put the embedded blob code to the .openbsd.mutable section and

mprotect it RX to support x-only idea from deraadt@, diff from kettenis@
2023-01-28 12:46:46 +00:00 · 2023-01-28 12:46:46 +00:00 · 2aba169072
parent d98818c95d
commit 2aba169072
6 changed files with 108 additions and 4 deletions
--- a/lang/node/Makefile
+++ b/lang/node/Makefile
@ -2,9 +2,6 @@ ONLY_FOR_ARCHS =	amd64 aarch64 i386 powerpc64 riscv64
 DPB_PROPERTIES =	parallel

 USE_WXNEEDED =		Yes
-.if ${MACHINE_ARCH} == amd64 || ${MACHINE_ARCH} == riscv64
-USE_NOEXECONLY =	Yes
-.endif

 COMMENT = JavaScript runtime built on Chrome's V8 JavaScript engine

@ -13,7 +10,7 @@ PLEDGE_VER =		1.1.3
 DISTFILES =		node-pledge-{}${PLEDGE_VER}.tar.gz:0 \
 			${DISTNAME}-headers.tar.gz \
 			${DISTNAME}.tar.xz
-REVISION =		1
+REVISION =		2

 DISTNAME =		node-${NODE_VERSION}
 PKGNAME =		${DISTNAME:S/v//g}
--- a/lang/node/patches/patch-deps_v8_src_execution_isolate_cc
+++ b/lang/node/patches/patch-deps_v8_src_execution_isolate_cc
@ -0,0 +1,26 @@
+Index: deps/v8/src/execution/isolate.cc
+--- deps/v8/src/execution/isolate.cc.orig
+++ deps/v8/src/execution/isolate.cc
+@@ -141,6 +141,10 @@
+ #include "src/execution/simulator-base.h"
+ #endif
+ 
+#if defined(V8_OS_OPENBSD)
+#include <sys/mman.h>
+#endif
+
+ extern "C" const uint8_t* v8_Default_embedded_blob_code_;
+ extern "C" uint32_t v8_Default_embedded_blob_code_size_;
+ extern "C" const uint8_t* v8_Default_embedded_blob_data_;
+@@ -3682,6 +3686,11 @@ void Isolate::InitializeDefaultEmbeddedBlob() {
+   uint32_t code_size = DefaultEmbeddedBlobCodeSize();
+   const uint8_t* data = DefaultEmbeddedBlobData();
+   uint32_t data_size = DefaultEmbeddedBlobDataSize();
+
+#if defined(V8_OS_OPENBSD)
+  mprotect(reinterpret_cast<void *>(const_cast<uint8_t *>(code)),
+          code_size, PROT_READ | PROT_EXEC);
+#endif
+ 
+   if (StickyEmbeddedBlobCode() != nullptr) {
+     base::MutexGuard guard(current_embedded_blob_refcount_mutex_.Pointer());
--- a/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-base_cc
+++ b/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-base_cc
@ -0,0 +1,12 @@
+Index: deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.cc
+--- deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.cc.orig
+++ deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.cc
+@@ -143,6 +143,8 @@ EmbeddedTargetOs ToEmbeddedTargetOs(const char* s) {
+     return EmbeddedTargetOs::kWin;
+   } else if (string == "starboard") {
+     return EmbeddedTargetOs::kStarboard;
+  } else if (string == "openbsd") {
+    return EmbeddedTargetOs::kOpenBSD;
+   } else {
+     return EmbeddedTargetOs::kGeneric;
+   }
--- a/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-base_h
+++ b/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-base_h
@ -0,0 +1,11 @@
+Index: deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.h
+--- deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.h.orig
+++ deps/v8/src/snapshot/embedded/platform-embedded-file-writer-base.h
+@@ -33,6 +33,7 @@ enum class EmbeddedTargetOs {
+   kMac,
+   kWin,
+   kStarboard,
+  kOpenBSD,
+   kGeneric,  // Everything not covered above falls in here.
+ };
+ 
--- a/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-generic_cc
+++ b/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-generic_cc
@ -0,0 +1,47 @@
+Index: deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.cc
+--- deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.cc.orig
+++ deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.cc
+@@ -10,6 +10,10 @@
+ #include "src/common/globals.h"
+ #include "src/objects/code.h"
+ 
+#if V8_OS_OPENBSD
+#include <sys/param.h>
+#endif
+
+ namespace v8 {
+ namespace internal {
+ 
+@@ -36,6 +40,8 @@ const char* DirectiveAsString(DataDirective directive)
+ void PlatformEmbeddedFileWriterGeneric::SectionText() {
+   if (target_os_ == EmbeddedTargetOs::kChromeOS) {
+     fprintf(fp_, ".section .text.hot.embedded\n");
+  } else if (target_os_ == EmbeddedTargetOs::kOpenBSD) {
+    fprintf(fp_, ".section .openbsd.mutable,\"a\"\n");
+   } else {
+     fprintf(fp_, ".section .text\n");
+   }
+@@ -74,7 +80,9 @@ void PlatformEmbeddedFileWriterGeneric::DeclareSymbolG
+ }
+ 
+ void PlatformEmbeddedFileWriterGeneric::AlignToCodeAlignment() {
+-#if V8_TARGET_ARCH_X64
+#if V8_OS_OPENBSD
+  fprintf(fp_, ".balign %d\n", PAGE_SIZE);
+#elif V8_TARGET_ARCH_X64
+   // On x64 use 64-bytes code alignment to allow 64-bytes loop header alignment.
+   STATIC_ASSERT(64 >= kCodeAlignment);
+   fprintf(fp_, ".balign 64\n");
+@@ -96,6 +104,12 @@ void PlatformEmbeddedFileWriterGeneric::AlignToDataAli
+   // load target to be aligned at 8 bytes (2^3).
+   STATIC_ASSERT(8 >= Code::kMetadataAlignment);
+   fprintf(fp_, ".balign 8\n");
+}
+
+void PlatformEmbeddedFileWriterGeneric::PaddingAfterCode() {
+#if V8_OS_OPENBSD
+  fprintf(fp_, ".balign %d\n", PAGE_SIZE);
+#endif
+ }
+ 
+ void PlatformEmbeddedFileWriterGeneric::Comment(const char* string) {
--- a/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-generic_h
+++ b/lang/node/patches/patch-deps_v8_src_snapshot_embedded_platform-embedded-file-writer-generic_h
@ -0,0 +1,11 @@
+Index: deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.h
+--- deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.h.orig
+++ deps/v8/src/snapshot/embedded/platform-embedded-file-writer-generic.h
+@@ -28,6 +28,7 @@ class PlatformEmbeddedFileWriterGeneric
+   void SectionRoData() override;
+ 
+   void AlignToCodeAlignment() override;
+  void PaddingAfterCode() override;
+   void AlignToDataAlignment() override;
+ 
+   void DeclareUint32(const char* name, uint32_t value) override;