Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

18-01 Security Update #4503

Merged
merged 20 commits into from
Jan 5, 2018
Merged

18-01 Security Update #4503

merged 20 commits into from
Jan 5, 2018

Conversation

thomasmo
Copy link
Contributor

@thomasmo thomasmo commented Jan 5, 2018

pleath
pleath approved these changes Jan 5, 2018
View reviewed changes
Copy link
Contributor

@pleath pleath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My 4 changes look good.

rajatd
rajatd approved these changes Jan 5, 2018
View reviewed changes
Copy link
Contributor

@rajatd rajatd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

boingoing
boingoing approved these changes Jan 5, 2018
View reviewed changes
Copy link
Contributor

@boingoing boingoing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@obastemur
Copy link
Collaborator

Not sure why my commits are here? (side note; they are already on 1.7)

@thomasmo
Copy link
Contributor Author

thomasmo commented Jan 5, 2018

@obastemur -- yeah...I will look into fixing this before I submit. that was fallout from my rebasing

pleath and others added 13 commits January 5, 2018 09:58
@pleath
[CVE-2018-0769] JIT: Incorrect bounds calculation - Google, Inc.
0ea8624
@pleath
[CVE-2018-0774] Incorrect scope handling - Google, Inc.
5c26851
[CVE-2018-0768] Use of PropertyString and SubString,GetString() could…
985a82f 
… lead to UAF - Individual
[CVE-2018-0776] JIT: stack-to-heap copy bug - Google, Inc.
40e45fc 
This change fixes a type-confusion bug that can occur with Native arrays allocated on the stack. Once JIT'd code expects a Native array to be used on the stack, the POC converts it to a Var array. This is combined with current behavior of the Arguments property, which moves the array from the stack to the heap. The result of these two assumptions is natively setting a Float value where a Var value is expected, letting any arbitrary floating-point number be written to memory and subsequently accessed as a Var.

This fix forces a deep copy of Arrays that are returned via Arguments. This ensures that the new object created points to its own buffers. This also indicates a divergence with the original object and the one created by Arguments; however, there is currently no standard to define this behavior.
@Cellule
[CVE-2018-0767] OOB read in AppendLeftOverItemsFromEndSegment - Googl…
82825da 
…e, Inc.
@Cellule
[CVE-2018-0780] AsmJSByteCodeGenerator::EmitCall call handling result…
7013465 
…s in OOB Read - Google, Inc.
@Cellule
Fix for xplat build for CVE-2018-0767
9a77b67
@pleath
[CVE-2018-0775] Deferred parsing makes wrong scopes chakra-core#2 - G…
ee5ac64 
…oogle, Inc.
@pleath
[CVE-2018-0777] JIT: Loop analysis bug - Google, Inc.
14c752b
@aneeshdk
[CVE-2018-0778] Stack use after scope in Emit
be3b212 
The variable was declared inside an if-else condition and is used outside the block.
@aneeshdk
[CVE-2018-0781] Stack-use-after-scope in Js::JavascriptFunction::Call…
1d0a527 
…AsConstructor

stackArgs variable is declared inside an if block but used outside of the block.
@rajatd
[CVE-2018-0770] JIT: Incomplete fix for issue 1365 - Google, Inc.
b0ff4cc
@leirocks
[CVE-2018-0762] 2 crashes : jscript9!JsJavascriptOperatorsPatchGetMet…
51a6b6a 
…hodJsPolymorphicInlineCache - Palo Alto Networks, Inc.
leirocks and others added 7 commits January 5, 2018 09:58
@leirocks
[CVE-2018-0772] Chakra Access violation - chakracore!Memory::HeapBloc…
a1c8240 
…kMap32::L2MapChunk::Set+2e - Individual
[CVE-2018-0758] Integer overflow bug in the latest version of Edge ca…
4db0bd2 
…using RCE - Individual
@boingoing
[CVE-2018-0773] An uaf bug in the latest version of Edge,lead to rce …
a267c5b 
…- Qihoo 360

Dynamic import keyword should have been disabled. The bug exploits our use of JavascriptError::SetErrorMessageProperties with the underlying buffer from a JavascriptString object which might get collected leading to use after free of that buffer.

Fix here disables dynamic import feature and fixes the exploit since some of that code is shared with other components.
@leirocks
Disable SharedArrayBuffer by default
ee2538d 
This feature is now experimental.
Update ChakraCore version to 1.7.6
50677d3
Fix xplat build error
2281a73
Fix copyright build error
7b59f02
@chakrabot chakrabot merged commit 7b59f02 into chakra-core:release/1.7 Jan 5, 2018
chakrabot pushed a commit that referenced this pull request Jan 5, 2018
[MERGE #4503 @thomasmo] 18-01 Security Update
e02b39a 
Merge pull request #4503 from thomasmo:1801

18-01 Security Update that addresses the following issues in ChakraCore:
CVE-2018-0758
CVE-2018-0762
CVE-2018-0767
CVE-2018-0768
CVE-2018-0769
CVE-2018-0770
CVE-2018-0772
CVE-2018-0773
CVE-2018-0774
CVE-2018-0775
CVE-2018-0776
CVE-2018-0777
CVE-2018-0778
CVE-2018-0780
CVE-2018-0781
chakrabot pushed a commit that referenced this pull request Jan 9, 2018
[1.7>1.8] [MERGE #4503 @thomasmo] 18-01 Security Update
0be1e74 
Merge pull request #4503 from thomasmo:1801

18-01 Security Update that addresses the following issues in ChakraCore:
CVE-2018-0758
CVE-2018-0762
CVE-2018-0767
CVE-2018-0768
CVE-2018-0769
CVE-2018-0770
CVE-2018-0772
CVE-2018-0773
CVE-2018-0774
CVE-2018-0775
CVE-2018-0776
CVE-2018-0777
CVE-2018-0778
CVE-2018-0780
CVE-2018-0781
chakrabot pushed a commit that referenced this pull request Jan 9, 2018
[1.8>master] [1.7>1.8] [MERGE #4503 @thomasmo] 18-01 Security Update
635e8f5 
Merge pull request #4503 from thomasmo:1801

18-01 Security Update that addresses the following issues in ChakraCore:
CVE-2018-0758
CVE-2018-0762
CVE-2018-0767
CVE-2018-0768
CVE-2018-0769
CVE-2018-0770
CVE-2018-0772
CVE-2018-0773
CVE-2018-0774
CVE-2018-0775
CVE-2018-0776
CVE-2018-0777
CVE-2018-0778
CVE-2018-0780
CVE-2018-0781
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boingoing boingoing boingoing approved these changes

@Cellule Cellule Cellule approved these changes

@rajatd rajatd rajatd approved these changes

@leirocks leirocks leirocks approved these changes

@pleath pleath pleath approved these changes

@atulkatti atulkatti atulkatti approved these changes

@meg-gupta meg-gupta meg-gupta approved these changes

@aneeshdk aneeshdk Awaiting requested review from aneeshdk

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.