8/src/compiler/js-operator.cc b/deps/v8/src/compiler/js-operator.cc index 2a680cd6769ad7..6ea5b850c6910a 100644 
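Review bot: The BytecodeGraphBuilder constructor now takes `CallFrequency& invocation_frequency`, a non-const lvalue reference, in both the bytecode-graph-builder.cc hunk and the bytecode-graph-builder.h hunk, although the commit message says "by const reference" and the js-operator.cc/.h hunks use `CallFrequency const&`. That is why the js-inlining.cc hunk and the pipeline.cc hunk (further down) have to introduce named locals (`CallFrequency frequency = call.frequency();`, `CallFrequency frequency = CallFrequency(1.0f);`): a temporary cannot bind to a non-const reference. Declaring and defining it as `JSGraph* jsgraph, CallFrequency const& invocation_frequency,` lets callers keep passing temporaries and documents that the builder does not mutate the caller's object. The initializer list continues outside the hunk, so whether `invocation_frequency` is copied into a member or stored as a reference is not visible; if it is stored as a reference, the callers' locals must outlive the builder, which the two call sites shown do satisfy.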
--- a/deps/v8/src/compiler/js-operator.cc +++ b/deps/v8/src/compiler/js-operator.cc @@ -731,7 +731,8 @@ const Operator* JSOperatorBuilder::CallForwardVarargs(size_t arity, parameters); // parameter } -const Operator* JSOperatorBuilder::Call(size_t arity, CallFrequency frequency, +const Operator* JSOperatorBuilder::Call(size_t arity, + CallFrequency const& frequency, VectorSlotPair const& feedback, ConvertReceiverMode convert_mode) { CallParameters parameters(arity, frequency, feedback, convert_mode); @@ -751,7 +752,8 @@ const Operator* JSOperatorBuilder::CallWithArrayLike(CallFrequency frequency) { } const Operator* JSOperatorBuilder::CallWithSpread( - uint32_t arity, CallFrequency frequency, VectorSlotPair const& feedback) { + uint32_t arity, CallFrequency const& frequency, + VectorSlotPair const& feedback) { CallParameters parameters(arity, frequency, feedback, ConvertReceiverMode::kAny); return new (zone()) Operator1( // -- diff --git a/deps/v8/src/compiler/js-operator.h b/deps/v8/src/compiler/js-operator.h index 5ea288f355eeba..0bf2c589818566 100644 --- a/deps/v8/src/compiler/js-operator.h +++ b/deps/v8/src/compiler/js-operator.h @@ -192,7 +192,7 @@ CallForwardVarargsParameters const& CallForwardVarargsParametersOf( // used as a parameter by JSCall and JSCallWithSpread operators. class CallParameters final { public: - CallParameters(size_t arity, CallFrequency frequency, + CallParameters(size_t arity, CallFrequency const& frequency, VectorSlotPair const& feedback, ConvertReceiverMode convert_mode) : bit_field_(ArityField::encode(arity) | @@ -201,7 +201,7 @@ class CallParameters final { feedback_(feedback) {} size_t arity() const { return ArityField::decode(bit_field_); } - CallFrequency frequency() const { return frequency_; } + CallFrequency const& frequency() const { return frequency_; } ConvertReceiverMode convert_mode() const { return ConvertReceiverModeField::decode(bit_field_); } 
@@ -647,12 +647,12 @@ class V8_EXPORT_PRIVATE JSOperatorBuilder final const Operator* CallForwardVarargs(size_t arity, uint32_t start_index); const Operator* Call( - size_t arity, CallFrequency frequency = CallFrequency(), + size_t arity, CallFrequency const& frequency = CallFrequency(), VectorSlotPair const& feedback = VectorSlotPair(), ConvertReceiverMode convert_mode = ConvertReceiverMode::kAny); const Operator* CallWithArrayLike(CallFrequency frequency); const Operator* CallWithSpread( - uint32_t arity, CallFrequency frequency = CallFrequency(), + uint32_t arity, CallFrequency const& frequency = CallFrequency(), VectorSlotPair const& feedback = VectorSlotPair()); const Operator* CallRuntime(Runtime::FunctionId id); const Operator* CallRuntime(Runtime::FunctionId id, size_t arity); diff --git a/deps/v8/src/compiler/pipeline.cc b/deps/v8/src/compiler/pipeline.cc index 4b91e9fc4a22fc..e5aac506e67b60 100644 --- a/deps/v8/src/compiler/pipeline.cc +++ b/deps/v8/src/compiler/pipeline.cc @@ -890,10 +890,11 @@ struct GraphBuilderPhase { if (data->info()->is_bailout_on_uninitialized()) { flags |= JSTypeHintLowering::kBailoutOnUninitialized; } + CallFrequency frequency = CallFrequency(1.0f); BytecodeGraphBuilder graph_builder( temp_zone, data->info()->shared_info(), handle(data->info()->closure()->feedback_vector()), - data->info()->osr_offset(), data->jsgraph(), CallFrequency(1.0f), + data->info()->osr_offset(), data->jsgraph(), frequency, data->source_positions(), SourcePosition::kNotInlined, flags); graph_builder.CreateGraph(); } From e083cc17c32699a3b6cb795d0931554106a2c0ae Mon Sep 17 00:00:00 2001 
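Review bot: `CallWithArrayLike(CallFrequency frequency)` is left taking the object by value in this js-operator.h hunk (context line between the two changed declarations), and the -751 hunk header in js-operator.cc shows its definition unchanged as well, while `Call` and `CallWithSpread` are switched to `CallFrequency const&`. If the GCC bug cited in the commit message is triggered by passing CallFrequency by value, this overload may still hit it on the same toolchain; if it is intentionally left alone, a short comment saying so would stop the next reader from "fixing" it. The consistent change would be `const Operator* CallWithArrayLike(CallFrequency const& frequency);` with the matching definition in js-operator.cc.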
From: Vasili Skurydzin Date: Mon, 29 Oct 2018 10:26:55 -0400 Subject: [PATCH 3/6] deps,v8: fix gyp build on Aix platform Floating this patch since the code does not exist upstream anymore. deps/v8/testing/gtest.gyp: Suppress -Wnonnull-compare, -Waddress warnings for deps/v8/testing/gtest project; deps/v8/src/compiler/store-store-elimination.cc, deps/v8/src/conversions.cc: Suppress unused function warnings in order to compile with newer (>4.8.5) gcc on Aix. PR-URL: https://github.com/nodejs/node/pull/23958 Reviewed-By: Refael Ackermann Reviewed-By: Michael Dawson --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/compiler/store-store-elimination.cc | 6 ++++++ deps/v8/src/conversions.cc | 6 ++++++ deps/v8/testing/gtest.gyp | 4 ++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 95cc3573a3f723..96f1cd6d46fb23 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 2 #define V8_BUILD_NUMBER 414 -#define V8_PATCH_LEVEL 72 +#define V8_PATCH_LEVEL 73 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/compiler/store-store-elimination.cc b/deps/v8/src/compiler/store-store-elimination.cc index 71aa2110bb7808..eaa74328f09c71 100644 --- a/deps/v8/src/compiler/store-store-elimination.cc +++ b/deps/v8/src/compiler/store-store-elimination.cc @@ -251,6 +251,9 @@ void StoreStoreElimination::Run(JSGraph* js_graph, Zone* temp_zone) { } } +#if V8_OS_AIX +ALLOW_UNUSED_TYPE +#endif bool RedundantStoreFinder::IsEffectful(Node* node) { return (node->op()->EffectInputCount() >= 1); } 
@@ -552,6 +555,9 @@ bool UnobservableStore::operator==(const UnobservableStore other) const { return (id_ == other.id_) && (offset_ == other.offset_); } +#if V8_OS_AIX +ALLOW_UNUSED_TYPE +#endif bool UnobservableStore::operator!=(const UnobservableStore other) const { return !(*this == other); } diff --git a/deps/v8/src/conversions.cc b/deps/v8/src/conversions.cc index 8956a261688b1b..1071c1f2a1b312 100644 --- a/deps/v8/src/conversions.cc +++ b/deps/v8/src/conversions.cc @@ -53,11 +53,17 @@ class StringCharacterStreamIterator { }; +#if V8_OS_AIX +ALLOW_UNUSED_TYPE +#endif StringCharacterStreamIterator::StringCharacterStreamIterator( StringCharacterStream* stream) : stream_(stream) { ++(*this); } +#if V8_OS_AIX +ALLOW_UNUSED_TYPE +#endif uint16_t StringCharacterStreamIterator::operator*() const { return current_; } diff --git a/deps/v8/testing/gtest.gyp b/deps/v8/testing/gtest.gyp index a94ee884fe9f51..ddc617537130e4 100644 --- a/deps/v8/testing/gtest.gyp +++ b/deps/v8/testing/gtest.gyp @@ -94,6 +94,10 @@ 'action????': ['$(TargetPath)', '--gtest_print_time'], }, }], + ['OS=="aix"', { + 'cflags': [ '-Wno-nonnull-compare', + '-Wno-address' ], + }], ], }], ], From 56af4074b92b49739a0a9b4c5c0cd10463827e0e Mon Sep 17 00:00:00 2001 
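Review bot: In the gtest.gyp hunk, `-Wno-nonnull-compare` is a flag that only GCC 6 and later recognise, and GCC reports an unrecognised `-Wno-` option whenever some other diagnostic is emitted in the same compilation, so on an older AIX gcc this could surface as an extra diagnostic under `-Werror` rather than stay silent. The commit message pins the target to gcc newer than 4.8.5, which is consistent with the flag being available, but the gyp entry does not say so. A comment on the new block, e.g. `# gcc >= 6 on AIX: gtest triggers -Wnonnull-compare / -Waddress`, would record the assumption next to the flags.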
From: Rod Vagg Date: Wed, 14 Nov 2018 14:01:33 +1100 Subject: [PATCH 4/6] deps: float 43e6a58d from openssl (CVE-2018-0734) Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q Ref: https://github.com/openssl/openssl/pull/7486 Ref: https://github.com/openssl/openssl/pull/7513 Ref: https://www.openssl.org/news/secadv/20181030.txt Ref: https://github.com/nodejs/node/pull/23965 Upstream: https://github.com/openssl/openssl/commit/a9cfb8c2 Upstream: https://github.com/openssl/openssl/commit/43e6a58d Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7486) Original backport commit message: Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7513) --- deps/openssl/openssl/crypto/dsa/dsa_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index 2dcfedeeee7e5c..100e2692681657 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -279,7 +279,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, goto err; /* Preallocate space */ - q_bits = BN_num_bits(dsa->q); + q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16; if (!BN_set_bit(&k, q_bits) || !BN_set_bit(&l, q_bits) || !BN_set_bit(&m, q_bits)) From 114ab64824e984e5ac706c3a16af64bfd0f7c107 Mon Sep 17 00:00:00 2001 
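Review bot: The new `q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;` is a magic expression and the surviving `/* Preallocate space */` comment does not say what it guards against; sixteen bits per byte of `BN_ULONG` is two extra limbs on both 32- and 64-bit builds, which is the whole point of the fix. Replace the comment with the why, e.g. `/* Preallocate k, l and m two limbs beyond q so that later operations never resize them (timing side channel, CVE-2018-0734) */`. The declaration of `q_bits` is outside the hunk; if it is an `int`, the `size_t` term is silently narrowed on assignment, harmless at these magnitudes but worth a cast if the file builds with conversion warnings. dsa_sign_setup's body continues outside the hunk.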
From: Rod Vagg Date: Wed, 14 Nov 2018 14:06:46 +1100 Subject: [PATCH 5/6] deps: float ebf65dbe from openssl (DSA vulnerability) Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q, not deemed severe enough to be assigned a CVE #. Ref: https://github.com/openssl/openssl/pull/7487 Ref: https://github.com/openssl/openssl/pull/7512 Ref: https://github.com/nodejs/node/pull/23965 Upstream: https://github.com/openssl/openssl/commit/415c3356 Upstream: https://github.com/openssl/openssl/commit/ebf65dbe Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7487) Original backport commit message: Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7512) --- deps/openssl/openssl/crypto/dsa/dsa_ossl.c | 34 ++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index 100e2692681657..80daf604183a6c 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", 
@@ -333,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_mod(r, r, dsa->q, ctx)) goto err; - /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) + /* Compute part of 's = inv(k) (m + xr) mod q' */ + if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) goto err; if (*kinvp != NULL) @@ -468,3 +470,31 @@ static int dsa_finish(DSA *dsa) BN_MONT_CTX_free(dsa->method_mont_p); return (1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ + BIGNUM *res = NULL; + BIGNUM *r, e; + + if ((r = BN_new()) == NULL) + return NULL; + + BN_init(&e); + + if (BN_set_word(r, 2) + && BN_sub(&e, q, r) + && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) + res = r; + else + BN_free(r); + BN_free(&e); + return res; +} From 8d77cc18de294ce1719aaaee274c5f485cf396d4 Mon Sep 17 00:00:00 2001 
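Review bot: In the new dsa_mod_inverse_fermat, `BN_mod_exp_mont(r, k, &e, q, ctx, NULL)` is given a freshly initialised exponent `e` that carries no BN_FLG_CONSTTIME, and whether the bundled 1.0.2-era BN_mod_exp_mont selects its constant-time implementation from the base's flag (the `k` the caller marks under DSA_FLAG_NO_EXP_CONSTTIME) or only from the exponent's flag is not visible here; in the copies I recall, only the exponent is checked, which would leave this call on the non-constant-time path even though the function comment says the base must not leak. Worth verifying in the bundled bn_exp.c, and cheap to make explicit by propagating the caller's choice after `BN_init(&e);`: `if (BN_get_flags(k, BN_FLG_CONSTTIME)) BN_set_flags(&e, BN_FLG_CONSTTIME);`, which keeps DSA_FLAG_NO_EXP_CONSTTIME effective. The rest of the function is fine: `r` is only an output of the mod-exp, `BN_free(&e)` on the BN_init'ed stack BIGNUM releases only its limbs, and the header comment already explains the Fermat step. The -333 hunk's call site sits inside dsa_sign_setup, whose body continues outside the hunk.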
From: Rod Vagg Date: Wed, 14 Nov 2018 14:22:27 +1100 Subject: [PATCH 6/6] deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) The fix for CVE-2018-0734, floated in 213c7d2d, failed to include a constant-time calculation for one of the variables. This introduces a fix for that. Ref: https://github.com/openssl/openssl/pull/7549 Ref: https://github.com/nodejs/node/pull/24353 Upstream: https://github.com/openssl/openssl/commit/26d7fce1 Original commit message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) --- deps/openssl/openssl/crypto/dsa/dsa_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index 80daf604183a6c..c887c3c34e3712 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -295,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(&l, BN_FLG_CONSTTIME); } - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx))