CVE-2018-8583 Edge - Chakra JIT OOB 9 13 leads to RCE

In the loop range check we emit an add instruction to add 1 to the range. That can overflow. We didn't have an overflow bailout over there.
Fixed that by adding a bailout over there.
Akrosh Gandhi 7 years ago
parent
commit
8d21cde342
1 changed file with 10 additions and 5 deletions
lib/Backend/GlobOptIntBounds.cpp

@@ -1822,11 +1822,16 @@ void GlobOpt::GenerateLoopCountPlusOne(Loop *const loop, LoopCount *const loopCo
         IR::RegOpnd *loopCountOpnd = IR::RegOpnd::New(type, func);
         IR::RegOpnd *minusOneOpnd = IR::RegOpnd::New(loopCount->LoopCountMinusOneSym(), type, func);
         minusOneOpnd->SetIsJITOptimizedReg(true);
-        insertBeforeInstr->InsertBefore(IR::Instr::New(Js::OpCode::Add_I4,
-                                                       loopCountOpnd,
-                                                       minusOneOpnd,
-                                                       IR::IntConstOpnd::New(1, type, func, true),
-                                                       func));
+        IR::Instr* incrInstr = IR::Instr::New(Js::OpCode::Add_I4,
+            loopCountOpnd,
+            minusOneOpnd,
+            IR::IntConstOpnd::New(1, type, func, true),
+            func);
+
+        insertBeforeInstr->InsertBefore(incrInstr);
+
+        // Incrementing to 1 can overflow - add a bounds check bailout here
+        incrInstr->ConvertToBailOutInstr(bailOutInfo, IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck);
         loopCount->SetLoopCountSym(loopCountOpnd->GetStackSym());
     }
 }
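Review bot: The comment above the `ConvertToBailOutInstr` call reads "Incrementing to 1 can overflow", but the instruction being guarded is `Add_I4 loopCountOpnd = minusOneOpnd + 1`, i.e. an increment by 1 of the loop-count-minus-one value; suggest "Incrementing by 1 can overflow - add a bounds check bailout here" so the comment matches the operation. Two further points: `bailOutInfo` is not defined anywhere in the visible hunk, so please confirm it is the `BailOutInfo` intended for this specific instruction and that its bailout kind (`IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck`) is what the lowerer expects for an overflow on an `Add_I4`, since the overflow on the add is what this change is meant to catch; and the commit touches only `lib/Backend/GlobOptIntBounds.cpp`, so a regression test that drives the loop count to the overflow boundary and verifies the bailout fires would be a welcome addition to keep this fix from regressing.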