src: prepare for v8 sandboxing #58376
Open
+61
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
c++
jasnell
force-pushed
the
jasnell/some-v8-sandbox-preparations
branch
from
d21804d to
474cba4
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
jasnell
force-pushed
the
jasnell/some-v8-sandbox-preparations
branch
from
474cba4 to
fd4f0e7
Compare
This comment was marked as outdated.
This comment was marked as outdated.
anonrig
approved these changes
May 18, 2025
legendecas
approved these changes
May 18, 2025
addaleax
reviewed
May 18, 2025
src/crypto/crypto_util.cc
Outdated
| std::unique_ptr<BackingStore> ptr = ArrayBuffer::NewBackingStore( | ||
| allocated_data_, | ||
| size(), | ||
| [](void* data, size_t length, void* deleter_data) { | ||
| OPENSSL_clear_free(deleter_data, length); | ||
| }, allocated_data_); | ||
| #endif |
There was a problem hiding this comment.
This looks like it would be a good idea to add a helper to e.g. util.h that switches between the two variants in a single location rather than having #ifdefs for every call, no?
There was a problem hiding this comment.
Likely yes. I'm wanting to minimize the individual changes in this PR so we can make sure they are correct, but then we can likely extract out some utilities (maybe in node_buffer.h) that handle this in a more general way separately. That can be done separately I think?
jasnell
force-pushed
the
jasnell/some-v8-sandbox-preparations
branch
from
fd4f0e7 to
d9af9b2
Compare
This comment was marked as outdated.
This comment was marked as outdated.
anonrig
approved these changes
May 19, 2025
This comment was marked as outdated.
This comment was marked as outdated.
jasnell
added
the
author ready
joyeecheung
reviewed
May 19, 2025
Comment on lines
+668
to
+676
| // The v8 sandbox is enabled, so we cannot use the secure heap because | ||
| // the sandbox requires that all array buffers be allocated via the isolate. | ||
| // That is fundamentally incompatible with the secure heap which allocates | ||
| // in openssl's secure heap area. Instead we'll just throw an error here. | ||
| // | ||
| // That said, we really shouldn't get here in the first place since the | ||
| // option to enable the secure heap is only available when the sandbox | ||
| // is disabled. | ||
| THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env); |
There was a problem hiding this comment.
I think this should just be
Suggested change
| // The v8 sandbox is enabled, so we cannot use the secure heap because | |
| // the sandbox requires that all array buffers be allocated via the isolate. | |
| // That is fundamentally incompatible with the secure heap which allocates | |
| // in openssl's secure heap area. Instead we'll just throw an error here. | |
| // | |
| // That said, we really shouldn't get here in the first place since the | |
| // option to enable the secure heap is only available when the sandbox | |
| // is disabled. | |
| THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env); | |
| // Secure heap is only available when the sandbox is disabled. | |
| UNREACHABLE(); |
| auto backing = ArrayBuffer::NewBackingStore( | ||
| env->isolate(), | ||
| data.size(), | ||
| BackingStoreInitializationMode::kUninitialized); |
There was a problem hiding this comment.
Should these use the default BackingStoreOnFailureMode::kOutOfMemory? I think previously the caller would throw catchable errors instead of memory allocation on the OpenSSL side fails. Now this would just crash.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When the v8 sandbox is enabled (possibly at some point in the future) all ArrayBuffer allocations must be done within the isolate. Externally allocated backing stores are not permitted. This starts to prepare for that by adding some compile time branches to copy some external buffers rather than wrapping them. We also disable the
--secure-heapfeature since that fundamentally doesn't make sense and can't be supported with v8 sandbox enabled.This PR cannot yet include additional tests for the new branches largely because we cannot yet build node with v8 sandbox enabled.