From 9b1cb9da5734deaf38fa7ade13c74ff503e9141f Mon Sep 17 00:00:00 2001
From: Rod Vagg
Date: Fri, 1 Mar 2019 11:22:06 +1100
Subject: [PATCH] build: enable v8's siphash for hash seed creation

Triggers the V8_USE_SIPHASH to switch from the internal custom V8 hash seed generation function to an implementation of SipHash. Final step needed to clear up HashWick.

PR-URL: https://github.com/nodejs/node/pull/26367
Refs: https://github.com/nodejs/node/issues/23259
Refs: https://darksi.de/12.hashwick-v8-vulnerability/
Reviewed-By: Gus Caplan
Reviewed-By: Richard Lau
Reviewed-By: Refael Ackermann
Reviewed-By: Ben Noordhuis
Reviewed-By: Ruben Bridgewater
Reviewed-By: Fedor Indutny
Reviewed-By: James M Snell
Reviewed-By: Yang Guo
Reviewed-By: Ujjwal Sharma
---
 common.gypi | 3 +++
 configure.py | 6 ++++++
 deps/v8/gypfiles/features.gypi | 3 +++
 deps/v8/gypfiles/v8.gyp | 3 +++
 node.gyp | 1 +
 5 files changed, 16 insertions(+)

diff --git a/common.gypi b/common.gypi
index fcd7cdc7ce3be6..338ed2cbbb9bb8 100644
--- a/common.gypi
+++ b/common.gypi
@@ -32,6 +32,9 @@
 # Increment by one for each non-official patch applied to deps/v8.
 'v8_embedder_string': '-node.18',

+ # Turn on SipHash for hash seed generation, addresses HashWick
+ 'v8_use_siphash': 'true',
+
 # Enable disassembler for `--print-code` v8 options
 'v8_enable_disassembler': 1,

diff --git a/configure.py b/configure.py
index 6c6da268c7888e..8ae56fdeff2b7e 100755
--- a/configure.py
+++ b/configure.py
@@ -509,6 +509,11 @@
 dest='without_snapshot',
 help=optparse.SUPPRESS_HELP)

+parser.add_option('--without-siphash',
+ action='store_true',
+ dest='without_siphash',
+ help=optparse.SUPPRESS_HELP)
+
 parser.add_option('--code-cache-path',
 action='store',
 dest='code_cache_path',
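Review bot: In the common.gypi hunk `'v8_use_siphash': 'true',` is assigned without the `%` default suffix, while the same commit adds `'v8_use_siphash%': 'true'` to node.gyp and has configure.py write `'false'` when `--without-siphash` is given, so the setting now has three sources and nothing visible here says which one wins. If the unconditional value takes precedence over the generated configuration, the opt-out would silently do nothing; if it does not, this line is redundant. Either switch it to `'v8_use_siphash%': 'true',` so it reads as a default, or extend the comment to say which file is authoritative and why the value is repeated here.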
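Review bot: `--without-siphash` in the configure.py option hunk is registered with `help=optparse.SUPPRESS_HELP`, so the only switch that turns the HashWick mitigation off is absent from `--help` and has no explanation in the source either. A comment above the option would tell the next maintainer what it trades away, for example `# Hidden opt-out: builds V8 with its previous hash seed function instead of SipHash (see HashWick).`. The hunk opens inside the preceding `parser.add_option` call, whose first line is outside it.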
@@ -1178,6 +1183,7 @@ def configure_v8(o):
 o['variables']['v8_random_seed'] = 0 # Use a random seed for hash tables.
 o['variables']['v8_promise_internal_field_count'] = 1 # Add internal field to promises for async hooks.
 o['variables']['v8_use_snapshot'] = 'false' if options.without_snapshot else 'true'
+ o['variables']['v8_use_siphash'] = 'false' if options.without_siphash else 'true'
 o['variables']['v8_trace_maps'] = 1 if options.trace_maps else 0
 o['variables']['node_use_v8_platform'] = b(not options.without_v8_platform)
 o['variables']['node_use_bundled_v8'] = b(not options.without_bundled_v8)
diff --git a/deps/v8/gypfiles/features.gypi b/deps/v8/gypfiles/features.gypi
index 618949124a71cb..4b885bd5fa00c0 100644
--- a/deps/v8/gypfiles/features.gypi
+++ b/deps/v8/gypfiles/features.gypi
@@ -154,6 +154,9 @@
 ['v8_use_snapshot=="true" and v8_use_external_startup_data==1', {
 'defines': ['V8_USE_EXTERNAL_STARTUP_DATA',],
 }],
+ ['v8_use_siphash=="true"', {
+ 'defines': ['V8_USE_SIPHASH',],
+ }],
 ['dcheck_always_on!=0', {
 'defines': ['DEBUG',],
 }],
diff --git a/deps/v8/gypfiles/v8.gyp b/deps/v8/gypfiles/v8.gyp
index 9793d5cab5497c..2c21a993e14e04 100644
--- a/deps/v8/gypfiles/v8.gyp
+++ b/deps/v8/gypfiles/v8.gyp
@@ -92,6 +92,7 @@
 'v8_enable_verify_predictable=<(v8_enable_verify_predictable)',
 'v8_target_cpu=<(v8_target_arch)',
 'v8_use_snapshot=<(v8_use_snapshot)',
+ 'v8_use_siphash=<(v8_use_siphash)',
 ]
 },
 'conditions': [
@@ -1432,6 +1433,8 @@
 '../src/string-stream.h',
 '../src/strtod.cc',
 '../src/strtod.h',
+ '../src/third_party/siphash/halfsiphash.cc',
+ '../src/third_party/siphash/halfsiphash.h',
 '../src/third_party/utf8-decoder/utf8-decoder.h',
 '../src/tracing/trace-event.cc',
 '../src/tracing/trace-event.h',
diff --git a/node.gyp b/node.gyp
index 9547daee4cce32..28cbf63366c749 100644
--- a/node.gyp
+++ b/node.gyp
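Review bot: A build configured with `--without-siphash` drops the mitigation without leaving any trace in the configure output, because the added assignment in `configure_v8` only writes `'false'` into the variables. Reporting it would make a weakened binary easier to spot in build logs, for example `if options.without_siphash:` followed by `warn('building without SipHash hash seeding')`, assuming configure.py's `warn` helper is in scope at this point. `configure_v8` starts before the hunk and continues after it.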
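Review bot: The new condition in features.gypi defines `V8_USE_SIPHASH` only when the variable is exactly the string `"true"`, so any other spelling supplied through a gyp include (`1`, `'True'`) builds without the mitigation and without an error. For a hardening switch it is safer to fail closed and disable only on an explicit opt-out: `['v8_use_siphash!="false"', {`. That departs from the `v8_use_snapshot=="true"` pattern just above it, so it deserves a one-line comment if adopted.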
@@ -1,6 +1,7 @@
 {
 'variables': {
 'v8_use_snapshot%': 'false',
+ 'v8_use_siphash%': 'true',
 'v8_trace_maps%': 0,
 'node_use_dtrace%': 'false',
 'node_use_etw%': 'false',