Skip to content

Commit

Permalink
[CVE-2019-1103] Chakra JIT Type Confusion
Browse files Browse the repository at this point in the history
  • Loading branch information
MikeHolman authored and atulkatti committed Jul 1, 2019
1 parent ba1f445 commit efab310
Show file tree
Hide file tree
Showing 4 changed files with 18 additions and 6 deletions.
12 changes: 8 additions & 4 deletions lib/Backend/BackwardPass.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -4151,13 +4151,17 @@ BackwardPass::UpdateImplicitCallBailOutKind(IR::Instr *const instr, bool needsBa

IR::BailOutKind implicitCallBailOutKind = needsBailOutOnImplicitCall ? IR::BailOutOnImplicitCalls : IR::BailOutInvalid;

const IR::BailOutKind instrBailOutKind = instr->GetBailOutKind();
IR::BailOutKind instrBailOutKind = instr->GetBailOutKind();
if (instrBailOutKind & IR::BailOutMarkTempObject)
{
// Don't remove the implicit call pre op bailout for mark temp object
// Remove the mark temp object bit, as we don't need it after the dead store pass
instr->SetBailOutKind(instrBailOutKind & ~IR::BailOutMarkTempObject);
return true;
instrBailOutKind &= ~IR::BailOutMarkTempObject;
instr->SetBailOutKind(instrBailOutKind);

if (!instr->GetBailOutInfo()->canDeadStore)
{
return true;
}
}

const IR::BailOutKind instrImplicitCallBailOutKind = instrBailOutKind & ~IR::BailOutKindBits;
Expand Down
3 changes: 2 additions & 1 deletion lib/Backend/BailOut.h
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ class BailOutInfo
BailOutInfo(uint32 bailOutOffset, Func* bailOutFunc) :
bailOutOffset(bailOutOffset), bailOutFunc(bailOutFunc),
byteCodeUpwardExposedUsed(nullptr), polymorphicCacheIndex((uint)-1), startCallCount(0), startCallInfo(nullptr), bailOutInstr(nullptr),
totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false),
totalOutParamCount(0), argOutSyms(nullptr), bailOutRecord(nullptr), wasCloned(false), isInvertedBranch(false), sharedBailOutKind(true), isLoopTopBailOutInfo(false), canDeadStore(true),
outParamInlinedArgSlot(nullptr), liveVarSyms(nullptr), liveLosslessInt32Syms(nullptr), liveFloat64Syms(nullptr),
branchConditionOpnd(nullptr),
stackLiteralBailOutInfoCount(0), stackLiteralBailOutInfo(nullptr)
Expand Down Expand Up @@ -69,6 +69,7 @@ class BailOutInfo
#endif
bool wasCloned;
bool isInvertedBranch;
bool canDeadStore;
bool sharedBailOutKind;
bool isLoopTopBailOutInfo;

Expand Down
6 changes: 6 additions & 0 deletions lib/Backend/GlobOpt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -16531,6 +16531,7 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
if (instr->HasBailOutInfo())
{
instr->SetBailOutKind(instr->GetBailOutKind() | IR::BailOutMarkTempObject);
instr->GetBailOutInfo()->canDeadStore = false;
}
else
{
Expand All @@ -16540,6 +16541,11 @@ GlobOpt::GenerateBailOutMarkTempObjectIfNeeded(IR::Instr * instr, IR::Opnd * opn
|| (instr->m_opcode == Js::OpCode::FromVar && !opnd->GetValueType().IsPrimitive())
|| propertySymOpnd == nullptr
|| !propertySymOpnd->IsTypeCheckProtected())
{
this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
instr->GetBailOutInfo()->canDeadStore = false;
}
else if (propertySymOpnd->MayHaveImplicitCall())
{
this->GenerateBailAtOperation(&instr, IR::BailOutMarkTempObject);
}
Expand Down
3 changes: 2 additions & 1 deletion lib/Backend/Opnd.h
Original file line number Diff line number Diff line change
Expand Up @@ -1138,7 +1138,8 @@ class PropertySymOpnd sealed : public SymOpnd
// fall back on live cache. Similarly, for fixed method checks.
bool MayHaveImplicitCall() const
{
return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected());
return !IsRootObjectNonConfigurableFieldLoad() && !UsesFixedValue() && (!IsTypeCheckSeqCandidate() || !IsTypeCheckProtected()
|| (IsLoadedFromProto() && NeedsWriteGuardTypeCheck()));
}

// Is the instruction involving this operand part of a type check sequence? This is different from IsObjTypeSpecOptimized
Expand Down

0 comments on commit efab310

Please sign in to comment.