Node v24.17.0 nsolid v6.3.1 release#482
Open
santigimeno wants to merge 22 commits into
Open
Conversation
PR-URL: nodejs/node#63703 Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This seems like a bug in AIX header files because the examples show including the headers but upon inspecting these files there are no declarations for sendmmsg and others: https://www.ibm.com/docs/en/aix/7.2.0?topic=s-sendmmsg-subroutine For now we can claim to not have these functions. Alternatively we can declare these ourselves if we are AIX 7.2 or newer. The actual functions look to be available in libc. GCC also has the same implicit function declaration but it happily moves forward. Clang started making this an explict error in clang 16: https://www.redhat.com/en/blog/new-warnings-and-errors-clang-16 PR-URL: nodejs/node#62656 Refs: https://www.ibm.com/docs/en/aix/7.2.0?topic=s-sendmmsg-subroutine Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: nodejs/node#63820 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
PR-URL: nodejs/node#63820 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
PR-URL: nodejs/node#62891 Backport-PR-URL: nodejs/node#63164 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match. Signed-off-by: Tim Perry <pimterry@gmail.com> PR-URL: nodejs/node#62891 Backport-PR-URL: nodejs/node#63164 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Refs: https://hackerone.com/reports/3658225 CVE-ID: CVE-2026-48937
PR-URL: nodejs-private/node-private#890 Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Refs: https://hackerone.com/reports/3720313 Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#867 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> CVE-ID: CVE-2026-48615
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#870 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48617 Refs: https://hackerone.com/reports/3625987
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#869 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48618 Refs: https://hackerone.com/reports/3688064
A malicious HTTP/2 server can send repeated ORIGIN frames with unique origins, causing unbounded growth of the client-side originSet for the lifetime of the session. Cap the set at 128 entries; once full, new origins from ORIGIN frames are silently dropped. Refs: https://hackerone.com/reports/3676863 PR-URL: nodejs-private/node-private#855 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48619
The regex constructed by server.addContext() lacked the case-insensitive flag, causing uppercase or mixed-case SNI hostnames from ClientHello to miss their intended context and fall back to the default context. This violates RFC 6066 Section 3, which states that DNS hostnames are case-insensitive. In mTLS configurations with per-tenant contexts, this allowed bypassing client certificate authorization by simply uppercasing the SNI hostname. Add the 'i' flag to the RegExp in addContext() so that SNI matching is case-insensitive. PR-URL: nodejs-private/node-private#857 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48928 Refs: https://hackerone.com/reports/3656869
Ref: https://hackerone.com/reports/3656716 PR-URL: nodejs-private/node-private#868 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48930 Refs: https://hackerone.com/reports/3656716
PR-URL: nodejs-private/node-private#873 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48935 Refs: https://hackerone.com/reports/3625987
Attach a data guard listener on idle keepAlive sockets in the freeSockets pool. If unsolicited data arrives while the socket is idle, destroy it immediately to prevent response queue poisoning. Refs: https://hackerone.com/reports/3582376 PR-URL: nodejs-private/node-private#846 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48931 Refs: https://hackerone.com/reports/3582376
Reject WebCrypto cipher operations whose computed output length would exceed INT_MAX before passing the length to OpenSSL. This avoids signed overflow in the AES and ChaCha20-Poly1305 one-shot cipher paths and turns oversized inputs into a clean operation failure. Refs: https://hackerone.com/reports/3760016 Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: nodejs-private/node-private#878 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48933
Backport-PR-URL: nodejs-private/node-private#895 PR-URL: nodejs-private/node-private#854 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48934 Refs: https://hackerone.com/reports/3649802
Backport-PR-URL: nodejs-private/node-private#895 PR-URL: nodejs-private/node-private#854 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Refs: https://hackerone.com/reports/3649802
This is a security release. Notable changes: * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium * (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium * (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium * (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium * (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low * (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low * (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low PR-URL: nodejs-private/node-private#899
2026-06-18 Node.js v24.17.0 Krypton (LTS) Release Git-EVTag-v0-SHA512: f54522ee78d0b33417f71c125f489e2fb2ac6f0d8ece81c7048a2b29fdb92de79d35321dc0fb7343299e5ac3cb6e95946ad21e53479fb8e24737613f759a3837
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
WalkthroughThis PR refreshes vendored llhttp, nghttp2, and OpenSSL code and generated metadata, updates OpenSSL test build wiring for ChangesVendored dependency refresh
Estimated code review effort🎯 5 (Critical) | ⏱️ ~95 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@deps/nghttp2/lib/nghttp2_frame.c`:
- Around line 754-761: In the zero-payload fast path where payloadlen equals 0,
the code unconditionally initializes altsvc->origin_len to zero without
validating that the origin_len field actually contains zero in the frame header.
