Build with mozjs68

2020-08-04 10:01:17 +02:00 · 2020-08-04 10:01:17 +02:00 · a8f5153286
commit a8f5153286
parent e84dd5fa0b
3 changed files with 228 additions and 2 deletions
--- a/libproxy-0.4.15-mozjs-use-after-free.patch
+++ b/libproxy-0.4.15-mozjs-use-after-free.patch
@ -0,0 +1,38 @@
+From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 1 May 2020 19:04:22 +0100
+Subject: [PATCH] mozjs: Avoid use-after-free
+
+If we don't assign the temporary std::string returned by
+url_.to_string() to a variable, then it immediately goes out of scope
+and is freed, resulting in the result of c_str() pointing into freed
+memory. This works about as well as you would expect.
+
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ libproxy/modules/pacrunner_mozjs.cpp | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
+index ade6d0a..aac6531 100644
+--- a/libproxy/modules/pacrunner_mozjs.cpp
+++ b/libproxy/modules/pacrunner_mozjs.cpp
+@@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner {
+ 
+ 	string run(const url& url_) throw (bad_alloc) {
+ 		// Build arguments to the FindProxyForURL() function
+-		const char *tmpurl  = url_.to_string().c_str();
+-		const char *tmphost = url_.get_host().c_str();
+-		if (!tmpurl || !tmphost) {
+-			throw bad_alloc();
+-		}
+		string tmpurl(url_.to_string());
+		string tmphost(url_.get_host());
+ 		JS::AutoValueArray<2> args(this->jsctx);
+-		args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl));
+-		args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost));
+		args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str()));
+		args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str()));
+ 
+ 		// Find the proxy (call FindProxyForURL())
+ 		JS::RootedValue rval(this->jsctx);
--- a/libproxy-0.4.15-mozjs68.patch
+++ b/libproxy-0.4.15-mozjs68.patch
@ -0,0 +1,180 @@
+From 6c9e48accddb90eef8412bef3ccc29594935d3b3 Mon Sep 17 00:00:00 2001
+From: Iain Lane <iain@orangesquash.org.uk>
+Date: Wed, 11 Mar 2020 11:54:52 +0000
+Subject: [PATCH] mozjs: Port to mozjs 68
+
+There are a number of API changes that need to be adapted to, notably
+
+  - JS_EncodeString is gone; need to use JS_EncodeStringToUTF8 now which
+    requires a rooted object to be passed in.
+  - JS_free is gone
+
+The pkg-config file ships some flags which need to be supplied to the
+build.
+---
+ libproxy/cmake/modules/pacrunner_mozjs.cmk |  6 ++-
+ libproxy/modules/pacrunner_mozjs.cpp       | 56 ++++++++++++++--------
+ 2 files changed, 41 insertions(+), 21 deletions(-)
+
+diff --git a/libproxy/cmake/modules/pacrunner_mozjs.cmk b/libproxy/cmake/modules/pacrunner_mozjs.cmk
+index 871cc85..2cc3c51 100644
+--- a/libproxy/cmake/modules/pacrunner_mozjs.cmk
+++ b/libproxy/cmake/modules/pacrunner_mozjs.cmk
+@@ -9,8 +9,12 @@ if(WIN32)
+ elseif(NOT APPLE)
+   option(WITH_MOZJS "Search for MOZJS package" ON)
+   if (WITH_MOZJS)
+-    pkg_search_module(MOZJS mozjs-60)
+    pkg_search_module(MOZJS mozjs-68)
+     if(MOZJS_FOUND)
+      foreach(OPT ${MOZJS_CFLAGS})
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPT}")
+      endforeach()
+      message("mozjs is " ${CMAKE_CXX_FLAGS})
+       include_directories(${MOZJS_INCLUDE_DIRS})
+       link_directories(${MOZJS_LIBRARY_DIRS})
+     else()
+diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp
+index 38e7d46..37e1b42 100644
+--- a/libproxy/modules/pacrunner_mozjs.cpp
+++ b/libproxy/modules/pacrunner_mozjs.cpp
+@@ -37,6 +37,9 @@ using namespace libproxy;
+ #pragma GCC diagnostic error "-Winvalid-offsetof"
+ #include <js/Initialization.h>
+ #include <js/CallArgs.h>
+#include <js/CompilationAndEvaluation.h>
+#include <js/MemoryFunctions.h>
+#include <js/SourceText.h>
+ 
+ #include "pacutils.h"
+ 
+@@ -49,19 +52,21 @@ using namespace libproxy;
+ #endif
+ 
+ static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) {
+	char *tmp;
+ 	// Get hostname argument
+-	char *tmp = JS_EncodeString(cx, hostname);
+	JS::RootedString str(cx, hostname);
+	JS::UniqueChars chars = JS_EncodeStringToUTF8(cx, str);
+	const char *val = chars.get();
+ 
+ 	// Set the default return value
+ 	argv->rval().setNull();
+ 
+ 	// Look it up
+ 	struct addrinfo *info = nullptr;
+-	if (getaddrinfo(tmp, NULL, NULL, &info))
+	if (getaddrinfo(val, NULL, NULL, &info))
+ 		goto out;
+ 
+ 	// Allocate the IP address
+-	JS_free(cx, tmp);
+ 	tmp = (char *) JS_malloc(cx, INET6_ADDRSTRLEN+1);
+ 	memset(tmp, 0, INET6_ADDRSTRLEN+1);
+ 
+@@ -77,7 +82,6 @@ static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) {
+ 
+ 	out:
+ 		if (info) freeaddrinfo(info);
+-		JS_free(cx, tmp);
+ }
+ 
+ static bool dnsResolve(JSContext *cx, unsigned argc, JS::Value *vp) {
+@@ -121,29 +125,40 @@ class mozjs_pacrunner : public pacrunner {
+ 			if (!JS::InitSelfHostedCode(this->jsctx)) goto error;
+ 
+ 			JS::RootedValue  rval(this->jsctx);
+-			JS::CompartmentOptions compart_opts;
+			JS::RealmOptions realm_opts;
+ 
+ 			this->jsglb = new JS::Heap<JSObject*>(JS_NewGlobalObject(
+ 								  this->jsctx, &cls,
+ 								  nullptr, JS::DontFireOnNewGlobalHook,
+-								  compart_opts));
+								  realm_opts));
+ 
+ 			if (!(this->jsglb)) goto error;
+ 			JS::RootedObject global(this->jsctx,this->jsglb->get());
+-			if (!(this->jsac = new JSAutoCompartment(this->jsctx,  global))) goto error;
+-			if (!JS_InitStandardClasses(this->jsctx, global))            goto error;
+			if (!(this->jsar = new JSAutoRealm(this->jsctx,  global))) goto error;
+ 
+ 			// Define Javascript functions
+ 			JS_DefineFunction(this->jsctx, global, "dnsResolve", dnsResolve, 1, 0);
+ 			JS_DefineFunction(this->jsctx, global, "myIpAddress", myIpAddress, 0, 0);
+ 			JS::CompileOptions options(this->jsctx);
+-			options.setUTF8(true);
+ 
+-			JS::Evaluate(this->jsctx, options, JAVASCRIPT_ROUTINES,
+-				     strlen(JAVASCRIPT_ROUTINES), JS::MutableHandleValue(&rval));
+			JS::SourceText<mozilla::Utf8Unit> routines, pac_source;
+			if (!routines.init(this->jsctx,
+					   JAVASCRIPT_ROUTINES,
+					   strlen(JAVASCRIPT_ROUTINES),
+					   JS::SourceOwnership::Borrowed))
+				goto error;
+
+			if (!pac_source.init(this->jsctx,
+					     pac.c_str(),
+					     pac.length(),
+					     JS::SourceOwnership::Borrowed))
+				goto error;
+
+
+			JS::Evaluate(this->jsctx, options, routines, JS::MutableHandleValue(&rval));
+ 
+ 			// Add PAC to the environment
+-			JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval));
+			JS::Evaluate(this->jsctx, options, pac_source, JS::MutableHandleValue(&rval));
+ 			return;
+ 		}
+ 		error:
+@@ -152,7 +167,7 @@ class mozjs_pacrunner : public pacrunner {
+ 	}
+ 
+ 	~mozjs_pacrunner() {
+-		if (this->jsac) delete this->jsac;
+		if (this->jsar) delete this->jsar;
+ 		if (this->jsglb) delete this->jsglb;
+ 		if (this->jsctx) JS_DestroyContext(this->jsctx);
+ 		JS_ShutDown();
+@@ -160,11 +175,9 @@ class mozjs_pacrunner : public pacrunner {
+ 
+ 	string run(const url& url_) throw (bad_alloc) {
+ 		// Build arguments to the FindProxyForURL() function
+-		char *tmpurl  = JS_strdup(this->jsctx, url_.to_string().c_str());
+-		char *tmphost = JS_strdup(this->jsctx, url_.get_host().c_str());
+		const char *tmpurl  = url_.to_string().c_str();
+		const char *tmphost = url_.get_host().c_str();
+ 		if (!tmpurl || !tmphost) {
+-			if (tmpurl) JS_free(this->jsctx, tmpurl);
+-			if (tmphost) JS_free(this->jsctx, tmphost);
+ 			throw bad_alloc();
+ 		}
+ 		JS::AutoValueArray<2> args(this->jsctx);
+@@ -176,10 +189,13 @@ class mozjs_pacrunner : public pacrunner {
+ 		JS::RootedObject global(this->jsctx,this->jsglb->get());
+ 		bool result = JS_CallFunctionName(this->jsctx, global, "FindProxyForURL", args, &rval);
+ 		if (!result) return "";
+		if (!rval.isString())
+			return "";
+ 
+-		char * tmpanswer = JS_EncodeString(this->jsctx, rval.toString());
+		JS::RootedString s(this->jsctx, rval.toString());
+		JS::UniqueChars chars = JS_EncodeStringToUTF8(this->jsctx, s);
+		const char *tmpanswer = chars.get();
+ 		string answer = string(tmpanswer);
+-		JS_free(this->jsctx, tmpanswer);
+ 
+ 		if (answer == "undefined") return "";
+ 		return answer;
+@@ -188,7 +204,7 @@ class mozjs_pacrunner : public pacrunner {
+ private:
+ 	JSContext *jsctx;
+ 	JS::Heap<JSObject*> *jsglb;
+-	JSAutoCompartment *jsac;
+	JSAutoRealm *jsar;
+ };
+ 
+ PX_PACRUNNER_MODULE_EZ(mozjs, "JS_DefineFunction", "mozjs");
--- a/libproxy.spec
+++ b/libproxy.spec
@ -4,7 +4,7 @@

