Merge remote-tracking branch 'origin/main' into farm/951ebbb3/serve-stream-resolve-socket-uaf

Author: robobun

packages/bun-usockets/src/crypto/openssl.c

@@ -1306,6 +1306,7 @@ void us_internal_ssl_attach(struct us_socket_t *s, SSL_CTX *ctx,
   s->ssl_fatal_error = 0;
   s->ssl_raw_tap = 0;
   s->ssl_shutdown_after_spill = 0;
+  s->ssl_close_after_spill = 0;
   s->ssl_in_use = 0;
   s->ssl_pending_detach = 0;
   s->ssl_pending_close_code = 0;
@@ -1549,17 +1550,30 @@ static int ssl_handle_shutdown(struct us_socket_t *s, int force_fast_shutdown) {
 }
 
 struct us_socket_t *us_internal_ssl_close(struct us_socket_t *s, int code, void *reason) {
-  ssl_release_spill(s->group->loop, s);
   if (s->ssl && s->ssl_in_use) {
     /* A JS callback running from inside SSL_do_handshake/SSL_read (ALPN, SNI,
      * keylog, ...) destroyed this socket. Reaching ssl_set_loop_data /
      * SSL_do_handshake here would re-enter BoringSSL on the same SSL* while
      * the outer ssl_run_handshake is still on the stack; defer to the SSL
-     * driver's epilogue (the same protocol close_raw and ssl_detach honor). */
+     * driver's epilogue (the same protocol close_raw and ssl_detach honor),
+     * releasing the spill now so the re-issued close cannot itself defer. */
+    ssl_release_spill(s->group->loop, s);
     s->ssl_pending_detach = 1;
     s->ssl_pending_close_code = (unsigned char) code;
     return s;
   }
+  /* node's `_handle.close()` (FAST_SHUTDOWN, no reason) must not cut off spilled
+   * ciphertext already reported as written: SSL sealed it, so it can only be
+   * delivered, never re-sent. Mirror ssl_shutdown_after_spill; defer at most once. */
+  if (code == LIBUS_SOCKET_CLOSE_CODE_FAST_SHUTDOWN && !reason
+      && !s->ssl_close_after_spill && !s->ssl_fatal_error && !us_socket_is_closed(s)) {
+    struct loop_ssl_data *loop_ssl_data = (struct loop_ssl_data *)s->group->loop->data.ssl_data;
+    if (loop_ssl_data && !ssl_drain_spill(loop_ssl_data, s)) {
+      s->ssl_close_after_spill = 1;
+      return s;
+    }
+  }
+  ssl_release_spill(s->group->loop, s);
   /* SEMI_SOCKET never connected — SSL was attached eagerly on the fast-path
    * connect, but no bytes were ever exchanged. Firing on_handshake(0) here
    * lands in JS after onConnectError already tore down `this`/its handlers. */
@@ -1722,6 +1736,10 @@ struct us_socket_t *us_internal_ssl_on_writable(struct us_socket_t *s) {
       us_internal_ssl_shutdown(s);
       if (ssl_gone(s)) return s;
     }
+    if (s->ssl_close_after_spill) {
+      s->ssl_close_after_spill = 0;
+      return us_internal_ssl_close(s, LIBUS_SOCKET_CLOSE_CODE_FAST_SHUTDOWN, NULL);
+    }
   }
   ssl_update_handshake(s);
   if (ssl_gone(s)) return s;

packages/bun-usockets/src/internal/internal.h

@@ -271,6 +271,9 @@ struct us_socket_t {
    * spilled (see ssl_flush_write_batch); the shutdown re-runs once the
    * spill drains so those records are not cut off by our FIN/close_notify. */
   unsigned char ssl_shutdown_after_spill : 1;
+  /* Same as ssl_shutdown_after_spill but for us_internal_ssl_close: the
+   * close re-runs from the writable event once the spill drains. */
+  unsigned char ssl_close_after_spill : 1;
   /* Set while SSL_do_handshake/SSL_read is on the stack: JS run from inside
    * those calls (ALPN/SNI/keylog callbacks) may destroy the socket, and the
    * SSL must not be freed under BoringSSL's feet - the detach is deferred to

src/jsc/bindings/bindings.cpp

@@ -4047,6 +4047,7 @@ void JSC__JSValue__putToPropertyKey(JSC::EncodedJSValue JSValue0, JSC::JSGlobalO
     auto pkey = key.toPropertyKey(arg1);
     RETURN_IF_EXCEPTION(scope, );
     object->putDirectMayBeIndex(arg1, pkey, value);
+    RETURN_IF_EXCEPTION(scope, );
 }
 
 extern "C" [[ZIG_EXPORT(check_slow)]] void JSC__JSValue__putMayBeIndex(JSC::EncodedJSValue target, JSC::JSGlobalObject* globalObject, const BunString* key, JSC::EncodedJSValue value)

src/jsc/bindings/node/crypto/JSCipherPrototype.cpp

@@ -351,6 +351,12 @@ JSC_DEFINE_HOST_FUNCTION(jsCipherSetAAD, (JSC::JSGlobalObject * globalObject, JS
         return ERR::OUT_OF_RANGE(scope, globalObject, "buffer is too big"_s, 0, INT_MAX, jsNumber(aadbuf->byteLength()));
     }
 