Add a validation check within the zero-payload early return block to ensure
origin_len equals zero before proceeding. Additionally, locate the validation
logic that compares origin_len (likely at or near line 6347 in the payloadlen
non-zero path) and correct the comparison to account for the 2-byte origin_len
header by changing `origin_len > iframe->payloadleft` to `origin_len >
(iframe->payloadleft - 2)` to prevent pointer arithmetic overflow.
In `@deps/openssl/config/archs/linux-ppc64le/asm/crypto/chacha/chachap10-ppc.s`:
- Line 411: The stack frame size calculation in chachap10-ppc.pl (line 504)
produces 424 bytes, which violates PPC64 ELFv2 ABI requirements that mandate
16-byte alignment of the stack pointer. Since 424 mod 16 equals 8, the frame is
misaligned. Modify the frame size calculation (currently 9*16 + 13*8 + 4*16 + 48
+ 64) to produce either 416 or 432 bytes instead, ensuring the result is
divisible by 16. This adjustment will automatically correct the stdu instruction
at line 411 and the corresponding addi instructions at lines 453, 1181, and 1198
in the generated assembly file.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 98bcf428-cfc6-4b1f-a140-1e1c0cedfeaa
📒 Files selected for processing (300)
CHANGELOG.mddeps/llhttp/CMakeLists.txtdeps/llhttp/include/llhttp.hdeps/llhttp/src/llhttp.cdeps/nghttp2/lib/CMakeLists.txtdeps/nghttp2/lib/includes/nghttp2/nghttp2.hdeps/nghttp2/lib/includes/nghttp2/nghttp2ver.hdeps/nghttp2/lib/nghttp2_alpn.cdeps/nghttp2/lib/nghttp2_frame.cdeps/nghttp2/lib/nghttp2_frame.hdeps/nghttp2/lib/nghttp2_hd.cdeps/nghttp2/lib/nghttp2_hd_huffman.cdeps/nghttp2/lib/nghttp2_hd_huffman.hdeps/nghttp2/lib/nghttp2_hd_huffman_data.cdeps/nghttp2/lib/nghttp2_helper.hdeps/nghttp2/lib/nghttp2_http.cdeps/nghttp2/lib/nghttp2_int.hdeps/nghttp2/lib/nghttp2_map.cdeps/nghttp2/lib/nghttp2_map.hdeps/nghttp2/lib/nghttp2_outbound_item.cdeps/nghttp2/lib/nghttp2_outbound_item.hdeps/nghttp2/lib/nghttp2_session.cdeps/nghttp2/lib/nghttp2_session.hdeps/nghttp2/lib/nghttp2_submit.cdeps/openssl/config/archs/BSD-x86/asm/configdata.pmdeps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86/asm/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pmdeps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/BSD-x86/no-asm/configdata.pmdeps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/BSD-x86_64/asm/configdata.pmdeps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86_64/asm/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86_64/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pmdeps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pmdeps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN32/asm/configdata.pmdeps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN32/asm/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN32/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pmdeps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN32/no-asm/configdata.pmdeps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pmdeps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN64A/asm/configdata.pmdeps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN64A/asm/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN64A/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pmdeps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pmdeps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.hdeps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/aix64-gcc-as/asm/configdata.pmdeps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.hdeps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.hdeps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/ssl.hdeps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pmdeps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pmdeps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.hdeps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin-i386-cc/asm/configdata.pmdeps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.hdeps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pmdeps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pmdeps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.hdeps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pmdeps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.hdeps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pmdeps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pmdeps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.hdeps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pmdeps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pmdeps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pmdeps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.hdeps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-aarch64/asm/configdata.pmdeps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.hdeps/openssl/config/archs/linux-aarch64/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-aarch64/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-aarch64/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pmdeps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-aarch64/no-asm/configdata.pmdeps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-armv4/asm/configdata.pmdeps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.hdeps/openssl/config