From 56804398a94bea941183ae4ed29d2a9f82069a6f Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 6 Jan 2018 19:51:06 -0500 Subject: gnu: webkitgtk: Disable SharedArrayBuffers to mitigate Spectre. * gnu/packages/patches/webkitgtk-mitigate-spectre.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/webkit.scm (webkitgtk)[source]: Add patch. --- gnu/local.mk | 3 +- .../patches/webkitgtk-mitigate-spectre.patch | 107 +++++++++++++++++++++ gnu/packages/webkit.scm | 5 +- 3 files changed, 112 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/webkitgtk-mitigate-spectre.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index d82cbcee26..d4e8419217 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -2,7 +2,7 @@ # Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès # Copyright © 2013, 2014, 2015, 2016, 2017 Andreas Enge # Copyright © 2016 Mathieu Lirzin -# Copyright © 2013, 2014, 2015, 2016, 2017 Mark H Weaver +# Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Mark H Weaver # Copyright © 2016 Chris Marusich # Copyright © 2016, 2017 Kei Kebreau # Copyright © 2016, 2017 Rene Saavedra @@ -1136,6 +1136,7 @@ dist_patch_DATA = \ %D%/packages/patches/vsearch-unbundle-cityhash.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ + %D%/packages/patches/webkitgtk-mitigate-spectre.patch \ %D%/packages/patches/weechat-python.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ %D%/packages/patches/wicd-get-selected-profile-fix.patch \ diff --git a/gnu/packages/patches/webkitgtk-mitigate-spectre.patch b/gnu/packages/patches/webkitgtk-mitigate-spectre.patch new file mode 100644 index 0000000000..3d983ede66 --- /dev/null +++ b/gnu/packages/patches/webkitgtk-mitigate-spectre.patch @@ -0,0 +1,107 @@ +Disable SharedArrayBuffers to mitigate Spectre. Based on: + + https://trac.webkit.org/changeset/226386/webkit + +Backported to webkitgtk-2.18.4 by Mark H Weaver + + +--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h.orig 2017-12-19 02:23:07.000000000 -0500 ++++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h 2018-01-06 19:28:55.985066986 -0500 +@@ -338,8 +338,10 @@ + WriteBarrier m_moduleLoaderStructure; + WriteBarrier m_arrayBufferPrototype; + WriteBarrier m_arrayBufferStructure; ++#if ENABLE(SHARED_ARRAY_BUFFER) + WriteBarrier m_sharedArrayBufferPrototype; + WriteBarrier m_sharedArrayBufferStructure; ++#endif + + #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \ + WriteBarrier m_ ## lowerName ## Prototype; \ +@@ -670,8 +672,13 @@ + switch (sharingMode) { + case ArrayBufferSharingMode::Default: + return m_arrayBufferPrototype.get(); ++#if ENABLE(SHARED_ARRAY_BUFFER) + case ArrayBufferSharingMode::Shared: + return m_sharedArrayBufferPrototype.get(); ++#else ++ default: ++ return m_arrayBufferPrototype.get(); ++#endif + } + } + Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const +@@ -679,8 +686,13 @@ + switch (sharingMode) { + case ArrayBufferSharingMode::Default: + return m_arrayBufferStructure.get(); ++#if ENABLE(SHARED_ARRAY_BUFFER) + case ArrayBufferSharingMode::Shared: + return m_sharedArrayBufferStructure.get(); ++#else ++ default: ++ return m_arrayBufferStructure.get(); ++#endif + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp.orig 2017-12-19 02:23:07.000000000 -0500 ++++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2018-01-06 19:27:16.628574304 -0500 +@@ -574,8 +574,10 @@ + + m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default)); + m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get())); ++#if ENABLE(SHARED_ARRAY_BUFFER) + m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared)); + m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get())); ++#endif + + m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get()))); + m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get()))); +@@ -620,10 +622,11 @@ + + JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default); + m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum); ++#if ENABLE(SHARED_ARRAY_BUFFER) + JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr; + sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared); + m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum); +- ++#endif + #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \ + capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \ + m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \ +@@ -686,7 +689,9 @@ + putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly); + + putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum); ++#if ENABLE(SHARED_ARRAY_BUFFER) + putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum); ++#endif + + #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \ + putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \ +@@ -1288,8 +1293,10 @@ + + visitor.append(thisObject->m_arrayBufferPrototype); + visitor.append(thisObject->m_arrayBufferStructure); ++#if ENABLE(SHARED_ARRAY_BUFFER) + visitor.append(thisObject->m_sharedArrayBufferPrototype); + visitor.append(thisObject->m_sharedArrayBufferStructure); ++#endif + + #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \ + visitor.append(thisObject->m_ ## lowerName ## Prototype); \ +--- webkitgtk-2.18.4/Source/WTF/wtf/Platform.h.orig 2017-10-16 08:18:56.000000000 -0400 ++++ webkitgtk-2.18.4/Source/WTF/wtf/Platform.h 2018-01-06 19:29:52.897349199 -0500 +@@ -1190,6 +1190,9 @@ + #define HAVE_NS_ACTIVITY 1 + #endif + ++/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */ ++#define ENABLE_SHARED_ARRAY_BUFFER 0 ++ + #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO))) + #undef ENABLE_OPENTYPE_MATH + #define ENABLE_OPENTYPE_MATH 1 diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index e2d753aa3d..7acc018632 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2015 David Hashe ;;; Copyright © 2015 Ricardo Wurmus -;;; Copyright © 2015, 2016, 2017 Mark H Weaver +;;; Copyright © 2015, 2016, 2017, 2018 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; @@ -61,7 +61,8 @@ name "-" version ".tar.xz")) (sha256 (base32 - "1f1j0r996l20cgkvbwpizn7d4yp58cy334b1pvn4kfb5c2dbpdl7")))) + "1f1j0r996l20cgkvbwpizn7d4yp58cy334b1pvn4kfb5c2dbpdl7")) + (patches (search-patches "webkitgtk-mitigate-spectre.patch")))) (build-system cmake-build-system) (arguments '(#:tests? #f ; no tests -- cgit 1.4.1