From a8f5153286431ddd040fb6e7330c557cff525171 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= Date: Tue, 4 Aug 2020 10:01:17 +0200 Subject: [PATCH] Build with mozjs68 --- libproxy-0.4.15-mozjs-use-after-free.patch | 38 +++++ libproxy-0.4.15-mozjs68.patch | 180 +++++++++++++++++++++ libproxy.spec | 12 +- 3 files changed, 228 insertions(+), 2 deletions(-) create mode 100644 libproxy-0.4.15-mozjs-use-after-free.patch create mode 100644 libproxy-0.4.15-mozjs68.patch diff --git a/libproxy-0.4.15-mozjs-use-after-free.patch b/libproxy-0.4.15-mozjs-use-after-free.patch new file mode 100644 index 0000000..f63a394 --- /dev/null +++ b/libproxy-0.4.15-mozjs-use-after-free.patch @@ -0,0 +1,38 @@ +From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 1 May 2020 19:04:22 +0100 +Subject: [PATCH] mozjs: Avoid use-after-free + +If we don't assign the temporary std::string returned by +url_.to_string() to a variable, then it immediately goes out of scope +and is freed, resulting in the result of c_str() pointing into freed +memory. This works about as well as you would expect. + +Signed-off-by: Simon McVittie +--- + libproxy/modules/pacrunner_mozjs.cpp | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp +index ade6d0a..aac6531 100644 +--- a/libproxy/modules/pacrunner_mozjs.cpp ++++ b/libproxy/modules/pacrunner_mozjs.cpp +@@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner { + + string run(const url& url_) throw (bad_alloc) { + // Build arguments to the FindProxyForURL() function +- const char *tmpurl = url_.to_string().c_str(); +- const char *tmphost = url_.get_host().c_str(); +- if (!tmpurl || !tmphost) { +- throw bad_alloc(); +- } ++ string tmpurl(url_.to_string()); ++ string tmphost(url_.get_host()); + JS::AutoValueArray<2> args(this->jsctx); +- args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl)); +- args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost)); ++ args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str())); ++ args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str())); + + // Find the proxy (call FindProxyForURL()) + JS::RootedValue rval(this->jsctx); diff --git a/libproxy-0.4.15-mozjs68.patch b/libproxy-0.4.15-mozjs68.patch new file mode 100644 index 0000000..7784dc8 --- /dev/null +++ b/libproxy-0.4.15-mozjs68.patch @@ -0,0 +1,180 @@ +From 6c9e48accddb90eef8412bef3ccc29594935d3b3 Mon Sep 17 00:00:00 2001 +From: Iain Lane +Date: Wed, 11 Mar 2020 11:54:52 +0000 +Subject: [PATCH] mozjs: Port to mozjs 68 + +There are a number of API changes that need to be adapted to, notably + + - JS_EncodeString is gone; need to use JS_EncodeStringToUTF8 now which + requires a rooted object to be passed in. + - JS_free is gone + +The pkg-config file ships some flags which need to be supplied to the +build. +--- + libproxy/cmake/modules/pacrunner_mozjs.cmk | 6 ++- + libproxy/modules/pacrunner_mozjs.cpp | 56 ++++++++++++++-------- + 2 files changed, 41 insertions(+), 21 deletions(-) + +diff --git a/libproxy/cmake/modules/pacrunner_mozjs.cmk b/libproxy/cmake/modules/pacrunner_mozjs.cmk +index 871cc85..2cc3c51 100644 +--- a/libproxy/cmake/modules/pacrunner_mozjs.cmk ++++ b/libproxy/cmake/modules/pacrunner_mozjs.cmk +@@ -9,8 +9,12 @@ if(WIN32) + elseif(NOT APPLE) + option(WITH_MOZJS "Search for MOZJS package" ON) + if (WITH_MOZJS) +- pkg_search_module(MOZJS mozjs-60) ++ pkg_search_module(MOZJS mozjs-68) + if(MOZJS_FOUND) ++ foreach(OPT ${MOZJS_CFLAGS}) ++ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPT}") ++ endforeach() ++ message("mozjs is " ${CMAKE_CXX_FLAGS}) + include_directories(${MOZJS_INCLUDE_DIRS}) + link_directories(${MOZJS_LIBRARY_DIRS}) + else() +diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp +index 38e7d46..37e1b42 100644 +--- a/libproxy/modules/pacrunner_mozjs.cpp ++++ b/libproxy/modules/pacrunner_mozjs.cpp +@@ -37,6 +37,9 @@ using namespace libproxy; + #pragma GCC diagnostic error "-Winvalid-offsetof" + #include + #include ++#include ++#include ++#include + + #include "pacutils.h" + +@@ -49,19 +52,21 @@ using namespace libproxy; + #endif + + static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) { ++ char *tmp; + // Get hostname argument +- char *tmp = JS_EncodeString(cx, hostname); ++ JS::RootedString str(cx, hostname); ++ JS::UniqueChars chars = JS_EncodeStringToUTF8(cx, str); ++ const char *val = chars.get(); + + // Set the default return value + argv->rval().setNull(); + + // Look it up + struct addrinfo *info = nullptr; +- if (getaddrinfo(tmp, NULL, NULL, &info)) ++ if (getaddrinfo(val, NULL, NULL, &info)) + goto out; + + // Allocate the IP address +- JS_free(cx, tmp); + tmp = (char *) JS_malloc(cx, INET6_ADDRSTRLEN+1); + memset(tmp, 0, INET6_ADDRSTRLEN+1); + +@@ -77,7 +82,6 @@ static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) { + + out: + if (info) freeaddrinfo(info); +- JS_free(cx, tmp); + } + + static bool dnsResolve(JSContext *cx, unsigned argc, JS::Value *vp) { +@@ -121,29 +125,40 @@ class mozjs_pacrunner : public pacrunner { + if (!JS::InitSelfHostedCode(this->jsctx)) goto error; + + JS::RootedValue rval(this->jsctx); +- JS::CompartmentOptions compart_opts; ++ JS::RealmOptions realm_opts; + + this->jsglb = new JS::Heap(JS_NewGlobalObject( + this->jsctx, &cls, + nullptr, JS::DontFireOnNewGlobalHook, +- compart_opts)); ++ realm_opts)); + + if (!(this->jsglb)) goto error; + JS::RootedObject global(this->jsctx,this->jsglb->get()); +- if (!(this->jsac = new JSAutoCompartment(this->jsctx, global))) goto error; +- if (!JS_InitStandardClasses(this->jsctx, global)) goto error; ++ if (!(this->jsar = new JSAutoRealm(this->jsctx, global))) goto error; + + // Define Javascript functions + JS_DefineFunction(this->jsctx, global, "dnsResolve", dnsResolve, 1, 0); + JS_DefineFunction(this->jsctx, global, "myIpAddress", myIpAddress, 0, 0); + JS::CompileOptions options(this->jsctx); +- options.setUTF8(true); + +- JS::Evaluate(this->jsctx, options, JAVASCRIPT_ROUTINES, +- strlen(JAVASCRIPT_ROUTINES), JS::MutableHandleValue(&rval)); ++ JS::SourceText routines, pac_source; ++ if (!routines.init(this->jsctx, ++ JAVASCRIPT_ROUTINES, ++ strlen(JAVASCRIPT_ROUTINES), ++ JS::SourceOwnership::Borrowed)) ++ goto error; ++ ++ if (!pac_source.init(this->jsctx, ++ pac.c_str(), ++ pac.length(), ++ JS::SourceOwnership::Borrowed)) ++ goto error; ++ ++ ++ JS::Evaluate(this->jsctx, options, routines, JS::MutableHandleValue(&rval)); + + // Add PAC to the environment +- JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval)); ++ JS::Evaluate(this->jsctx, options, pac_source, JS::MutableHandleValue(&rval)); + return; + } + error: +@@ -152,7 +167,7 @@ class mozjs_pacrunner : public pacrunner { + } + + ~mozjs_pacrunner() { +- if (this->jsac) delete this->jsac; ++ if (this->jsar) delete this->jsar; + if (this->jsglb) delete this->jsglb; + if (this->jsctx) JS_DestroyContext(this->jsctx); + JS_ShutDown(); +@@ -160,11 +175,9 @@ class mozjs_pacrunner : public pacrunner { + + string run(const url& url_) throw (bad_alloc) { + // Build arguments to the FindProxyForURL() function +- char *tmpurl = JS_strdup(this->jsctx, url_.to_string().c_str()); +- char *tmphost = JS_strdup(this->jsctx, url_.get_host().c_str()); ++ const char *tmpurl = url_.to_string().c_str(); ++ const char *tmphost = url_.get_host().c_str(); + if (!tmpurl || !tmphost) { +- if (tmpurl) JS_free(this->jsctx, tmpurl); +- if (tmphost) JS_free(this->jsctx, tmphost); + throw bad_alloc(); + } + JS::AutoValueArray<2> args(this->jsctx); +@@ -176,10 +189,13 @@ class mozjs_pacrunner : public pacrunner { + JS::RootedObject global(this->jsctx,this->jsglb->get()); + bool result = JS_CallFunctionName(this->jsctx, global, "FindProxyForURL", args, &rval); + if (!result) return ""; ++ if (!rval.isString()) ++ return ""; + +- char * tmpanswer = JS_EncodeString(this->jsctx, rval.toString()); ++ JS::RootedString s(this->jsctx, rval.toString()); ++ JS::UniqueChars chars = JS_EncodeStringToUTF8(this->jsctx, s); ++ const char *tmpanswer = chars.get(); + string answer = string(tmpanswer); +- JS_free(this->jsctx, tmpanswer); + + if (answer == "undefined") return ""; + return answer; +@@ -188,7 +204,7 @@ class mozjs_pacrunner : public pacrunner { + private: + JSContext *jsctx; + JS::Heap *jsglb; +- JSAutoCompartment *jsac; ++ JSAutoRealm *jsar; + }; + + PX_PACRUNNER_MODULE_EZ(mozjs, "JS_DefineFunction", "mozjs"); diff --git a/libproxy.spec b/libproxy.spec index 811fcf5..ecec23c 100644 --- a/libproxy.spec +++ b/libproxy.spec @@ -4,7 +4,7 @@ Name: libproxy Version: 0.4.15 -Release: 22%{?dist} +Release: 23%{?dist} Summary: A library handling all the details of proxy configuration License: LGPLv2+ @@ -23,6 +23,10 @@ Patch3: libproxy-0.4.15-mozjs52.patch Patch4: libproxy-0.4.15-mozjs60.patch # https://github.com/libproxy/libproxy/pull/106 Patch5: libproxy-0.4.15-python39.patch +# https://github.com/libproxy/libproxy/pull/109 +Patch6: libproxy-0.4.15-mozjs68.patch +# https://github.com/libproxy/libproxy/pull/118 +Patch7: libproxy-0.4.15-mozjs-use-after-free.patch BuildRequires: cmake >= 2.6.0 BuildRequires: gcc-c++ @@ -32,7 +36,7 @@ BuildRequires: libmodman-devel >= 2.0.1 # gnome BuildRequires: pkgconfig(gio-2.0) >= 2.26 # mozjs -BuildRequires: pkgconfig(mozjs-60) +BuildRequires: pkgconfig(mozjs-68) # NetworkManager BuildRequires: pkgconfig(libnm) # pacrunner (and NetworkManager) @@ -226,6 +230,10 @@ install -Dpm 0644 %{SOURCE1} %{buildroot}/%{_mandir}/man1/proxy.1 %changelog +* Tue Aug 04 2020 Frantisek Zatloukal - 0.4.15-23 +- build with mozjs68 +- backport use after free fix for mozjs backend + * Tue Aug 04 2020 Frantisek Zatloukal - 0.4.15-22 - Fix build by switching to cmake macros instead of make