+    // Passing a NULL output buffer to EVP_CipherUpdate is only valid for AEAD
+    // modes; for any other mode it writes the ciphertext through the NULL pointer.
+    if (!cipher->m_ctx || !cipher->isAuthenticatedMode()) {
+        return ERR::CRYPTO_INVALID_STATE(scope, globalObject, "setAAD"_s);
+    }
+
     MarkPopErrorOnReturn popError;
 
     int32_t outlen;

src/jsc/bindings/webcore/AbortSignal.cpp

@@ -122,7 +122,7 @@ JSValue AbortSignal::jsReason(JSC::JSGlobalObject& globalObject)
         if (m_commonReason != CommonAbortReason::None) {
             existingValue = toJS(&globalObject, m_commonReason);
             m_commonReason = CommonAbortReason::None;
-            m_reason.setWeakly(existingValue);
+            m_reason.set(globalObject.vm(), wrapper(), existingValue);
         }
     }
 
@@ -159,10 +159,11 @@ void AbortSignal::markAborted(JSC::JSValue reason)
     applyFlags(static_cast<uint8_t>(AbortSignalFlags::Aborted) | static_cast<uint8_t>(AbortSignalFlags::IsFiringEventListeners));
     m_sourceSignals.clear();
 
-    // FIXME: This code is wrong: we should emit a write-barrier. Otherwise, GC can collect it.
-    // https://bugs.webkit.org/show_bug.cgi?id=236353
     ASSERT(reason);
-    m_reason.setWeakly(reason);
+    if (auto* context = scriptExecutionContext())
+        m_reason.set(context->vm(), wrapper(), reason);
+    else
+        m_reason.setWeakly(reason);
 
     cancelTimer();
 }

src/jsc/bindings/webcore/JSAbortController.cpp

@@ -242,11 +242,31 @@ void JSAbortController::visitChildrenImpl(JSCell* cell, Visitor& visitor)
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
     addWebCoreOpaqueRoot(visitor, thisObject->wrapped().opaqueRoot());
-    thisObject->wrapped().signal().reason().visit(visitor);
+    thisObject->visitAdditionalChildrenInGCThread(visitor);
 }
 
 DEFINE_VISIT_CHILDREN(JSAbortController);
 
+template<typename Visitor>
+void JSAbortController::visitOutputConstraints(JSCell* cell, Visitor& visitor)
+{
+    auto* thisObject = uncheckedDowncast<JSAbortController>(cell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+    Base::visitOutputConstraints(thisObject, visitor);
+    thisObject->visitAdditionalChildrenInGCThread(visitor);
+}
+
+template void JSAbortController::visitOutputConstraints(JSCell*, AbstractSlotVisitor&);
+template void JSAbortController::visitOutputConstraints(JSCell*, SlotVisitor&);
+
+template<typename Visitor>
+void JSAbortController::visitAdditionalChildrenInGCThread(Visitor& visitor)
+{
+    wrapped().signal().reason().visit(visitor);
+}
+
+DEFINE_VISIT_ADDITIONAL_CHILDREN_IN_GC_THREAD(JSAbortController);
+
 void JSAbortController::analyzeHeap(JSCell* cell, HeapAnalyzer& analyzer)
 {
     auto* thisObject = uncheckedDowncast<JSAbortController>(cell);

src/jsc/bindings/webcore/JSAbortController.h

@@ -58,7 +58,9 @@ class JSAbortController : public JSDOMWrapper<AbortController> {
     }
     static JSC::GCClient::IsoSubspace* subspaceForImpl(JSC::VM& vm);
     DECLARE_VISIT_CHILDREN;
+    template<typename Visitor> void visitAdditionalChildrenInGCThread(Visitor&);
 
+    template<typename Visitor> static void visitOutputConstraints(JSCell*, Visitor&);
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 
 protected:

src/jsc/bindings/webcore/JSValueInWrappedObject.h

@@ -98,7 +98,8 @@ inline void JSValueInWrappedObject::setWeakly(JSC::JSValue value)
 inline void JSValueInWrappedObject::set(JSC::VM& vm, const JSC::JSCell* owner, JSC::JSValue value)
 {
     setWeakly(value);
-    vm.writeBarrier(owner, value);
+    if (owner)
+        vm.writeBarrier(owner, value);
 }
 
 inline void JSValueInWrappedObject::clear()

src/runtime/api.rs

@@ -259,6 +259,21 @@ pub(crate) fn with_text_format_source<R>(
         _str_hold.slice()
     };
 
+    // Every parser reached from here records source positions as an `i32`
+    // (`ast::Loc` via `usize2loc` for JSONC/TOML, JSON5's token locs, YAML's
+    // `Pos`), so an input those offsets cannot represent panics inside the
+    // lexer instead of reporting an error. Reject it before parsing.
+    if bytes.len() > i32::MAX as usize {
+        return Err(global.throw_range_error(
+            bytes.len() as i64,
+            bun_jsc::RangeErrorOptions {
+                field_name: b"input.byteLength",
+                max: i64::from(i32::MAX),
+                ..Default::default()
+            },
+        ));
+    }
+
     let mut log = bun_ast::Log::init();
     let source = bun_ast::Source::init_path_string(path, bytes);
 

src/runtime/node/node_fs.rs

@@ -2426,7 +2426,7 @@ mod _async_tasks {
                                 <$T as ReaddirEntry>::destroy_entry(item);
                             }
                             {
-                                let _lock = self.pending_err_mutex.lock();
+                                let _lock = self.pending_err_mutex.lock_guard();
                                 if self.pending_err.is_none() {
                                     let err_path: &[u8] = if !err.path.is_empty() {
                                         &err.path[..]