17-10 Security Update that addresses the following issues in ChakraCore #3917
Merged: chakrabot merged 17 commits into chakra-core:release/1.7 from agarwal-sandeep:1710Fixes on Oct 10, 2017
Conversation
…e callback function with updating ImplicitCallFlags. JIT inline string.prototype.replace for case a.replace(b,c) if 'a' and 'c' are strings and 'b' is a regex and calls helper for other cases. If c is a function RegexHelper::StringReplace will call c, this should be marked as implicit call so that JIT can bailout on implicit call check.
…g patterns. Due to a bug in super property access we were reaching the code path where we had src2 on the instruction but didn't free it before generating bailout. After the fix for issue chakra-core#3423/chakra-core#3064 went in 2b9da66 the bug no longer repros, but for previous branches I am putting a conservative fix to always free src2 if we have it and don't have src1. For RS4 we have a WI to add asserts to better track the no. of sources on an instruction and add checks.
… StackScriptFunction::BoxState::Box. If closure init is not done in INTERPRETERLOOPNAME due to PROBE_STACK failing, we can’t access framedisplay scopes and scopeslots slotArray. When setting frameDisplay and ScopeSlots during initialization start with a length of 0 so that even if they are un-initialized no one can use the un-initialized array.
… the return value of a foreign import call.
…erating byte code. The FuncInfo holds a reference to the FunctionBody, and redeferral will clean up the FunctionBody and any entry points that have been created for it, as well as pointing the FunctionInfo to a new proxy. Restore the (re-)deferral attribute on candidate functions when the ByteCodeGenerator instance is being destroyed. Also make sure that disabling the CanDefer attribute doesn't prevent generation of scope info we will need if we redefer later.
…rossSite thunk. Allocation happens when the thunk marshals cross-site arguments, and this can result in redeferral, which can cause us to try to jit and/or execute a collected entry point.
… spec is disabled. We are not able to handle a non-int-type-specialized index operand on a switch table branch (today, it will cause us to read the wrong jump target and possibly read past the end of the jump table). Another option is to force type specialization of the index operand, but this seems not worth the risk as a servicing fix.
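The hazard described in the commit message above is an index operand that is not int-type-specialized being used as an offset into a switch jump table. As an added illustration (not ChakraCore's own code; the tagged value type and table are constructed here), this shows the defensive shape of that branch: only an int-typed, in-range index selects a table entry, and anything else falls back to the default target instead of indexing past the end of the table.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed tagged value: the JIT only knows the operand is an int when it has
 * been type-specialized; otherwise it may hold a double or something else. */
typedef enum { TAG_INT, TAG_DOUBLE, TAG_OTHER } tag_t;
typedef struct {
    tag_t tag;
    union { int32_t i; double d; } u;
} value_t;

enum { TABLE_SIZE = 4 };
/* Constructed jump table: each entry stands in for a case target. */
static const int32_t jump_table[TABLE_SIZE] = { 100, 101, 102, 103 };
static const int32_t default_target = -1;

/* Returns the case target selected by idx, or default_target.
 * The index is used as a table offset only when it is known to be an int and
 * lies within [0, TABLE_SIZE); a non-int operand or an out-of-range int takes
 * the default path rather than reading beyond jump_table. */
int32_t switch_table_target(value_t idx)
{
    if (idx.tag != TAG_INT) {
        /* Not type-specialized as int: do not reinterpret the payload bits as an
         * index. Forcing specialization is the alternative the commit mentions;
         * here we simply take the default (slow) path. */
        return default_target;
    }
    if (idx.u.i < 0 || idx.u.i >= TABLE_SIZE) {
        return default_target;
    }
    return jump_table[idx.u.i];
}

/* Helpers to build constructed operands for the checks below. */
value_t make_int(int32_t i)   { value_t v = { TAG_INT };    v.u.i = i; return v; }
value_t make_double(double d) { value_t v = { TAG_DOUBLE }; v.u.d = d; return v; }
```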
…B read/write in RPC - Internal
…array destructuring is used as call arg. Destructuring will create try/catch/finally bytecode when emitting. This pattern can appear as an arg to the call node. We were emitting Argouts as we emit a parameter, so it is possible that we have try/catch/finally in between argouts. The Finally optimization did not like the fact that Argouts are separated. In order to fix this we use temps to store those argouts temporarily and then later those temps will be emitted as argouts. Since we are emitting lots of temps, this change is done only when we determine that args contain destructuring (we took parser help for that).
…ap if not needed Currently we always pass the newtarget flag to the function when called through a Proxy's function call trap. This is not necessary if the call is not a constructor call.
Disabling the creation of deferred stubs. For precise capturing we can't get the information about symbol capturing for functions in deferred stubs with the current design. We will have to rethink the right design for this feature.
@dotnet-bot test OSX _no_jit_shared_osx_osx_test |
@dotnet-bot test OSX static_osx_osx_debug OSX static_osx_osx_release OSX static_osx_osx_test |
@dotnet-bot test OSX static_osx_osx_release |
chakrabot pushed a commit that referenced this pull request on Oct 10, 2017
…he following issues in ChakraCore Merge pull request #3917 from agarwal-sandeep:1710Fixes CVE-2017-11792, CVE-2017-11796, CVE-2017-11797, CVE-2017-11799, CVE-2017-11801, CVE-2017-11802, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11811, CVE-2017-11812, CVE-2017-11821
chakrabot pushed a commit that referenced this pull request on Oct 10, 2017
…t addresses the following issues in ChakraCore Merge pull request #3917 from agarwal-sandeep:1710Fixes CVE-2017-11792, CVE-2017-11796, CVE-2017-11797, CVE-2017-11799, CVE-2017-11801, CVE-2017-11802, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11811, CVE-2017-11812, CVE-2017-11821
chakrabot pushed a commit that referenced this pull request on Mar 12, 2018
…ateCallNode and Parser::CreateSuperCallNode Merge pull request #4804 from irinayat-MS:ParseNodeCall https://microsoft.visualstudio.com/OS/_workitems/edit/16244108 The uninitialized field was introduced by #3917. The only read of the field is in EmitArgList, and if it ends up "true" instead of the default "false" an extra defensive load will be emitted for the constructor parameters so not a security/correctness concern.
chakrabot pushed a commit to nodejs/node-chakracore that referenced this pull request on Mar 13, 2018
[MERGE #4804 @irinayat-MS] OS#16244108: Small refactor of Parser::CreateCallNode and Parser::CreateSuperCallNode Merge pull request #4804 from irinayat-MS:ParseNodeCall https://microsoft.visualstudio.com/OS/_workitems/edit/16244108 The uninitialized field was introduced by chakra-core/ChakraCore#3917. The only read of the field is in EmitArgList, and if it ends up Reviewed-By: chakrabot <chakrabot@users.noreply.github.com>
CVE-2017-11792, CVE-2017-11796, CVE-2017-11797, CVE-2017-11799, CVE-2017-11801, CVE-2017-11802, CVE-2017-11805, CVE-2017-11806, CVE-2017-11807, CVE-2017-11808, CVE-2017-11809, CVE-2017-11811, CVE-2017-11812, CVE-2017-11821