/archs/linux-armv4/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-armv4/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-armv4/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pmdeps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-armv4/no-asm/configdata.pmdeps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux-armv4/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-armv4/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-armv4/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-elf/asm/configdata.pmdeps/openssl/config/archs/linux-elf/asm/crypto/buildinf.hdeps/openssl/config/archs/linux-elf/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-elf/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-elf/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-elf/asm_avx2/configdata.pmdeps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-elf/no-asm/configdata.pmdeps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux-elf/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-elf/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-elf/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-ppc64le/asm/configdata.pmdeps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.hdeps/openssl/config/archs/linux-ppc64le/asm/crypto/chacha/chachap10-ppc.sdeps/openssl/config/archs/linux-ppc64le/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-ppc64le/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-ppc64le/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pmdeps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/chacha/chachap10-ppc.sdeps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pmdeps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-x86_64/asm/configdata.pmdeps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.hdeps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-x86_64/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-x86_64/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pmdeps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux-x86_64/no-asm/configdata.pmdeps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux32-s390x/asm/configdata.pmdeps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.hdeps/openssl/config/archs/linux32-s390x/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux32-s390x/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux32-s390x/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pmdeps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux32-s390x/no-asm/configdata.pmdeps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-loongarch64/no-asm/configdata.pmdeps/openssl/config/archs/linux64-loongarch64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-mips64/asm/configdata.pmdeps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-mips64/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-mips64/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-mips64/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pmdeps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-mips64/no-asm/configdata.pmdeps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pmdeps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-s390x/asm/configdata.pmdeps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-s390x/asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-s390x/asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-s390x/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pmdeps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/linux64-s390x/no-asm/configdata.pmdeps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.hdeps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pmdeps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.hdeps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/opensslv.hdeps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/ssl.hdeps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/x509_acert.hdeps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pmdeps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.hdeps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/opensslv.hdeps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/ssl.hdeps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/x509_acert.hdeps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pmdeps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.hdeps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/opensslv.hdeps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/ssl.hdeps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/x509_acert.hdeps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pmdeps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.hdeps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/opensslv.hdeps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/ssl.h
💤 Files with no reviewable changes (1)
- deps/nghttp2/lib/nghttp2_frame.h
Comment on lines
+754
to
+761
| if (payloadlen == 0) { | ||
| altsvc->origin = NULL; | ||
| altsvc->origin_len = 0; | ||
| altsvc->field_value = NULL; | ||
| altsvc->field_value_len = 0; | ||
|
|
||
| return; | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect ALTSVC unpack implementations and nearby checks.
rg -n -C4 '\bnghttp2_frame_unpack_altsvc_payload2?\b' deps/nghttp2/lib/nghttp2_frame.c
