+ From 738785214546ec5bb772886019529b2a6519deaf Mon Sep 17 00:00:00 2001

+ From: Simon McVittie <smcv@debian.org>

+ Date: Fri, 1 May 2020 19:04:22 +0100

+ Subject: [PATCH] mozjs: Avoid use-after-free

+ 

+ If we don't assign the temporary std::string returned by

+ url_.to_string() to a variable, then it immediately goes out of scope

+ and is freed, resulting in the result of c_str() pointing into freed

+ memory. This works about as well as you would expect.

+ 

+ Signed-off-by: Simon McVittie <smcv@debian.org>

+ ---

+  libproxy/modules/pacrunner_mozjs.cpp | 11 ++++-------

+  1 file changed, 4 insertions(+), 7 deletions(-)

+ 

+ diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp

+ index ade6d0a..aac6531 100644

+ --- a/libproxy/modules/pacrunner_mozjs.cpp

+ +++ b/libproxy/modules/pacrunner_mozjs.cpp

+ @@ -175,14 +175,11 @@ class mozjs_pacrunner : public pacrunner {

+  

+  	string run(const url& url_) throw (bad_alloc) {

+  		// Build arguments to the FindProxyForURL() function

+ -		const char *tmpurl  = url_.to_string().c_str();

+ -		const char *tmphost = url_.get_host().c_str();

+ -		if (!tmpurl || !tmphost) {

+ -			throw bad_alloc();

+ -		}

+ +		string tmpurl(url_.to_string());

+ +		string tmphost(url_.get_host());

+  		JS::AutoValueArray<2> args(this->jsctx);

+ -		args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl));

+ -		args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost));

+ +		args[0].setString(JS_NewStringCopyZ(this->jsctx, tmpurl.c_str()));

+ +		args[1].setString(JS_NewStringCopyZ(this->jsctx, tmphost.c_str()));

+  

+  		// Find the proxy (call FindProxyForURL())

+  		JS::RootedValue rval(this->jsctx);

+ From 6c9e48accddb90eef8412bef3ccc29594935d3b3 Mon Sep 17 00:00:00 2001

+ From: Iain Lane <iain@orangesquash.org.uk>

+ Date: Wed, 11 Mar 2020 11:54:52 +0000

+ Subject: [PATCH] mozjs: Port to mozjs 68

+ 

+ There are a number of API changes that need to be adapted to, notably

+ 

+   - JS_EncodeString is gone; need to use JS_EncodeStringToUTF8 now which

+     requires a rooted object to be passed in.

+   - JS_free is gone

+ 

+ The pkg-config file ships some flags which need to be supplied to the

+ build.

+ ---

+  libproxy/cmake/modules/pacrunner_mozjs.cmk |  6 ++-

+  libproxy/modules/pacrunner_mozjs.cpp       | 56 ++++++++++++++--------

+  2 files changed, 41 insertions(+), 21 deletions(-)

+ 

+ diff --git a/libproxy/cmake/modules/pacrunner_mozjs.cmk b/libproxy/cmake/modules/pacrunner_mozjs.cmk

+ index 871cc85..2cc3c51 100644

+ --- a/libproxy/cmake/modules/pacrunner_mozjs.cmk

+ +++ b/libproxy/cmake/modules/pacrunner_mozjs.cmk

+ @@ -9,8 +9,12 @@ if(WIN32)

+  elseif(NOT APPLE)

+    option(WITH_MOZJS "Search for MOZJS package" ON)

+    if (WITH_MOZJS)

+ -    pkg_search_module(MOZJS mozjs-60)

+ +    pkg_search_module(MOZJS mozjs-68)

+      if(MOZJS_FOUND)

+ +      foreach(OPT ${MOZJS_CFLAGS})

+ +        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPT}")

+ +      endforeach()

+ +      message("mozjs is " ${CMAKE_CXX_FLAGS})

+        include_directories(${MOZJS_INCLUDE_DIRS})

