From 9dd36b4c1120c40ffc4c62bc1b727b784c10a7d4 Mon Sep 17 00:00:00 2001
From: Michael Holman
Date: Thu, 12 Nov 2020 10:20:40 -0800
Subject: [PATCH 1/2] [CVE-2020-17131]
---
 lib/Backend/BackwardPass.cpp | 55 +++++++++++++++++++++++++-----------
 1 file changed, 39 insertions(+), 16 deletions(-)
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
index 2cdeac4c9ca..0403f185a23 100644
--- a/lib/Backend/BackwardPass.cpp
+++ b/lib/Backend/BackwardPass.cpp
@@ -3856,7 +3856,7 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 IR::Instr * instr = this->currentInstr;
 Func * currFunc = instr->m_func;
 
- if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled() && !IsPrePass())
+ if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled())
 {
 switch (instr->m_opcode)
 {
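Review bot: Removing `!IsPrePass()` from the outer condition makes the whole `switch` run during the pre-pass as well, so every case in it — including any case not shown in this diff — now needs its own pre-pass guard; only the cases touched later in this patch visibly got one, so the rest of the switch is worth checking for IR mutation or `instr->Remove()` that would now execute in both passes. A comment on the `if` would make the intent survive the next refactor, e.g. `// Runs in the pre-pass too: the sym uses introduced by the rewrites below must be recorded in both passes; the IR changes themselves are deferred to the final pass.` The diffstat shows only `lib/Backend/BackwardPass.cpp` changing, so the fix named in the subject lands without a regression test in the same patch. The enclosing function starts before this hunk and its switch continues past it.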
@@ -3875,28 +3875,37 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 if (IsFormalParamSym(currFunc, sym))
 {
 AssertMsg(!currFunc->GetJITFunctionBody()->HasImplicitArgIns(), "We don't have mappings between named formals and arguments object here");
-
- instr->m_opcode = Js::OpCode::Ld_A;
+
 PropertySym * propSym = sym->AsPropertySym();
 Js::ArgSlot value = (Js::ArgSlot)propSym->m_propertyId;
 Assert(currFunc->HasStackSymForFormal(value));
 StackSym * paramStackSym = currFunc->GetStackSymForFormal(value);
- IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
- instr->ReplaceSrc1(srcOpnd);
- this->ProcessSymUse(paramStackSym, true, true);
- if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+ if (!IsPrePass())
 {
- Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
- Output::Flush();
+ IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
+ instr->ReplaceSrc1(srcOpnd);
+ instr->m_opcode = Js::OpCode::Ld_A;
+
+ if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+ {
+ Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
+ Output::Flush();
+ }
 }
+
+ this->ProcessSymUse(paramStackSym, true, true);
 }
 }
 break;
 }
 case Js::OpCode::CommitScope:
 {
+ if (IsPrePass())
+ {
+ break;
+ }
 if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
 {
 instr->Remove();
@@ -3907,6 +3916,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 case Js::OpCode::BrFncCachedScopeEq:
 case Js::OpCode::BrFncCachedScopeNeq:
 {
+ if (IsPrePass())
+ {
+ break;
+ }
 if (instr->GetSrc2()->IsScopeObjOpnd(currFunc))
 {
 instr->Remove();
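Review bot: `this->ProcessSymUse(paramStackSym, true, true)` is now reached in the pre-pass while the `LdSlot` still carries its original opcode and source operand, so the pre-pass records a use of the formal's stack sym that the instruction does not yet read; that mirrors the rewrite the final pass will perform and looks intended, but nothing in the code says so. I would put `// Record the use in both passes so the formal's stack sym stays live; the LdSlot -> Ld_A rewrite only happens in the final pass.` directly above the call. The `if (IsPrePass()) { break; }` preamble added for CommitScope here is repeated verbatim for BrFncCachedScopeEq/Neq in the next hunk and for CallHelper in the hunk after that; a one-line comment on the first occurrence (`// IR is only removed or rewritten in the final pass`) would explain all three. The enclosing switch starts before this hunk and continues after it.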
@@ -3916,6 +3929,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 }
 case Js::OpCode::CallHelper:
 {
+ if (IsPrePass())
+ {
+ break;
+ }
 //Remove the CALL and all its Argout instrs.
 if (instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper == IR::JnHelperMethod::HelperOP_InitCachedFuncs)
 {
@@ -3954,15 +3971,21 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 
 if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
 {
- instr->m_opcode = Js::OpCode::NewScFunc;
- IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
- Assert(intConstOpnd->IsIntConstOpnd());
+ StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym();
+ if (!IsPrePass())
+ {
+ instr->m_opcode = Js::OpCode::NewScFunc;
+ IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
+ Assert(intConstOpnd->IsIntConstOpnd());
 
- uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
- intConstOpnd->Free(instr->m_func);
+ uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
+ intConstOpnd->Free(instr->m_func);
+
+ instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
+ instr->SetSrc2(IR::RegOpnd::New(frameDisplaySym, IRType::TyVar, currFunc));
+ }
 
- instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
- instr->SetSrc2(IR::RegOpnd::New(currFunc->GetLocalFrameDisplaySym(), IRType::TyVar, currFunc));
+ this->ProcessSymUse(frameDisplaySym, true, true);
 }
 break;
 }
From c8b56ec0bcb744247f17c6281e72e3ff3d043919 Mon Sep 17 00:00:00 2001
From: Michael Holman
Date: Fri, 13 Nov 2020 10:10:25 -0800
Subject: [PATCH 2/2] Update version to 1.11.24
---
 Build/NuGet/.pack-version | 2 +-
 lib/Common/ChakraCoreVersion.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
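Review bot: `StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym();` is now fetched in both passes and handed to `ProcessSymUse` unconditionally, whereas before it was only consumed inside `IR::RegOpnd::New` in the final pass; if `GetLocalFrameDisplaySym()` can return null for a function without a frame display, the pre-pass would now call `ProcessSymUse(nullptr, ...)` where the old code never got that far. The old code relied on the same value, so this is probably safe, but `Assert(frameDisplaySym != nullptr);` after the lookup, or a comment stating why it cannot be null here, would pin it. As in the `LdSlot` case, the use is recorded in the pre-pass while the `NewScFunc` rewrite stays final-pass only; a matching comment above `this->ProcessSymUse(frameDisplaySym, true, true);` keeps the two cases readable together. The enclosing switch and function continue outside this hunk.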
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
index 33fb4acf145..f2a994ecb35 100644
--- a/Build/NuGet/.pack-version
+++ b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.23
+1.11.24
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
index d6d376a71d9..0ed2efd8823 100644
--- a/lib/Common/ChakraCoreVersion.h
+++ b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 23
+#define CHAKRA_CORE_PATCH_VERSION 24
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 // -------------