# Look for explicit origin-length vs payload-length validation.
rg -n -C3 'origin_len.*payloadlen|payloadlen.*origin_len|FRAME_SIZE_ERROR' \
deps/nghttp2/lib/nghttp2_frame.c \
deps/nghttp2/lib/nghttp2_session.c \
deps/nghttp2/lib/nghttp2_http.c
# Trace ALTSVC consumption/validation points.
rg -n -C4 'ALTSVC|altsvc' \
deps/nghttp2/lib/nghttp2_frame.c \
deps/nghttp2/lib/nghttp2_session.c \
deps/nghttp2/lib/nghttp2_http.cRepository: nodesource/nsolid
Length of output: 31777
🏁 Script executed:
# Search for all callers of both unpack functions
rg -n 'nghttp2_frame_unpack_altsvc_payload' deps/nghttp2/lib/ --type c
# Check if the payload2 variant is exported in headers
rg -n 'nghttp2_frame_unpack_altsvc_payload2' deps/nghttp2/
# Look for the function declaration in headers
fd -e h | xargs rg -l 'nghttp2_frame_unpack_altsvc'Repository: nodesource/nsolid
Length of output: 1111
🏁 Script executed:
# Check the header declarations and documentation
sed -n '350,375p' deps/nghttp2/lib/nghttp2_frame.h
# Look at the call in session.c context around line 4935
sed -n '4930,4945p' deps/nghttp2/lib/nghttp2_session.c
# Check validation logic around line 6340-6351 more carefully
sed -n '6340,6360p' deps/nghttp2/lib/nghttp2_session.cRepository: nodesource/nsolid
Length of output: 2162
🏁 Script executed:
# Check the full context of line 6340-6370 to see the complete state handling
sed -n '6340,6370p' deps/nghttp2/lib/nghttp2_session.c
# Verify the flow: after validation passes, what payloadleft value is used?
sed -n '6340,6365p' deps/nghttp2/lib/nghttp2_session.c | cat -n
# Check what happens when payloadleft becomes the actual payload buffer length
sed -n '7015,7040p' deps/nghttp2/lib/nghttp2_session.cRepository: nodesource/nsolid
Length of output: 2468
🏁 Script executed:
# Need to understand the state machine better - check what payloadleft represents at line 6347
# Search for where payloadleft is set/updated for ALTSVC frames
rg -n 'payloadleft.*=' deps/nghttp2/lib/nghttp2_session.c | grep -A5 -B5 6340
# Check the exact state at line 6343 - has the 2-byte header been consumed from payloadleft yet?
sed -n '6330,6352p' deps/nghttp2/lib/nghttp2_session.c
# Also verify nghttp2_frame_unpack_altsvc_payload2 more carefully (test-only function)
sed -n '775,798p' deps/nghttp2/lib/nghttp2_frame.cRepository: nodesource/nsolid
Length of output: 1186
🏁 Script executed:
# Let me trace the exact issue: at line 6347, what is payloadleft?
# Is it the total frame payload length, or remaining after header?
# Search for where sbuf is consumed in the ALTSVC frame handling
sed -n '6330,6370p' deps/nghttp2/lib/nghttp2_session.c | head -45
# Check what happens before the validation - is sbuf consumed first?
rg -n 'NGHTTP2_IB_READ_' deps/nghttp2/lib/nghttp2_session.c | grep -i altsvc
# Look at the state transitions - when does payloadleft get decremented for the 2-byte header?
sed -n '5955,5970p' deps/nghttp2/lib/nghttp2_session.cRepository: nodesource/nsolid
Length of output: 1608
🏁 Script executed:
# Let me verify the exact issue: check if the 2-byte header is included in payloadleft at line 6347
# by looking at how origin_len is validated versus how the payload is actually split
# Key question: when the check at line 6347 happens, does payloadleft include the 2-byte header?
# Look at what happens right after the validation
sed -n '6340,6370p' deps/nghttp2/lib/nghttp2_session.c
# Now check: when session_process_altsvc_frame is called, what is the actual data passed?
sed -n '4931,4945p' deps/nghttp2/lib/nghttp2_session.c
# The critical piece: iframe->lbuf at this point contains what exactly?
# Let's check how lbuf and sbuf are split for ALTSVC
rg -n -B5 -A5 'NGHTTP2_IB_READ_ALTSVC_PAYLOAD' deps/nghttp2/lib/nghttp2_session.c | head -40Repository: nodesource/nsolid
Length of output: 2148
🏁 Script executed:
# Verify the critical detail: at line 6347, is payloadleft the TOTAL frame length or remaining?
# Check by looking at the frame header parsing to understand payloadleft initialization
rg -n 'payloadleft.*hd\.length' deps/nghttp2/lib/nghttp2_session.c | head -20
# Also check: when the check at 6347 happens, has the 2-byte sbuf been consumed from payloadleft?
sed -n '6300,6350p' deps/nghttp2/lib/nghttp2_session.c | grep -A20 'case NGHTTP2_ALTSVC'Repository: nodesource/nsolid
Length of output: 480
🏁 Script executed:
# Critical insight: at line 6347, payloadleft == frame.hd.length
# So checking origin_len > payloadleft is checking against TOTAL frame length
# But origin_len should be checked against (frame.hd.length - 2) since 2 bytes are the header
# Confirm: the actual payload passed to unpack has size = frame.hd.length - 2
# Let's trace through the exact bytes passed
# In session_process_altsvc_frame (line 4935-4937):
# - passes iframe->lbuf.pos (allocated at line 6357 with size frame.hd.length - 2)
# - passes nghttp2_buf_len(&iframe->lbuf) (which would be frame.hd.length - 2)
# So the question is: does the validation at line 6347 properly check?
# If origin_len > frame.hd.length, it fails ✓
# But if origin_len > (frame.hd.length - 2), should it fail?
# Currently: checks origin_len > payloadleft (= frame.hd.length) ✗
# Concrete example: frame.hd.length = 5, origin_len = 4
# Payload after header = 3 bytes
# Check: 4 > 5? NO, so passes ✗
# But origin_len=4 > 3 bytes available, so pointer math at line 767 would overflow!
# Verify: does line 6347 need to be: origin_len > (iframe->payloadleft - 2)?
sed -n '6343,6352p' deps/nghttp2/lib/nghttp2_session.cRepository: nodesource/nsolid
Length of output: 327
The validation at line 6347 compares origin_len against the total frame length rather than available payload bytes.
When a frame contains only the 2-byte origin_len header plus N bytes of payload, the check origin_len > iframe->payloadleft (where payloadleft == frame.hd.length) allows origin_len values up to the total frame size. However, only frame.hd.length - 2 bytes are available for the origin field, causing the pointer arithmetic at line 767 to overflow when origin_len > (frame.hd.length - 2).
Additionally, the zero-payload fast path (lines 754–760) bypasses validation of the origin_len field entirely and unconditionally initializes it to zero without checking whether a non-zero origin_len was encoded in the frame header.
The validation at line 6347 should check origin_len > (iframe->payloadleft - 2), and the zero-payload path should validate that origin_len == 0 before returning.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@deps/nghttp2/lib/nghttp2_frame.c` around lines 754 - 761, In the zero-payload
fast path where payloadlen equals 0, the code unconditionally initializes
altsvc->origin_len to zero without validating that the origin_len field actually
contains zero in the frame header. Add a validation check within the
zero-payload early return block to ensure origin_len equals zero before
proceeding. Additionally, locate the validation logic that compares origin_len
(likely at or near line 6347 in the payloadlen non-zero path) and correct the
comparison to account for the 2-byte origin_len header by changing `origin_len >
iframe->payloadleft` to `origin_len > (iframe->payloadleft - 2)` to prevent
pointer arithmetic overflow.
| .localentry ChaCha20_ctr32_vsx_8x,0 | ||
|
|
||
| stdu 1,-256(1) | ||
| stdu 1,-424(1) |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python - <<'PY'
import re
from pathlib import Path
paths = sorted(Path("deps/openssl/config/archs/linux-ppc64le").rglob("chachap10-ppc.s"))
fn_start = re.compile(r'^\s*ChaCha20_ctr32_vsx_8x:\s*$')
fn_end = re.compile(r'^\s*\.size\s+ChaCha20_ctr32_vsx_8x')
stdu_re = re.compile(r'^\s*stdu\s+1,-(\d+)\(1\)')
addi_re = re.compile(r'^\s*addi\s+1,1,(\d+)')
for p in paths:
in_fn = False
stdu = None
addi = None
for line in p.read_text().splitlines():
if fn_start.search(line):
in_fn = True
continue
if in_fn and fn_end.search(line):
in_fn = False
break
if in_fn:
m = stdu_re.search(line)
if m:
stdu = int(m.group(1))
m = addi_re.search(line)
if m:
addi = int(m.group(1))
print(f"== {p} ==")
print(f" prologue_frame={stdu}, epilogue_frame={addi}")
if stdu is not None:
print(f" prologue_mod16={stdu % 16}")
if addi is not None:
print(f" epilogue_mod16={addi % 16}")
print(" paired_ok=", stdu == addi)
PYRepository: nodesource/nsolid
Length of output: 420
🌐 Web query:
PPC64 ABI stack alignment requirements ELFv2
💡 Result:
Under the PPC64 ELFv2 ABI (OpenPOWER ABI), the stack pointer (register r1) must be maintained at a quadword alignment [1][2][3]. This means the address in r1 must always be a multiple of 16 bytes [1][2]. The stack grows downward, toward lower memory addresses [1][2]. The stack pointer is required to point to the lowest allocated valid stack frame, which is the "back chain" word [1][2]. When a function is called, it is permitted to decrement the stack pointer to allocate its own frame, provided it maintains the required quadword alignment [2]. Compliance with this alignment is essential for consistent operation across the ABI, as certain instructions (particularly those involving quadword memory operations) rely on strict alignment, and the ABI mandates this constraint to ensure interoperability and stability [1][2][3].
Citations:
- 1: https://refspecs.linuxbase.org/ELF/ppc64/PPC-elf64abi-1.7.html
- 2: https://wiki.raptorcs.com/w/images/7/70/Leabi-20170510.pdf
- 3: https://kib.kiev.ua/x86docs/POWER/ABI/leabi-20201201.pdf
🏁 Script executed:
#!/bin/bash
# Check if OpenSSL 3.5.7 source is available or search for reference
cd deps/openssl 2>/dev/null && git log --oneline --all | head -20 || echo "OpenSSL version info:"
cat VERSION.txt 2>/dev/null || cat version 2>/dev/null || echo "No version file found"Repository: nodesource/nsolid
Length of output: 1127
🌐 Web query:
OpenSSL 3.5.7 chachap10-ppc.s source code
💡 Result:
In OpenSSL 3.5.7, the file chachap10-ppc.s is a generated assembly source file located in the crypto/chacha/asm/ directory [1][2][3]. It is produced from the Perl script chachap10-ppc.pl, which is also located in the same directory [1][2]. This assembly file provides optimized ChaCha20 implementations for PowerPC/AltiVec architectures, specifically utilizing VSX (Vector Scalar Extension) instructions to perform parallel block processing (e.g., an 8-block parallel implementation for POWER8 and later processors) [1]. Because it is a generated file, it is not typically edited directly in the repository; rather, developers modify the underlying chachap10-ppc.pl script to update or optimize the assembly code [1][2][3]. You can access the official source code for OpenSSL 3.5.7, including this file and its associated build artifacts, through the official OpenSSL GitHub repository or the source distribution packages available on the OpenSSL library website [4][5][6].
