Update to 20.12.1 for fix CVE-2024-27982,CVE-2024-27983,CVE-2024-30260 and CVE-2024-30261

(cherry picked from commit b51d0c45f1acabe35ab3ed9a37029e8c4bcbb7b6)
2024-09-18 15:34:12 +08:00 · 2024-09-18 15:34:12 +08:00 · b75ca91982
commit b75ca91982
parent 51e2fa3a87
5 changed files with 23 additions and 212 deletions
--- a/0002-Revert-deps-V8-tagged.patch
+++ b/0002-Revert-deps-V8-tagged.patch
@ -1,141 +0,0 @@
 From 1dd706c8c473b31bcef269d6ecde6fc72200ce89 Mon Sep 17 00:00:00 2001
 From: Eustace <eusteuc@outlook.com>
 Date: Mon, 18 Mar 2024 09:31:46 +0800
 Subject: [PATCH] Revert "deps: V8: cherry-pick 13192d6e10fa"
 "Tagged" is at an unfinished state here yet.
 This reverts commit bc2ebb972b34f54e042de9636e7451d2526436a9.
 ---
 deps/v8/src/builtins/riscv/builtins-riscv.cc     |  2 +-
 deps/v8/src/codegen/riscv/assembler-riscv-inl.h  | 16 ++++++++--------
 deps/v8/src/codegen/riscv/assembler-riscv.h      |  2 +-
 deps/v8/src/execution/riscv/simulator-riscv.cc   |  8 ++++----
 .../regexp/riscv/regexp-macro-assembler-riscv.cc |  2 +-
 5 files changed, 15 insertions(+), 15 deletions(-)
 diff --git a/deps/v8/src/builtins/riscv/builtins-riscv.cc b/deps/v8/src/builtins/riscv/builtins-riscv.cc
 index d6091434b9..3404562785 100644
 --- a/deps/v8/src/builtins/riscv/builtins-riscv.cc
 +++ b/deps/v8/src/builtins/riscv/builtins-riscv.cc
@@ -1512,7 +1512,7 @@ static void Generate_InterpreterEnterBytecode(MacroAssembler* masm) {
   // Set the return address to the correct point in the interpreter entry
   // trampoline.
   Label builtin_trampoline, trampoline_loaded;
 -  Tagged<Smi> interpreter_entry_return_pc_offset(
 +  Smi interpreter_entry_return_pc_offset(
       masm->isolate()->heap()->interpreter_entry_return_pc_offset());
   DCHECK_NE(interpreter_entry_return_pc_offset, Smi::zero());
 diff --git a/deps/v8/src/codegen/riscv/assembler-riscv-inl.h b/deps/v8/src/codegen/riscv/assembler-riscv-inl.h
 index ca6d641e2c..55f191e6af 100644
 --- a/deps/v8/src/codegen/riscv/assembler-riscv-inl.h
 +++ b/deps/v8/src/codegen/riscv/assembler-riscv-inl.h
@@ -128,9 +128,9 @@ Handle<HeapObject> Assembler::compressed_embedded_object_handle_at(
 }
 void Assembler::deserialization_set_special_target_at(
 -    Address instruction_payload, Tagged<Code> code, Address target) {
 +    Address instruction_payload, Code code, Address target) {
   set_target_address_at(instruction_payload,
 -                        !code.is_null() ? code->constant_pool() : kNullAddress,
 +                        !code.is_null() ? code.constant_pool() : kNullAddress,
                         target);
 }
@@ -159,13 +159,12 @@ void Assembler::deserialization_set_target_internal_reference_at(
   }
 }
 -Tagged<HeapObject> RelocInfo::target_object(PtrComprCageBase cage_base) {
 +HeapObject RelocInfo::target_object(PtrComprCageBase cage_base) {
   DCHECK(IsCodeTarget(rmode_) || IsEmbeddedObjectMode(rmode_));
   if (IsCompressedEmbeddedObject(rmode_)) {
 -    return HeapObject::cast(
 -        Tagged<Object>(V8HeapCompressionScheme::DecompressTagged(
 -            cage_base,
 -            Assembler::target_compressed_address_at(pc_, constant_pool_))));
 +    return HeapObject::cast(Object(V8HeapCompressionScheme::DecompressTagged(
 +        cage_base,
 +        Assembler::target_compressed_address_at(pc_, constant_pool_))));
   } else {
     return HeapObject::cast(
         Object(Assembler::target_address_at(pc_, constant_pool_)));
@@ -187,7 +186,8 @@ Handle<HeapObject> RelocInfo::target_object_handle(Assembler* origin) {
   }
 }
 -void RelocInfo::set_target_object(Tagged<HeapObject> target,
 +void RelocInfo::set_target_object(Heap* heap, HeapObject target,
 +                                  WriteBarrierMode write_barrier_mode,
                                   ICacheFlushMode icache_flush_mode) {
   DCHECK(IsCodeTarget(rmode_) || IsEmbeddedObjectMode(rmode_));
   if (IsCompressedEmbeddedObject(rmode_)) {
 diff --git a/deps/v8/src/codegen/riscv/assembler-riscv.h b/deps/v8/src/codegen/riscv/assembler-riscv.h
 index bcd5a62d32..ed222b52d6 100644
 --- a/deps/v8/src/codegen/riscv/assembler-riscv.h
 +++ b/deps/v8/src/codegen/riscv/assembler-riscv.h
@@ -286,7 +286,7 @@ class V8_EXPORT_PRIVATE Assembler : public AssemblerBase,
   // This is for calls and branches within generated code.  The serializer
   // has already deserialized the lui/ori instructions etc.