 Name:           libproxy
 Version:        0.4.15
-Release:        22%{?dist}
+Release:        23%{?dist}
 Summary:        A library handling all the details of proxy configuration

 License:        LGPLv2+
@ -23,6 +23,10 @@ Patch3:         libproxy-0.4.15-mozjs52.patch
 Patch4:         libproxy-0.4.15-mozjs60.patch
 # https://github.com/libproxy/libproxy/pull/106
 Patch5:         libproxy-0.4.15-python39.patch
+# https://github.com/libproxy/libproxy/pull/109
+Patch6:         libproxy-0.4.15-mozjs68.patch
+# https://github.com/libproxy/libproxy/pull/118
+Patch7:         libproxy-0.4.15-mozjs-use-after-free.patch

 BuildRequires:  cmake >= 2.6.0
 BuildRequires:  gcc-c++
@ -32,7 +36,7 @@ BuildRequires:  libmodman-devel >= 2.0.1
 # gnome
 BuildRequires:  pkgconfig(gio-2.0) >= 2.26
 # mozjs
-BuildRequires:  pkgconfig(mozjs-60)
+BuildRequires:  pkgconfig(mozjs-68)
 # NetworkManager
 BuildRequires:  pkgconfig(libnm)
 # pacrunner (and NetworkManager)
@ -226,6 +230,10 @@ install -Dpm 0644 %{SOURCE1} %{buildroot}/%{_mandir}/man1/proxy.1


 %changelog
+* Tue Aug 04 2020 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.4.15-23
+- build with mozjs68
+- backport use after free fix for mozjs backend
+
 * Tue Aug 04 2020 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.4.15-22
 - Fix build by switching to cmake macros instead of make