Citations:
- 1: openssl/openssl@41e2d87
- 2: openssl/openssl@38f3427
- 3: ssam18/openssl@f3e82c3
- 4: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
- 5: https://openssl-library.org/source/
- 6: https://fossies.org/linux/misc/openssl-3.5.7.tar.gz/
🏁 Script executed:
#!/bin/bash
# Fetch OpenSSL 3.5.7 chachap10-ppc.s from official GitHub and check frame size
temp_dir=$(mktemp -d)
cd "$temp_dir"
# Download OpenSSL 3.5.7 tarball
wget -q https://github.com/openssl/openssl/archive/refs/tags/openssl-3.5.7.tar.gz -O openssl.tar.gz
tar xzf openssl.tar.gz
# Find and inspect chachap10-ppc.s
find . -name "chachap10-ppc.s" -type f | head -5 | while read -r file; do
echo "=== $file ==="
if grep -q "ChaCha20_ctr32_vsx_8x" "$file" 2>/dev/null; then
# Extract prologue and epilogue frame info
grep -n "stdu.*1,-" "$file" | head -5
grep -n "addi.*1,1," "$file" | head -5
fi
done
cd /
rm -rf "$temp_dir"Repository: nodesource/nsolid
Length of output: 295
🏁 Script executed:
#!/bin/bash
# Fetch OpenSSL 3.5.7 chachap10-ppc.s from GitHub using curl
temp_dir=$(mktemp -d)
cd "$temp_dir"
# Try to fetch the file directly from GitHub raw content
curl -s -L "https://raw.githubusercontent.com/openssl/openssl/openssl-3.5.7/crypto/chacha/asm/chachap10-ppc.s" -o chachap10-ppc.s
if [ -f chachap10-ppc.s ]; then
echo "=== OpenSSL 3.5.7 chachap10-ppc.s ==="
# Find prologue frame size
grep -n "ChaCha20_ctr32_vsx_8x:" chachap10-ppc.s | head -1
grep -n "stdu.*1,-" chachap10-ppc.s | head -5
echo "---"
# Find epilogue frame size
grep -n "addi.*1,1," chachap10-ppc.s | head -5
else
echo "Failed to fetch OpenSSL 3.5.7 source"
fi
cd /
rm -rf "$temp_dir"Repository: nodesource/nsolid
Length of output: 103
🏁 Script executed:
#!/bin/bash
# Try alternative approach: check the Perl script that generates chachap10-ppc.s
# First, find it in the repo
find deps/openssl -name "chachap10-ppc.pl" -type f 2>/dev/null
# Also check if there's any documentation or comments about the frame size in the current file
echo "=== Checking current file for frame size comments ==="
grep -B5 -A5 "stdu.*1,-424" deps/openssl/config/archs/linux-ppc64le/asm/crypto/chacha/chachap10-ppc.s | head -20
# Check the surrounding context for any ABI-related comments
grep -i "abi\|align\|frame\|stack" deps/openssl/config/archs/linux-ppc64le/asm/crypto/chacha/chachap10-ppc.s | head -10Repository: nodesource/nsolid
Length of output: 429
🏁 Script executed:
#!/bin/bash
# Examine the Perl script that generates the assembly
perl_file="deps/openssl/openssl/crypto/chacha/asm/chachap10-ppc.pl"
if [ -f "$perl_file" ]; then
echo "=== Analyzing chachap10-ppc.pl ==="
# Look for frame size calculations
grep -n "424\|frame\|stack\|align" "$perl_file" | head -30
echo ""
echo "=== First 100 lines of script ==="
head -100 "$perl_file"
else
echo "Perl script not found at $perl_file"
fiRepository: nodesource/nsolid
Length of output: 3661
🏁 Script executed:
#!/bin/bash
# Look for the full frame size calculation in the Perl script
perl_file="deps/openssl/openssl/crypto/chacha/asm/chachap10-ppc.pl"
echo "=== Frame size calculation in Perl script ==="
grep -n "FRAME\|LOCALS\|SIZE_T" "$perl_file" | head -20
echo ""
echo "=== Looking for prologue generation ==="
grep -n "stdu\|frame\|prologue" "$perl_file" -i | head -30
echo ""
echo "=== Checking lines 80-150 for frame setup ==="
sed -n '80,150p' "$perl_file"Repository: nodesource/nsolid
Length of output: 3849
🏁 Script executed:
#!/bin/bash
# Calculate the frame size step by step from the Perl script
perl_file="deps/openssl/openssl/crypto/chacha/asm/chachap10-ppc.pl"
