[CVE-2019-1139] Chakra JIT Type Confusion

array.slice converts the native array to var array which was not captured during the optimization. Due to that the native array type is forced to var array which leads to the type confusion. Fixed this by killing the object type for the slice (as well as concat)
chakra-core · Aug 13, 2019 · ae8a8d9 · ae8a8d9
1 parent dce7443
commit ae8a8d9
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -13470,6 +13470,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr)
  case IR::HelperArray_Splice:
  case IR::HelperArray_Unshift:
  case IR::HelperArray_Concat:
+ case IR::HelperArray_Slice:
  kills.SetKillsArrayHeadSegments();
  kills.SetKillsArrayHeadSegmentLengths();
  break;

diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
@@ -518,6 +518,18 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
  }
  break;
 
+ case IR::JnHelperMethod::HelperArray_Slice:
+ case IR::JnHelperMethod::HelperArray_Concat:
+ if (inGlobOpt && this->objectTypeSyms)
+ {
+ if (this->currentBlock->globOptData.maybeWrittenTypeSyms == nullptr)
+ {
+ this->currentBlock->globOptData.maybeWrittenTypeSyms = JitAnew(this->alloc, BVSparse<JitArenaAllocator>, this->alloc);
+ }
+ this->currentBlock->globOptData.maybeWrittenTypeSyms->Or(this->objectTypeSyms);
+ }
+ break;
+
  case IR::JnHelperMethod::HelperRegExp_Exec:
  case IR::JnHelperMethod::HelperRegExp_ExecResultNotUsed:
  case IR::JnHelperMethod::HelperRegExp_ExecResultUsed: