From d73c5f12d9c5cbbf64f59ae04e76a531b3e844b3 Mon Sep 17 00:00:00 2001
From: Rajat Dua
Date: Tue, 11 Dec 2018 18:06:23 -0800
Subject: [PATCH 1/2] CVE-2019-0568 Edge - Chakra: JIT: JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode just clears DisableImplicitFlags - Google, Inc.
---
 ...sBuiltInEngineInterfaceExtensionObject.cpp | 36 ++++++++++++++-----
 1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/lib/Runtime/Library/JsBuiltInEngineInterfaceExtensionObject.cpp b/lib/Runtime/Library/JsBuiltInEngineInterfaceExtensionObject.cpp
index 14e43dea2a6..d5d92ad1ee4 100644
--- a/lib/Runtime/Library/JsBuiltInEngineInterfaceExtensionObject.cpp
+++ b/lib/Runtime/Library/JsBuiltInEngineInterfaceExtensionObject.cpp
@@ -100,6 +100,26 @@ namespace Js
 {
 return;
 }
+
+ struct AutoRestoreFlags
+ {
+ ThreadContext * ctx;
+ ImplicitCallFlags savedImplicitCallFlags;
+ DisableImplicitFlags savedDisableImplicitFlags;
+ AutoRestoreFlags(ThreadContext *ctx, Js::ImplicitCallFlags implFlags, DisableImplicitFlags disableImplFlags) :
+ ctx(ctx),
+ savedImplicitCallFlags(implFlags),
+ savedDisableImplicitFlags(disableImplFlags)
+ {
+ ctx->ClearDisableImplicitFlags();
+ }
+
+ ~AutoRestoreFlags()
+ {
+ ctx->SetImplicitCallFlags((Js::ImplicitCallFlags)(savedImplicitCallFlags));
+ ctx->SetDisableImplicitFlags((DisableImplicitFlags)savedDisableImplicitFlags);
+ }
+ };
 try {
 EnsureJsBuiltInByteCode(scriptContext);
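Review bot: AutoRestoreFlags takes the two saved flag values as constructor parameters even though it already holds the ThreadContext they must be read from, so every use site repeats three GetThreadContext() calls and could in principle pass values from a different context; reading them in the initializer list, `savedImplicitCallFlags(ctx->GetImplicitCallFlags()), savedDisableImplicitFlags(ctx->GetDisableImplicitFlags())`, makes the guard self-contained. The struct is also copyable, and a copy would run the restoring destructor twice; `AutoRestoreFlags(const AutoRestoreFlags&) = delete;` closes that. The two C-style casts in the destructor convert each value to its own declared type and can simply be dropped. A one-line comment above the struct stating that it clears DisableImplicitFlags for the duration of the init script and restores both ImplicitCallFlags and DisableImplicitFlags on every exit path, including unwinding out of the surrounding try, would record why the destructor restores both where the old code restored only one. InjectJsBuiltInLibraryCode begins before this hunk and continues past it.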
@@ -138,19 +158,19 @@ namespace Js
 scriptContext->GetThreadContext()->SetNoJsReentrancy(false);
 #endif
 // Clear disable implicit call bit as initialization code doesn't have any side effect
- Js::ImplicitCallFlags saveImplicitCallFlags = scriptContext->GetThreadContext()->GetImplicitCallFlags();
- scriptContext->GetThreadContext()->ClearDisableImplicitFlags();
- JavascriptFunction::CallRootFunctionInScript(functionGlobal, Js::Arguments(callInfo, args));
- scriptContext->GetThreadContext()->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags));
+ {
+ AutoRestoreFlags autoRestoreFlags(scriptContext->GetThreadContext(), scriptContext->GetThreadContext()->GetImplicitCallFlags(), scriptContext->GetThreadContext()->GetDisableImplicitFlags());
+ JavascriptFunction::CallRootFunctionInScript(functionGlobal, Js::Arguments(callInfo, args));
+ }
 Js::ScriptFunction *functionBuiltins = scriptContext->GetLibrary()->CreateScriptFunction(jsBuiltInByteCode->GetNestedFunctionForExecution(0));
 functionBuiltins->SetPrototype(scriptContext->GetLibrary()->nullValue);
 // Clear disable implicit call bit as initialization code doesn't have any side effect
- saveImplicitCallFlags = scriptContext->GetThreadContext()->GetImplicitCallFlags();
- scriptContext->GetThreadContext()->ClearDisableImplicitFlags();
- JavascriptFunction::CallRootFunctionInScript(functionBuiltins, Js::Arguments(callInfo, args));
- scriptContext->GetThreadContext()->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags));
+ {
+ AutoRestoreFlags autoRestoreFlags(scriptContext->GetThreadContext(), scriptContext->GetThreadContext()->GetImplicitCallFlags(), scriptContext->GetThreadContext()->GetDisableImplicitFlags());
+ JavascriptFunction::CallRootFunctionInScript(functionBuiltins, Js::Arguments(callInfo, args));
+ }
 InitializePrototypes(scriptContext);
 #if DBG_DUMP
From 788f17b0ce06ea84553b123c174d1ff7052112a0 Mon Sep 17 00:00:00 2001
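Review bot: Both guard constructions repeat `scriptContext->GetThreadContext()` three times on one line, which hides that all three arguments must come from the same context; hoisting it once above the first block, `ThreadContext *threadContext = scriptContext->GetThreadContext();`, and writing `AutoRestoreFlags autoRestoreFlags(threadContext, threadContext->GetImplicitCallFlags(), threadContext->GetDisableImplicitFlags());` in both places is shorter and makes that explicit. The comment kept above each block still describes only the clearing of the disable bit, while the point of the new scope block is that the flags are put back when the scope is left, presumably also when CallRootFunctionInScript unwinds through the enclosing try; updating it to `// Run the init code with implicit calls enabled; AutoRestoreFlags restores both flag sets on scope exit` records that intent. The enclosing function starts in the previous hunk and continues past this one.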
From: Chakra Automation
Date: Sun, 18 Nov 2018 22:22:42 -0800
Subject: [PATCH 2/2] CVE-2019-0539, CVE-2019-0567 Edge - Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto - Google, Inc.
---
 lib/Backend/GlobOptFields.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
index fade2e3e331..5ea4b6f0b70 100644
--- a/lib/Backend/GlobOptFields.cpp
+++ b/lib/Backend/GlobOptFields.cpp
@@ -456,6 +456,15 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo
 }
 break;
+ case Js::OpCode::InitClass:
+ case Js::OpCode::InitProto:
+ case Js::OpCode::NewScObjectNoCtor:
+ if (inGlobOpt)
+ {
+ KillObjectHeaderInlinedTypeSyms(this->currentBlock, false);
+ }
+ break;
+
 default:
 if (instr->UsesAllFields())
 {
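Review bot: The new cases carry no comment saying why InitClass, InitProto and NewScObjectNoCtor must kill object-header-inlined type syms, and the `false` passed to KillObjectHeaderInlinedTypeSyms is a bare literal whose meaning the reader cannot recover from this switch. A comment above the cases such as `// These opcodes can change an object's type/layout after the optimizer has assumed an object-header-inlined type (CVE-2019-0539 / CVE-2019-0567); kill those type syms so later field accesses re-check the type.` would tie the kill to the fix, and the bool argument deserves a named constant or an inline argument comment stating what it selects (the parameter's name is not visible here, so I cannot suggest the wording). If the other cases in this switch kill type syms without an `inGlobOpt` guard, the comment should also say why this kill is only needed during the GlobOpt pass. The switch and ProcessFieldKills begin before the hunk.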