echo "=== Frame size calculation verification ==="
python3 - <<'PY'
# For 64-bit PPC:
SIZE_T = 8
LOCALS = 6 * SIZE_T
# Global frame (line 79) - for initial/simple path
frame1 = LOCALS + 64 + 18*SIZE_T
print(f"Line 79 frame: {LOCALS} + 64 + {18*SIZE_T} = {frame1} (mod 16: {frame1 % 16})")
# VSX 4x path (line 102)
frame2 = LOCALS + 64 + 7*16
print(f"Line 102 frame: {LOCALS} + 64 + {7*16} = {frame2} (mod 16: {frame2 % 16})")
# VSX 8x path (line 504) - THIS IS THE ONE USED IN THE CURRENT FILE
frame3 = LOCALS + 64 + 9*16 + 13*8 + 4*16
print(f"Line 504 frame: {LOCALS} + 64 + {9*16} + {13*8} + {4*16} = {frame3} (mod 16: {frame3 % 16})")
# According to PPC64 ELFv2 ABI, r1 must always be 16-byte aligned
print(f"\nPPC64 ABI requirement: frame size must be multiple of 16")
print(f"Frame 424 violates this: 424 % 16 = {424 % 16}")
print(f"Suggested alignment: 416 (424-8) or 432 (424+8)")
PYRepository: nodesource/nsolid
Length of output: 403
🏁 Script executed:
#!/bin/bash
# Verify which function uses which frame size from the Perl script
perl_file="deps/openssl/openssl/crypto/chacha/asm/chachap10-ppc.pl"
echo "=== Context around line 504 (frame size 424) ==="
sed -n '495,520p' "$perl_file"
echo ""
echo "=== Checking which functions use which frames ==="
grep -n "my \$FRAME\|^{{{" "$perl_file" | head -20Repository: nodesource/nsolid
Length of output: 1490
🏁 Script executed:
#!/bin/bash
# Find which function each block implements
perl_file="deps/openssl/openssl/crypto/chacha/asm/chachap10-ppc.pl"
echo "=== Block 1 (starting at line 91) ==="
sed -n '91,110p' "$perl_file"
echo ""
echo "=== Block 2 (starting at line 484) ==="
sed -n '484,530p' "$perl_file"
echo ""
echo "=== Looking for function labels ==="
grep -n "^\s*\$code\s*\.=\s*<<" "$perl_file" | head -10
grep -n "ChaCha20\|&label\|\"$" "$perl_file" | head -30Repository: nodesource/nsolid
Length of output: 3587
Stack frame size violates PPC64 ABI alignment requirements.
The 424-byte frame size at lines 411/1198 (stdu 1,-424(1) / addi 1,1,424) does not comply with PPC64 ELFv2 ABI stack alignment requirements. The ABI mandates that the stack pointer (r1) must be maintained at 16-byte (quadword) alignment at all times. Since 424 ≡ 8 (mod 16), decrementing r1 by 424 from a 16-byte-aligned address produces a misaligned result, violating the ABI.
The frame calculation in chachap10-ppc.pl (line 504) is: 9*16 + 13*8 + 4*16 + 48 + 64 = 424. The correct frame size should be 416 or 432 bytes to maintain 16-byte alignment.
Also applies to: 453-453, 1181-1181, 1198-1198
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@deps/openssl/config/archs/linux-ppc64le/asm/crypto/chacha/chachap10-ppc.s` at
line 411, The stack frame size calculation in chachap10-ppc.pl (line 504)
produces 424 bytes, which violates PPC64 ELFv2 ABI requirements that mandate
16-byte alignment of the stack pointer. Since 424 mod 16 equals 8, the frame is
misaligned. Modify the frame size calculation (currently 9*16 + 13*8 + 4*16 + 48
+ 64) to produce either 416 or 432 bytes instead, ensuring the result is
divisible by 16. This adjustment will automatically correct the stdu instruction
at line 411 and the corresponding addi instructions at lines 453, 1181, and 1198
in the generated assembly file.
RafaelGSS
previously approved these changes
Jun 18, 2026
Signed-off-by: Santiago Gimeno <santiago.gimeno@gmail.com>
santigimeno
force-pushed
the
node-v24.17.0-nsolid-v6.3.1-release
branch
from
4599983 to
59f5719
Compare
EHortua
approved these changes
Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit