From c4948ea0267ccd922d71b0cc2e98d1e3f33a43cb Mon Sep 17 00:00:00 2001 From: Myles Borins Date: Mon, 30 Apr 2018 13:39:33 -0400 Subject: [PATCH 1/9] Working on v6.14.3 PR-URL: https://github.com/nodejs/node/pull/19996 --- src/node_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/node_version.h b/src/node_version.h index 1bef707c808..17cbff6d345 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -3,12 +3,12 @@ #define NODE_MAJOR_VERSION 6 #define NODE_MINOR_VERSION 14 -#define NODE_PATCH_VERSION 2 +#define NODE_PATCH_VERSION 3 #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Boron" -#define NODE_VERSION_IS_RELEASE 1 +#define NODE_VERSION_IS_RELEASE 0 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n) From 6b6ea2007a2642c50243a67162f574efe26913bb Mon Sep 17 00:00:00 2001 From: John Barboza Date: Mon, 4 Jun 2018 06:19:09 -0700 Subject: [PATCH 2/9] add test case for help message --- test/parallel/test-help-message.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 test/parallel/test-help-message.js diff --git a/test/parallel/test-help-message.js b/test/parallel/test-help-message.js new file mode 100644 index 00000000000..ce13b0f8d74 --- /dev/null +++ b/test/parallel/test-help-message.js @@ -0,0 +1,14 @@ +'use strict'; +const common = require('../common'); + +const assert = require('assert'); +const exec = require('child_process').exec; + +const cmd = `${process.execPath} --help | grep "Usage: node"` + +exec(cmd, common.mustCall((error, stdout, stderr) => { + assert.strictEqual(stderr, ''); + + // omitting trailing whitespace and \n + assert.strictEqual(stdout.replace(/\s+$/, '').startsWith("Usage: node"), true); +})); From 4abedc5b0fdfdb64d8b9d9f9b6aa2f11c2977d54 Mon Sep 17 00:00:00 2001 
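Review bot: The new test interpolates `process.execPath` into the command string handed to `exec`, so an install path containing spaces or shell metacharacters breaks or alters the command, and the `| grep` stage ties the test to a POSIX shell. `error` is never asserted, and with the pipe in place the exit status the callback sees is that of the last pipeline stage, not of node. Spawning the binary with `execFile` and matching the usage line in JavaScript removes the shell entirely. The double-quoted strings and the missing semicolon after the `cmd` template literal will probably also trip the project's linter.

```javascript
const execFile = require('child_process').execFile;

// No shell involved: execPath needs no quoting and grep is not required.
execFile(process.execPath, ['--help'],
         common.mustCall((error, stdout, stderr) => {
           assert.ifError(error);
           assert.strictEqual(stderr, '');
           assert.ok(/^Usage: node/m.test(stdout));
         }));
```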
From: John Barboza Date: Tue, 5 Jun 2018 05:23:57 -0700 Subject: [PATCH 3/9] clear revents before calling next poll --- deps/uv/src/unix/os390-syscalls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deps/uv/src/unix/os390-syscalls.c b/deps/uv/src/unix/os390-syscalls.c index fe23ee9ff81..c3eeb409aa6 100644 --- a/deps/uv/src/unix/os390-syscalls.c +++ b/deps/uv/src/unix/os390-syscalls.c @@ -278,6 +278,7 @@ int epoll_ctl(uv__os390_epoll* lst, return -1; } lst->items[fd].events = event->events; + lst->items[fd].revents = 0; } else abort(); @@ -311,6 +312,7 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, ev.fd = pfds[i].fd; ev.events = pfds[i].revents; + pfds[i].revents = 0; events[reventcount++] = ev; } From 984c2d20c0b9de00478c9892cfd62ae2351fa732 Mon Sep 17 00:00:00 2001 From: John Barboza Date: Tue, 5 Jun 2018 06:44:13 -0700 Subject: [PATCH 4/9] _SET_FDS_MSGS macro doesn't return anything --- deps/uv/src/unix/os390-syscalls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/uv/src/unix/os390-syscalls.c b/deps/uv/src/unix/os390-syscalls.c index c3eeb409aa6..d09f9d65038 100644 --- a/deps/uv/src/unix/os390-syscalls.c +++ b/deps/uv/src/unix/os390-syscalls.c @@ -294,7 +294,7 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, int pollret; int reventcount; - size = _SET_FDS_MSGS(size, 1, lst->size - 1); + _SET_FDS_MSGS(size, 1, lst->size - 1); pfds = lst->items; pollret = poll(pfds, size, timeout); if (pollret <= 0) From f7f4ec5769a966aa95e47b20672c52a8ab903eb3 Mon Sep 17 00:00:00 2001 From: John Barboza Date: Tue, 5 Jun 2018 06:53:21 -0700 Subject: [PATCH 5/9] return value from poll indicates total number of triggered events --- deps/uv/src/unix/os390-syscalls.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/deps/uv/src/unix/os390-syscalls.c b/deps/uv/src/unix/os390-syscalls.c index d09f9d65038..29ca55f2527 100644 --- a/deps/uv/src/unix/os390-syscalls.c 
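Review bot: Neither added `revents = 0` store (the EPOLL_CTL_MOD branch of epoll_ctl and the scan loop of epoll_wait) says why it is needed. A POSIX poll() rewrites `revents` for every entry on each call, so a reader cannot tell which stale value this guards against on this platform. A one-line comment at each site naming the case where a previous result would otherwise survive into the next poll would settle that. In epoll_wait the store goes through `pfds`, which another patch in this series shows to be `lst->items`, so it modifies list state that epoll_ctl changes under `global_epoll_lock`. No lock is visible in the epoll_wait hunks, so the comment should also state whether callers are expected to serialise the two functions.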
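Review bot: After this change `size` is written only as a side effect of `_SET_FDS_MSGS`, which is not obvious at the call site and makes the variable look uninitialised when it reaches `poll(pfds, size, timeout)`. A comment would make that explicit, e.g. `/* macro stores into size: 1 message queue, lst->size - 1 descriptors */`. The argument meaning is presumed from the macro name and the `_NFDS`/`_NMSGS` calls elsewhere in epoll_wait, so confirm it against the platform header. If the macro packs both counts into fixed-width fields of `size`, `lst->size - 1` should also be range-checked before the call so a large list cannot spill into the message count. epoll_wait's body continues outside the hunk.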
+++ b/deps/uv/src/unix/os390-syscalls.c @@ -293,6 +293,7 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, struct pollfd* pfds; int pollret; int reventcount; + int nevents; _SET_FDS_MSGS(size, 1, lst->size - 1); pfds = lst->items; @@ -303,6 +304,7 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, pollret = _NFDS(pollret) + _NMSGS(pollret); reventcount = 0; + nevents = 0; for (int i = 0; i < lst->size && i < maxevents && reventcount < pollret; ++i) { struct epoll_event ev; @@ -312,11 +314,16 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, ev.fd = pfds[i].fd; ev.events = pfds[i].revents; + if (pfds[i].revents & POLLIN && pfds[i].revents & POLLOUT) + reventcount += 2; + else if (pfds[i].revents & (POLLIN | POLLOUT)) + ++reventcount; + pfds[i].revents = 0; - events[reventcount++] = ev; + events[nevents++] = ev; } - return reventcount; + return nevents; } From f23cdc8fc3940653673057fe3ab394827a08952f Mon Sep 17 00:00:00 2001 From: John Barboza Date: Tue, 5 Jun 2018 07:03:27 -0700 Subject: [PATCH 6/9] avoid clobbering msg queue entry with EPOLL_CTL_MOD --- deps/uv/src/unix/os390-syscalls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/uv/src/unix/os390-syscalls.c b/deps/uv/src/unix/os390-syscalls.c index 29ca55f2527..0f8e11ea2ca 100644 --- a/deps/uv/src/unix/os390-syscalls.c +++ b/deps/uv/src/unix/os390-syscalls.c @@ -272,7 +272,7 @@ int epoll_ctl(uv__os390_epoll* lst, lst->items[fd].events = event->events; lst->items[fd].revents = 0; } else if (op == EPOLL_CTL_MOD) { - if (fd >= lst->size || lst->items[fd].fd == -1) { + if (fd >= lst->size - 1 || lst->items[fd].fd == -1) { uv_mutex_unlock(&global_epoll_lock); errno = ENOENT; return -1; From aead219d6d233725466e3a94aa51b393a7b3e331 Mon Sep 17 00:00:00 2001 
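Review bot: The loop header still has `i < maxevents`, which limits the scan index rather than the number of entries written. Now that output goes through `events[nevents++]`, a ready descriptor stored at an index at or above `maxevents` is never reported. Bounding the output count instead keeps `events` within its capacity and lets the scan reach the whole list: `for (int i = 0; i < lst->size && nevents < maxevents && reventcount < pollret; ++i) {`. Separately, the early-exit counter adds 2 for POLLIN together with POLLOUT and nothing for entries carrying only other bits, so it matches `pollret` only if this platform's poll() counts that way, as the commit subject says; a comment recording that assumption would help. epoll_wait's body starts and ends outside these hunks.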
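Review bot: The tightened EPOLL_CTL_MOD check still has no lower bound, so a negative `fd` passes `fd >= lst->size - 1` as false and reaches `lst->items[fd]`, an out-of-bounds read. This assumes `fd` and `lst->size` are signed and that `fd` is not rejected earlier in epoll_ctl, which is outside the hunk. `if (fd < 0 || fd >= lst->size - 1 || lst->items[fd].fd == -1) {` closes that. The `- 1` is also unexplained in the code; going by the commit subject the last slot holds the message-queue entry, and a comment saying so would keep the bound from being "corrected" back later. Only the MOD branch is visible here, so whether the other branches index `items` with the same bound could not be checked.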
From: John Barboza Date: Mon, 11 Jun 2018 06:13:41 -0700 Subject: [PATCH 7/9] store pointer instead of using array reference all over the place --- deps/uv/src/unix/os390-syscalls.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/deps/uv/src/unix/os390-syscalls.c b/deps/uv/src/unix/os390-syscalls.c index 0f8e11ea2ca..7974abdc97b 100644 --- a/deps/uv/src/unix/os390-syscalls.c +++ b/deps/uv/src/unix/os390-syscalls.c @@ -308,18 +308,20 @@ int epoll_wait(uv__os390_epoll* lst, struct epoll_event* events, for (int i = 0; i < lst->size && i < maxevents && reventcount < pollret; ++i) { struct epoll_event ev; + struct pollfd* pfd; - if (pfds[i].fd == -1 || pfds[i].revents == 0) + pfd = &pfds[i]; + if (pfd->fd == -1 || pfd->revents == 0) continue; - ev.fd = pfds[i].fd; - ev.events = pfds[i].revents; - if (pfds[i].revents & POLLIN && pfds[i].revents & POLLOUT) + ev.fd = pfd->fd; + ev.events = pfd->revents; + if (pfd->revents & POLLIN && pfd->revents & POLLOUT) reventcount += 2; - else if (pfds[i].revents & (POLLIN | POLLOUT)) + else if (pfd->revents & (POLLIN | POLLOUT)) ++reventcount; - pfds[i].revents = 0; + pfd->revents = 0; events[nevents++] = ev; } From 7dbcfc62174bab7b547cd88e0385517e689891ad Mon Sep 17 00:00:00 2001 
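Review bot: Since this commit is about readability, the two-part test `pfd->revents & POLLIN && pfd->revents & POLLOUT` is worth tidying too. It is correct only because `&` binds tighter than `&&`, and compilers commonly warn about that mix. `if ((pfd->revents & (POLLIN | POLLOUT)) == (POLLIN | POLLOUT))` says the same thing in one comparison. The pointer could also be initialised at its declaration, `struct pollfd* pfd = &pfds[i];`, which fits the C99 style the loop already uses with `for (int i = 0; ...`. The loop begins in the hunk but epoll_wait itself starts outside it.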
From: =?UTF-8?q?=D0=A1=D0=BA=D0=BE=D0=B2=D0=BE=D1=80=D0=BE=D0=B4=D0=B0=20?= =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=90=D0=BD=D0=B4=D1=80?= =?UTF-8?q?=D0=B5=D0=B5=D0=B2=D0=B8=D1=87?= Date: Tue, 24 Apr 2018 15:59:18 +0300 Subject: [PATCH 8/9] src: avoid hanging on Buffer#fill 0-length input Previously, zero-length Buffers and TypedArrays passed as fillers hanged Buffer#fill and Buffer.from. This changes those cases when it hanged to a zero-fill instead, which should be backwards compatible. This fixes CVE-2018-7167. PR-URL: https://github.com/nodejs-private/node-private/pull/121 Fixes: https://github.com/nodejs-private/security/issues/193 Refs: https://github.com/nodejs-private/node-private/pull/118 Reviewed-By: Ben Noordhuis Reviewed-By: Tiancheng "Timothy" Gu Reviewed-By: Evan Lucas Reviewed-By: Michael Dawson --- src/node_buffer.cc | 6 ++++++ test/parallel/test-buffer-alloc-is-filled.js | 20 ++++++++++++++++++++ test/parallel/test-buffer-fill.js | 16 ++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 test/parallel/test-buffer-alloc-is-filled.js diff --git a/src/node_buffer.cc b/src/node_buffer.cc index da838e8bb05..9c46cf291d9 100644 --- a/src/node_buffer.cc +++ b/src/node_buffer.cc @@ -654,6 +654,12 @@ void Fill(const FunctionCallbackInfo& args) { size_t in_there = str_length; char* ptr = ts_obj_data + start + str_length; + if (in_there == 0) { + // Just use zero-fill if the input was empty + memset(ts_obj_data + start, 0, fill_length); + return; + } + while (in_there < fill_length - in_there) { memcpy(ptr, ts_obj_data + start, in_there); ptr += in_there; diff --git a/test/parallel/test-buffer-alloc-is-filled.js b/test/parallel/test-buffer-alloc-is-filled.js new file mode 100644 index 00000000000..bd6bdb6f29f --- /dev/null +++ b/test/parallel/test-buffer-alloc-is-filled.js 
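Review bot: The comment on the new guard says what happens but not why it is needed. With `in_there == 0` the copy loop below does a zero-byte `memcpy` and `ptr += 0`, so it can make no progress, which is the hang this commit fixes. I would spell that out, e.g. `// A zero-length seed can never grow in the copy loop below, so zero-fill and return instead of spinning.` The loop condition `in_there < fill_length - in_there` subtracts two `size_t` values, so it also relies on `str_length <= fill_length` being established before this point. That code is outside the hunk, and a comment or assertion stating the invariant next to the guard would make it checkable.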
@@ -0,0 +1,20 @@ +'use strict'; + +require('../common'); +const assert = require('assert'); + +for (const fill of [ + '', + [], + Buffer.from(''), + new Uint8Array(0), + { toString: () => '' }, + { toString: () => '', length: 10 } +]) { + for (let i = 0; i < 50; i++) { + const buf = Buffer.alloc(100, fill); + assert.strictEqual(buf.length, 100); + for (let n = 0; n < buf.length; n++) + assert.strictEqual(buf[n], 0); + } +} diff --git a/test/parallel/test-buffer-fill.js b/test/parallel/test-buffer-fill.js index b4c7e2f139c..bee4efafe4d 100644 --- a/test/parallel/test-buffer-fill.js +++ b/test/parallel/test-buffer-fill.js @@ -319,6 +319,22 @@ Buffer.alloc(8, ''); assert.strictEqual(buf.toString(), 'էէէէէ'); } +{ + for (const fill of [ + '', + [], + Buffer.from(''), + new Uint8Array(0), + { toString: () => '' }, + { toString: () => '', length: 10 } + ]) { + assert.deepStrictEqual( + Buffer.alloc(10, 'abc').fill(fill), + Buffer.alloc(10) + ); + } +} + // Testing public API. Make sure "start" is properly checked, even if it's // magically mangled using Symbol.toPrimitive. { From 8c9f0d0fb4c3b8625c4b7a2ec654655fe9a67c92 Mon Sep 17 00:00:00 2001 From: Evan Lucas Date: Mon, 11 Jun 2018 18:35:05 -0500 Subject: [PATCH 9/9] 2018-06-12, Version 6.14.3 (LTS) Notable changes: * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang PR-URL: https://github.com/nodejs-private/node-private/pull/134 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V6.md | 27 ++++++++++++++++++++------- src/node_version.h | 2 +- 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 005ada53c86..fbe9766712c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,7 +26,8 @@ release. -6.14.2
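Review bot: The cases added to test-buffer-fill.js only cover a whole-buffer fill, while the fix in src/node_buffer.cc zeroes `fill_length` bytes starting at `ts_obj_data + start`, so the offset arithmetic of the new path is untested. A ranged call such as `Buffer.alloc(10, 'abc').fill(fill, 2, 5)`, asserting that bytes 2–4 are zero and the bytes outside that range keep their `abc` pattern, would pin it. The same list of empty fillers appears in test-buffer-alloc-is-filled.js, where the reason for the 50 repetitions is not stated. A short comment in both places naming the hang being guarded against would help whoever next sees these tests time out.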
+6.14.3
+6.14.2
6.14.1
6.14.0
6.13.1
diff --git a/doc/changelogs/CHANGELOG_V6.md b/doc/changelogs/CHANGELOG_V6.md index 5b1a998e3f6..766b3718d38 100644 --- a/doc/changelogs/CHANGELOG_V6.md +++ b/doc/changelogs/CHANGELOG_V6.md @@ -7,6 +7,7 @@ +6.14.3
6.14.2
6.14.1
6.14.0
@@ -63,6 +64,18 @@ [Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and will be supported actively until April 2018 and maintained until April 2019. + +## 2018-06-12, Version 6.14.3 'Boron' (LTS), @evanlucas + +### Notable Changes + +* **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang + +### Commits + +* [[`7dbcfc6217`](https://github.com/nodejs/node/commit/7dbcfc6217)] - **src**: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) [nodejs-private/node-private#121](https://github.com/nodejs-private/node-private/pull/121) + + ## 2018-04-30, Version 6.14.2 'Boron' (LTS), @MylesBorins @@ -412,13 +425,13 @@ This LTS release comes with 112 commits, 17 of which are considered Semver-Minor - more robust stringification for unhandled rejections (Timothy Gu) [#13784](https://github.com/nodejs/node/pull/13784) * **repl**: - improve require() autocompletion (Alexey Orlenko) [#14409](https://github.com/nodejs/node/pull/14409) -* **src**: +* **src**: - add openssl-system-ca-path configure option (Daniel Bevenius) [#16790](https://github.com/nodejs/node/pull/16790) - add --use-bundled-ca --use-openssl-ca check (Daniel Bevenius) [#12087](https://github.com/nodejs/node/pull/12087) - add process.ppid (cjihrig) [#16839](https://github.com/nodejs/node/pull/16839) * **tls**: - accept `lookup` option for `tls.connect()` (Fedor Indutny) [#12839](https://github.com/nodejs/node/pull/12839) -* **tools, build**: +* **tools, build**: - a new macOS installer! (JP Wesselink) [#15179](https://github.com/nodejs/node/pull/15179) * **url**: - WHATWG URL api support (James M Snell) [#7448](https://github.com/nodejs/node/pull/7448) 
@@ -892,7 +905,7 @@ This LTS release comes with 263 commits. This includes 173 which are test relate * [[`4c98e07702`](https://github.com/nodejs/node/commit/4c98e07702)] - **test**: fixtures in test-net-pipe-connect-errors (Eric Freiberg) [#15922](https://github.com/nodejs/node/pull/15922) * [[`244bfb398d`](https://github.com/nodejs/node/commit/244bfb398d)] - **test**: fixtures in test-process-redirect-warnings-env (Kat Rosario) [#15930](https://github.com/nodejs/node/pull/15930) * [[`18479d3cff`](https://github.com/nodejs/node/commit/18479d3cff)] - **test**: fix ordering of strictEqual actual/expected (Chad Zezula) [#16008](https://github.com/nodejs/node/pull/16008) -* [[`66fd6a1409`](https://github.com/nodejs/node/commit/66fd6a1409)] - **test**: use fixtures.readSync (szhang351) +* [[`66fd6a1409`](https://github.com/nodejs/node/commit/66fd6a1409)] - **test**: use fixtures.readSync (szhang351) * [[`6d33564b1a`](https://github.com/nodejs/node/commit/6d33564b1a)] - **test**: replaced fixturesDir with common.fixtures (Dolapo Toki) [#15836](https://github.com/nodejs/node/pull/15836) * [[`a6f04bec9e`](https://github.com/nodejs/node/commit/a6f04bec9e)] - **test**: use fixtures.fixturesDir (Gene Wu) [#15822](https://github.com/nodejs/node/pull/15822) * [[`2103453977`](https://github.com/nodejs/node/commit/2103453977)] - **test**: replaces fixturesDir with fixtures methods (Christian Murphy) [#15817](https://github.com/nodejs/node/pull/15817) 
@@ -1002,7 +1015,7 @@ This release includes a security update to openssl that has been deemed low seve * **process**: - add --redirect-warnings command line argument (James M Snell) [#10116](https://github.com/nodejs/node/pull/10116) * **src**: - - allow CLI args in env with NODE_OPTIONS (Sam Roberts) [#12028](https://github.com/nodejs/node/pull/12028) + - allow CLI args in env with NODE_OPTIONS (Sam Roberts) [#12028](https://github.com/nodejs/node/pull/12028) - --abort-on-uncaught-exception in NODE_OPTIONS (Sam Roberts) [#13932](https://github.com/nodejs/node/pull/13932) - allow --tls-cipher-list in NODE_OPTIONS (Sam Roberts) [#13172](https://github.com/nodejs/node/pull/13172) - use SafeGetenv() for NODE_REDIRECT_WARNINGS (Sam Roberts) [#12677](https://github.com/nodejs/node/pull/12677) 
@@ -1088,7 +1101,7 @@ This release includes a security update to openssl that has been deemed low seve * [[`b166837551`](https://github.com/nodejs/node/commit/b166837551)] - **src,etw**: fix event 9 on 64 bit Windows (João Reis) [#15563](https://github.com/nodejs/node/pull/15563) * [[`18987794bd`](https://github.com/nodejs/node/commit/18987794bd)] - **test**: move test-cluster-debug-port to sequential (Oleksandr Kushchak) [#16292](https://github.com/nodejs/node/pull/16292) * [[`1fdbaed2f2`](https://github.com/nodejs/node/commit/1fdbaed2f2)] - **test**: begin normalizing fixtures use (James M Snell) [#14332](https://github.com/nodejs/node/pull/14332) -* [[`3ad6a9dfc4`](https://github.com/nodejs/node/commit/3ad6a9dfc4)] - **test**: remove assert message (Joe Henry) +* [[`3ad6a9dfc4`](https://github.com/nodejs/node/commit/3ad6a9dfc4)] - **test**: remove assert message (Joe Henry) * [[`58509ec471`](https://github.com/nodejs/node/commit/58509ec471)] - **test**: clarify assert messages in crypto tests (cpandrews8) [#16019](https://github.com/nodejs/node/pull/16019) * [[`ab7f43aa41`](https://github.com/nodejs/node/commit/ab7f43aa41)] - **test**: include expected result in error messages (Chowdhurian) [#16039](https://github.com/nodejs/node/pull/16039) * [[`342ac9f0c6`](https://github.com/nodejs/node/commit/342ac9f0c6)] - **test**: cleanup test-buffer-sharedarraybuffer (Rafal Leszczynski) [#15896](https://github.com/nodejs/node/pull/15896) @@ -1161,7 +1174,7 @@ This LTS release comes with 91 commits. This includes 29 which are test related, ### Notable Changes -* **net**: +* **net**: - support passing undefined to listen() to match behavior in v4.x and v8.x (Sam Roberts) [#14234](https://github.com/nodejs/node/pull/14234) ### Commits 
@@ -1247,7 +1260,7 @@ This LTS release comes with 91 commits. This includes 29 which are test related, * [[`c88f99f1f3`](https://github.com/nodejs/node/commit/c88f99f1f3)] - **test**: improvements to various http tests (James M Snell) [#14315](https://github.com/nodejs/node/pull/14315) * [[`860c6198c0`](https://github.com/nodejs/node/commit/860c6198c0)] - **test**: use ciphers supported by shared OpenSSL (Jérémy Lal) [#14566](https://github.com/nodejs/node/pull/14566) * [[`8b9a05c04b`](https://github.com/nodejs/node/commit/8b9a05c04b)] - **test**: read proper inspector message size (Bartosz Sosnowski) [#14596](https://github.com/nodejs/node/pull/14596) -* [[`86497f1acc`](https://github.com/nodejs/node/commit/86497f1acc)] - **test**: mark inspector-port-zero-cluster as flaky (Refael Ackermann) +* [[`86497f1acc`](https://github.com/nodejs/node/commit/86497f1acc)] - **test**: mark inspector-port-zero-cluster as flaky (Refael Ackermann) * [[`8dfc2838c8`](https://github.com/nodejs/node/commit/8dfc2838c8)] - **test**: fix test-readline-interface (Azard) [#14677](https://github.com/nodejs/node/pull/14677) * [[`3a6392b283`](https://github.com/nodejs/node/commit/3a6392b283)] - **tls**: fix empty issuer/subject/infoAccess parsing (Ben Noordhuis) [#14473](https://github.com/nodejs/node/pull/14473) * [[`37dd2adbac`](https://github.com/nodejs/node/commit/37dd2adbac)] - **tools**: fix linter error in html.js (Michaël Zasso) [#15063](https://github.com/nodejs/node/pull/15063) diff --git a/src/node_version.h b/src/node_version.h index 17cbff6d345..31005e20311 100644 --- a/src/node_version.h +++ b/src/node_version.h @@ -8,7 +8,7 @@ #define NODE_VERSION_IS_LTS 1 #define NODE_VERSION_LTS_CODENAME "Boron" -#define NODE_VERSION_IS_RELEASE 0 +#define NODE_VERSION_IS_RELEASE 1 #ifndef NODE_STRINGIFY #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)