Skip to content

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
legendecas wants to merge 2 commits into
base: main
Choose a base branch
from
Open

buffer: disallow ArrayBuffer transfer on pooled buffer #61372

legendecas wants to merge 2 commits into from
+106 −2

Conversation

@legendecas
Copy link
Member

@legendecas legendecas commented Jan 13, 2026
edited
Loading

deps: V8: cherry-pick c5ff7c4d6cde

Original commit message:

[builtins] disallow ArrayBuffer transfer with a detach key

This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
an arraybuffer that is not detachable. This also fix the check on
`ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

Refs: https://github.com/nodejs/node/issues/61362
Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
Commit-Queue: Chengzhong Wu <[email protected]>
Reviewed-by: Olivier Flückiger <[email protected]>
Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4

buffer: disallow ArrayBuffer transfer on pooled buffer

This is an alternative solution that disallows transfer operation on buffer pool.

Depends on https://chromium-review.googlesource.com/c/v8/v8/+/7454288.

Fixes: #61362

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 13, 2026

Review requested:

  • @nodejs/security-wg
  • @nodejs/v8-update

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jan 13, 2026
@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@Renegade334
Copy link
Member

Renegade334 commented Jan 13, 2026
edited
Loading

This requires V8 changes to properly work.

I don't believe so – calling SetDetachKey() on the array buffer object should effectively mark the object as untransferable, without setting the flag on the object handle directly?

@ChALkeR ChALkeR mentioned this pull request Jan 13, 2026
Open
@legendecas
Copy link
Member Author

legendecas commented Jan 13, 2026

https://chromium-review.googlesource.com/c/v8/v8/+/7454288 would be required to have SetDetachKey() properly disables arrayBuffer.transfer().

@Renegade334 Renegade334 mentioned this pull request Jan 14, 2026
Open
@legendecas
deps: V8: cherry-pick c5ff7c4d6cde
2209d95 
Original commit message:

    [builtins] disallow ArrayBuffer transfer with a detach key

    This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
    an arraybuffer that is not detachable. This also fix the check on
    `ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

    Refs: nodejs#61362
    Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
    Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
    Commit-Queue: Chengzhong Wu <[email protected]>
    Reviewed-by: Olivier Flückiger <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4
@legendecas
buffer: disallow ArrayBuffer transfer on pooled buffer
749c2fc
@legendecas legendecas marked this pull request as ready for review January 15, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Can not construct Buffer after different Buffer was previously transfererd

3 participants

@legendecas @nodejs-github-bot @Renegade334