   inline static void deserialization_set_special_target_at(Address location,
 -                                                           Tagged<Code> code,
 +                                                           Code code,
                                                            Address target);
   // Get the size of the special target encoded at 'instruction_payload'.
 diff --git a/deps/v8/src/execution/riscv/simulator-riscv.cc b/deps/v8/src/execution/riscv/simulator-riscv.cc
 index 052a2d67dd..9582db4896 100644
 --- a/deps/v8/src/execution/riscv/simulator-riscv.cc
 +++ b/deps/v8/src/execution/riscv/simulator-riscv.cc
@@ -1781,7 +1781,7 @@ void RiscvDebugger::Debug() {
           sreg_t value;
           StdoutStream os;
           if (GetValue(arg1, &value)) {
 -            Tagged<Object> obj(value);
 +            Object obj(value);
             os << arg1 << ": \n";
 #ifdef DEBUG
             obj.Print(os);
@@ -1830,7 +1830,7 @@ void RiscvDebugger::Debug() {
           PrintF("  0x%012" PRIxPTR " :  0x%016" REGIx_FORMAT
                  "  %14" REGId_FORMAT " ",
                  reinterpret_cast<intptr_t>(cur), *cur, *cur);
 -          Tagged<Object> obj(*cur);
 +          Object obj(*cur);
           Heap* current_heap = sim_->isolate_->heap();
           if (obj.IsSmi() ||
               IsValidHeapObject(current_heap, HeapObject::cast(obj))) {
@@ -4692,7 +4692,7 @@ bool Simulator::DecodeRvvVS() {
 Builtin Simulator::LookUp(Address pc) {
   for (Builtin builtin = Builtins::kFirst; builtin <= Builtins::kLast;
        ++builtin) {
 -    if (builtins_.code(builtin)->contains(isolate_, pc)) return builtin;
 +    if (builtins_.code(builtin).contains(isolate_, pc)) return builtin;
   }
   return Builtin::kNoBuiltinId;
 }
@@ -4709,7 +4709,7 @@ void Simulator::DecodeRVIType() {
         if (builtin != Builtin::kNoBuiltinId) {
           auto code = builtins_.code(builtin);
           if ((rs1_reg() != ra || imm12() != 0)) {
 -            if ((Address)get_pc() == code->instruction_start()) {
 +            if ((Address)get_pc() == code.InstructionStart()) {
               sreg_t arg0 = get_register(a0);
               sreg_t arg1 = get_register(a1);
               sreg_t arg2 = get_register(a2);
 diff --git a/deps/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc b/deps/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
 index 72f89767eb..4063b4b3d2 100644
 --- a/deps/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
 +++ b/deps/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
@@ -1211,7 +1211,7 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
 int64_t RegExpMacroAssemblerRISCV::CheckStackGuardState(Address* return_address,
                                                         Address raw_code,
                                                         Address re_frame) {
 -  Tagged<InstructionStream> re_code = InstructionStream::cast(Object(raw_code));
 +  InstructionStream re_code = InstructionStream::cast(Object(raw_code));
   return NativeRegExpMacroAssembler::CheckStackGuardState(
       frame_entry<Isolate*>(re_frame, kIsolateOffset),
       static_cast<int>(frame_entry<int64_t>(re_frame, kStartIndexOffset)),
 -- 
 2.41.0
--- a/0003-fix-fd-is-null-when-calling-clearBuffer.patch
+++ b/0003-fix-fd-is-null-when-calling-clearBuffer.patch
@ -1,59 +0,0 @@
 From e0d8242693da7d6c1eb5f2ae75cb224e8bc7397b Mon Sep 17 00:00:00 2001
 From: zhenweijin <zhenwei.jin@intel.com>
 Date: Fri, 1 Dec 2023 19:35:05 +0800
 Subject: [PATCH] stream: fix fd is null when calling clearBuffer
 ---
 lib/internal/streams/writable.js         |  3 ++-
 test/parallel/test-file-write-stream5.js | 28 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 test/parallel/test-file-write-stream5.js
 diff --git a/lib/internal/streams/writable.js b/lib/internal/streams/writable.js
 index e55ddc1796cf6c..0dbf56d7a69ca9 100644
 --- a/lib/internal/streams/writable.js
 +++ b/lib/internal/streams/writable.js
@@ -733,7 +733,8 @@ function errorBuffer(state) {
 // If there's something in the buffer waiting, then process it.
 function clearBuffer(stream, state) {
 -  if ((state[kState] & (kDestroyed | kBufferProcessing | kCorked | kBuffered)) !== kBuffered) {
 +  if ((state[kState] & (kDestroyed | kBufferProcessing | kCorked | kBuffered | kConstructed)) !==
 +      (kBuffered | kConstructed)) {
     return;
   }
 diff --git a/test/parallel/test-file-write-stream5.js b/test/parallel/test-file-write-stream5.js
 new file mode 100644
 index 00000000000000..cdc8b52eebd48d
 --- /dev/null
 +++ b/test/parallel/test-file-write-stream5.js
@@ -0,0 +1,28 @@
 +'use strict';
 +
 +// Test 'uncork' for WritableStream.
 +// Refs: https://github.com/nodejs/node/issues/50979
 +
 +const common = require('../common');
 +const fs = require('fs');
 +const assert = require('assert');
 +const test = require('node:test');
 +const tmpdir = require('../common/tmpdir');
 +
 +const filepath = tmpdir.resolve('write_stream.txt');
 +tmpdir.refresh();
 +
 +const data = 'data';
 +
 +test('writable stream uncork', () => {
 +  const fileWriteStream = fs.createWriteStream(filepath);
 +
 +  fileWriteStream.on('finish', common.mustCall(() => {
 +    const writtenData = fs.readFileSync(filepath, 'utf8');
 +    assert.strictEqual(writtenData, data);
 +  }));
 +  fileWriteStream.cork();
 +  fileWriteStream.write(data, common.mustCall());
 +  fileWriteStream.uncork();
 +  fileWriteStream.end();
 +});
--- a/icu4c-74_2-data-bin-l.zip
+++ b/icu4c-74_2-data-bin-l.zip
--- a/node-v20.12.1.tar.xz
+++ b/node-v20.12.1.tar.xz
--- a/nodejs.spec
+++ b/nodejs.spec
@ -1,8 +1,8 @@
-%global baserelease 3
+%global baserelease 1
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 20
-%global nodejs_minor 11
+%global nodejs_minor 12
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_soversion 115
@ -18,22 +18,22 @@
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
 %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 %global c_ares_major 1
-%global c_ares_minor 20
+%global c_ares_minor 27
-%global c_ares_patch 1
+%global c_ares_patch 0
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 %global llhttp_major 8
 %global llhttp_minor 1
-%global llhttp_patch 1
+%global llhttp_patch 2
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 %global libuv_major 1
 %global libuv_minor 46
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 %global nghttp2_major 1
-%global nghttp2_minor 58
+%global nghttp2_minor 60
 %global nghttp2_patch 0
 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
-%global icu_major 73
+%global icu_major 74
 %global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}
 %global icudatadir %{nodejs_datadir}/icudata
@ -48,12 +48,12 @@
 %global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
 %global npm_epoch 1
 %global npm_major 10
-%global npm_minor 2
+%global npm_minor 5
-%global npm_patch 4
+%global npm_patch 0
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 19
+%global uvwasi_patch 20
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 %global histogram_major 0
 %global histogram_minor 9
@ -80,8 +80,6 @@ Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_majo
 Source4: nodejs_native.attr
 Patch0: 0001-Use-system-uv-zlib.patch
 Patch1: 0002-Revert-deps-V8-tagged.patch
 Patch2: 0003-fix-fd-is-null-when-calling-clearBuffer.patch
 BuildRequires: python3-devel python3-setuptools  make
 BuildRequires: zlib-devel python3-jinja2
@ -265,7 +263,12 @@ export LDFLAGS="%{build_ldflags}"
 # The ninja build does not put the shared library in the expected location, so
 # we will move it.
 mv out/Release/lib/libnode.so.%{nodejs_soversion} out/Release/
 %if 0%{?nodejs_major} >= 20
 ./tools/install.py install --dest-dir %{buildroot} --prefix %{_prefix}
 %else
 ./tools/install.py install %{buildroot} %{_prefix}
 %endif
 chmod 0755 %{buildroot}/%{_bindir}/node
 chrpath --delete %{buildroot}%{_bindir}/node
@ -399,6 +402,14 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %{_pkgdocdir}/npm/docs
 %changelog
 * Wed Sep 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:20.12.1-1
 - Update to 20.12.1:
  * CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session()
    leads to HTTP/2 server crash- (High)
  * CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
  * llhttp version 9.2.1
  * undici version 5.28.4
 * Mon May 06 2024 Ge Wang <wang__ge@126.com> - 1:20.11.1-3
 - Fix fd is null when calling clearBuffer