+        link_directories(${MOZJS_LIBRARY_DIRS})

+      else()

+ diff --git a/libproxy/modules/pacrunner_mozjs.cpp b/libproxy/modules/pacrunner_mozjs.cpp

+ index 38e7d46..37e1b42 100644

+ --- a/libproxy/modules/pacrunner_mozjs.cpp

+ +++ b/libproxy/modules/pacrunner_mozjs.cpp

+ @@ -37,6 +37,9 @@ using namespace libproxy;

+  #pragma GCC diagnostic error "-Winvalid-offsetof"

+  #include <js/Initialization.h>

+  #include <js/CallArgs.h>

+ +#include <js/CompilationAndEvaluation.h>

+ +#include <js/MemoryFunctions.h>

+ +#include <js/SourceText.h>

+  

+  #include "pacutils.h"

+  

+ @@ -49,19 +52,21 @@ using namespace libproxy;

+  #endif

+  

+  static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) {

+ +	char *tmp;

+  	// Get hostname argument

+ -	char *tmp = JS_EncodeString(cx, hostname);

+ +	JS::RootedString str(cx, hostname);

+ +	JS::UniqueChars chars = JS_EncodeStringToUTF8(cx, str);

+ +	const char *val = chars.get();

+  

+  	// Set the default return value

+  	argv->rval().setNull();

+  

+  	// Look it up

+  	struct addrinfo *info = nullptr;

+ -	if (getaddrinfo(tmp, NULL, NULL, &info))

+ +	if (getaddrinfo(val, NULL, NULL, &info))

+  		goto out;

+  

+  	// Allocate the IP address

+ -	JS_free(cx, tmp);

+  	tmp = (char *) JS_malloc(cx, INET6_ADDRSTRLEN+1);

+  	memset(tmp, 0, INET6_ADDRSTRLEN+1);

+  

+ @@ -77,7 +82,6 @@ static void dnsResolve_(JSContext *cx, JSString *hostname, JS::CallArgs *argv) {

+  

+  	out:

+  		if (info) freeaddrinfo(info);

+ -		JS_free(cx, tmp);

+  }

+  

+  static bool dnsResolve(JSContext *cx, unsigned argc, JS::Value *vp) {

+ @@ -121,29 +125,40 @@ class mozjs_pacrunner : public pacrunner {

+  			if (!JS::InitSelfHostedCode(this->jsctx)) goto error;

+  

+  			JS::RootedValue  rval(this->jsctx);

+ -			JS::CompartmentOptions compart_opts;

+ +			JS::RealmOptions realm_opts;

+  

+  			this->jsglb = new JS::Heap<JSObject*>(JS_NewGlobalObject(

+  								  this->jsctx, &cls,

+  								  nullptr, JS::DontFireOnNewGlobalHook,

+ -								  compart_opts));

+ +								  realm_opts));

+  

+  			if (!(this->jsglb)) goto error;

+  			JS::RootedObject global(this->jsctx,this->jsglb->get());

+ -			if (!(this->jsac = new JSAutoCompartment(this->jsctx,  global))) goto error;

+ -			if (!JS_InitStandardClasses(this->jsctx, global))            goto error;

+ +			if (!(this->jsar = new JSAutoRealm(this->jsctx,  global))) goto error;

+  

+  			// Define Javascript functions

+  			JS_DefineFunction(this->jsctx, global, "dnsResolve", dnsResolve, 1, 0);

+  			JS_DefineFunction(this->jsctx, global, "myIpAddress", myIpAddress, 0, 0);

+  			JS::CompileOptions options(this->jsctx);

+ -			options.setUTF8(true);

+  

+ -			JS::Evaluate(this->jsctx, options, JAVASCRIPT_ROUTINES,

+ -				     strlen(JAVASCRIPT_ROUTINES), JS::MutableHandleValue(&rval));

+ +			JS::SourceText<mozilla::Utf8Unit> routines, pac_source;

+ +			if (!routines.init(this->jsctx,

+ +					   JAVASCRIPT_ROUTINES,

+ +					   strlen(JAVASCRIPT_ROUTINES),

+ +					   JS::SourceOwnership::Borrowed))

+ +				goto error;

+ +

+ +			if (!pac_source.init(this->jsctx,

+ +					     pac.c_str(),

+ +					     pac.length(),

+ +					     JS::SourceOwnership::Borrowed))

+ +				goto error;

+ +

+ +

+ +			JS::Evaluate(this->jsctx, options, routines, JS::MutableHandleValue(&rval));

+  

+  			// Add PAC to the environment

+ -			JS::Evaluate(this->jsctx, options, pac.c_str(), pac.length(), JS::MutableHandleValue(&rval));

+ +			JS::Evaluate(this->jsctx, options, pac_source, JS::MutableHandleValue(&rval));

+  			return;

+  		}

+  		error:

+ @@ -152,7 +167,7 @@ class mozjs_pacrunner : public pacrunner {

+  	}

+  

+  	~mozjs_pacrunner() {

+ -		if (this->jsac) delete this->jsac;

+ +		if (this->jsar) delete this->jsar;

+  		if (this->jsglb) delete this->jsglb;

+  		if (this->jsctx) JS_DestroyContext(this->jsctx);

+  		JS_ShutDown();

+ @@ -160,11 +175,9 @@ class mozjs_pacrunner : public pacrunner {

+  

+  	string run(const url& url_) throw (bad_alloc) {

+  		// Build arguments to the FindProxyForURL() function

+ -		char *tmpurl  = JS_strdup(this->jsctx, url_.to_string().c_str());

+ -		char *tmphost = JS_strdup(this->jsctx, url_.get_host().c_str());

+ +		const char *tmpurl  = url_.to_string().c_str();

+ +		const char *tmphost = url_.get_host().c_str();

+  		if (!tmpurl || !tmphost) {

+ -			if (tmpurl) JS_free(this->jsctx, tmpurl);

+ -			if (tmphost) JS_free(this->jsctx, tmphost);

+  			throw bad_alloc();

+  		}

+  		JS::AutoValueArray<2> args(this->jsctx);

+ @@ -176,10 +189,13 @@ class mozjs_pacrunner : public pacrunner {

+  		JS::RootedObject global(this->jsctx,this->jsglb->get());

+  		bool result = JS_CallFunctionName(this->jsctx, global, "FindProxyForURL", args, &rval);

+  		if (!result) return "";

+ +		if (!rval.isString())

+ +			return "";

+  

+ -		char * tmpanswer = JS_EncodeString(this->jsctx, rval.toString());

+ +		JS::RootedString s(this->jsctx, rval.toString());

+ +		JS::UniqueChars chars = JS_EncodeStringToUTF8(this->jsctx, s);

+ +		const char *tmpanswer = chars.get();

+  		string answer = string(tmpanswer);

+ -		JS_free(this->jsctx, tmpanswer);

+  

+  		if (answer == "undefined") return "";

+  		return answer;

+ @@ -188,7 +204,7 @@ class mozjs_pacrunner : public pacrunner {

+  private:

+  	JSContext *jsctx;

+  	JS::Heap<JSObject*> *jsglb;

+ -	JSAutoCompartment *jsac;

+ +	JSAutoRealm *jsar;

+  };

+  

+  PX_PACRUNNER_MODULE_EZ(mozjs, "JS_DefineFunction", "mozjs");

+ Release:        23%{?dist}

+ # https://github.com/libproxy/libproxy/pull/109

+ Patch6:         libproxy-0.4.15-mozjs68.patch

+ # https://github.com/libproxy/libproxy/pull/118

+ Patch7:         libproxy-0.4.15-mozjs-use-after-free.patch

+ BuildRequires:  pkgconfig(mozjs-68)

+ * Tue Aug 04 2020 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.4.15-23

+ - build with mozjs68

+ - backport use after free fix for mozjs backend

+