Skip to content

Commit

Permalink
CVE-2018-8624 Edge - Chakra JIT Overflow
Browse files Browse the repository at this point in the history
  • Loading branch information
wyrichte authored and akroshg committed Dec 10, 2018
1 parent 8d21cde commit 8264b9b
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 1 deletion.
10 changes: 9 additions & 1 deletion lib/Backend/BackwardPass.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -8669,7 +8669,15 @@ BackwardPass::RestoreInductionVariableValuesAfterMemOp(Loop *loop)

IR::Opnd *inductionVariableOpnd = IR::RegOpnd::New(sym, IRType::TyInt32, localFunc);
IR::Opnd *sizeOpnd = globOpt->GenerateInductionVariableChangeForMemOp(loop, inductionVariableChangeInfo.unroll);
loop->landingPad->InsertAfter(IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc()));
IR::Instr* restoreInductionVarInstr = IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc());

// The IR that restores the induction variable's value is placed before the MemOp. Since this IR can
// bailout to the loop's landing pad, placing this IR before the MemOp avoids performing the MemOp,
// bailing out because of this IR, and then performing the effects of the loop again.
loop->landingPad->InsertInstrBefore(restoreInductionVarInstr, loop->memOpInfo->instr);

// If restoring an induction variable results in an overflow, bailout to the loop's landing pad.
restoreInductionVarInstr->ConvertToBailOutInstr(loop->bailOutInfo, IR::BailOutOnOverflow);
};

for (auto it = loop->memOpInfo->inductionVariableChangeInfoMap->GetIterator(); it.IsValid(); it.MoveNext())
Expand Down
1 change: 1 addition & 0 deletions lib/Backend/FlowGraph.h
Original file line number Diff line number Diff line change
Expand Up @@ -694,6 +694,7 @@ class Loop
// Temporary map to reuse existing startIndexOpnd while emitting
// 0 = !increment & !alreadyChanged, 1 = !increment & alreadyChanged, 2 = increment & !alreadyChanged, 3 = increment & alreadyChanged
IR::RegOpnd* startIndexOpndCache[4];
IR::Instr* instr;
} MemOpInfo;

bool doMemOp : 1;
Expand Down
3 changes: 3 additions & 0 deletions lib/Backend/GlobOpt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -16854,6 +16854,9 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount *loopCount, const MemOpEmitData* emitD
memopInstr->SetSrc2(sizeOpnd);
insertBeforeInstr->InsertBefore(memopInstr);


loop->memOpInfo->instr = memopInstr;

#if DBG_DUMP
if (DO_MEMOP_TRACE())
{
Expand Down

0 comments on commit 8264b9b

Please sign in to comment.