17-10 Security Update that addresses the following issues in ChakraCore #3917
Commits on Oct 10, 2017
[CVE-2017-11802] Chakra - JIT RegexHelper::StringReplace must call the callback function with updating ImplicitCallFlags.
The JIT inlines String.prototype.replace for the case a.replace(b,c) if 'a' and 'c' are strings and 'b' is a regex, and calls the helper for other cases. If c is a function, RegexHelper::StringReplace will call c; this should be marked as an implicit call so that the JIT can bail out on the implicit call check.
Commit b7dcda0
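The implicit-call hazard this commit describes, shown from the JavaScript side as an added example (this is not ChakraCore code and not an exploit): a function replacer passed to String.prototype.replace runs arbitrary user code from inside the engine's replace helper, so anything the compiled caller assumed about its own state before the call (here an array's length and contents) can be stale afterwards. The engine must treat the helper as a point where those assumptions may be invalidated and re-check or bail out. The function names, the sample inputs and the warm-up loop are my own constructions.

```javascript
// Added example: the semantics an engine must preserve when String.prototype.replace
// is given a function replacer. The replacer is an "implicit call" into user code
// made from inside the native replace helper.

function makeReplacer(victim) {
  // Replacer with side effects on state the caller is still using.
  return function (match) {
    victim.length = 0;          // shrink the array the caller loaded from
    victim.push("replaced");    // ...and change what is stored in it
    return match.toUpperCase();
  };
}

function useAfterCallback(str, arr) {
  const before = arr[0];
  const out = str.replace(/b/g, makeReplacer(arr));
  // A correct engine re-reads arr[0] and arr.length here. A JIT that treated the
  // replace helper as side-effect free could forward the earlier load or keep
  // using the old length, which is exactly the class of bug the commit closes.
  const after = arr[0];
  return { out, before, after, len: arr.length };
}

function stringReplacerCase(str) {
  // a.replace(b, c) with a string c: no callback, nothing can run user code,
  // so this is the shape the JIT can inline safely.
  return str.replace(/b/g, "X");
}

function run() {
  // Constructed warm-up so that a tiering engine compiles useAfterCallback before
  // the result we inspect; the observable values must not change with tier.
  let last = null;
  for (let i = 0; i < 2000; i++) {
    last = useAfterCallback("abc", [1, 2, 3]);
  }
  return last;
}
```

Running `run()` must yield `{ out: "aBc", before: 1, after: "replaced", len: 1 }` regardless of whether the caller was interpreted or JIT-compiled; any divergence between the warm and cold result is the symptom a fuzzer for this bug class looks for.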
[CVE-2017-11799] Edge - Chakra: JIT: Incorrect GenerateBailOut calling patterns.
Due to a bug in super property access we were reaching the code path where we had src2 on the instruction but didn't free it before generating bailout. After the fix for issue chakra-core#3423/chakra-core#3064 went in 2b9da66 the bug no longer repros, but for previous branches I am putting a conservative fix to always free src2 if we have it and don't have src1. For RS4 we have a WI to add asserts to better track the number of sources on an instruction and add checks.
Commit 2e2270c
[CVE-2017-11809] Edge - Chakra: Accesses to uninitialized pointers in StackScriptFunction::BoxState::Box.
If closure init is not done in INTERPRETERLOOPNAME due to PROBE_STACK failing, we can't access the frameDisplay scopes and the scopeSlots slotArray. When setting frameDisplay and ScopeSlots during initialization, start with a length of 0 so that even if they are uninitialized no one can use the uninitialized array.
Commit e2b35ab
Commit 6eba63d
Commit d79926b
Commit f08408b
[CVE-2017-11812] Asm.js: Check if the heap is detached after coercing the return value of a foreign import call.
Commit 8069020
[CVE-2017-11807] Prevent redeferral of functions for which we are generating byte code.
The FuncInfo holds a reference to the FunctionBody, and redeferral will clean up the FunctionBody and any entry points that have been created for it, as well as pointing the FunctionInfo to a new proxy. Restore the (re-)deferral attribute on candidate functions when the ByteCodeGenerator instance is being destroyed. Also make sure that disabling the CanDefer attribute doesn't prevent generation of scope info we will need if we redefer later.
Commit 1330a77
[CVE-2017-11805] Disable (re)deferral of the called function in the CrossSite thunk.
Allocation happens when the thunk marshals cross-site arguments, and this can result in redeferral, which can cause us to try to jit and/or execute a collected entry point.
Commit a9ea5c9
[CVE-2017-11811] Disable switch jump table opt if aggressive int type spec is disabled.
We are not able to handle a non-int-type-specialized index operand on a switch table branch (today, it will cause us to read the wrong jump target and possibly read past the end of the jump table). Another option is to force type specialization of the index operand, but this seems not worth the risk as a servicing fix.
Commit 775ed51
[CVE-2017-11792] Partially initialized data in chakra JIT leads to OOB read/write in RPC - Internal
Commit 4e319aa
[CVE-2017-11797] Invalid memory read of out params on a bailout when array destructuring is used as call arg.
Destructuring will create try/catch/finally bytecode when emitting. This pattern can appear as an arg to the call node. We were emitting ArgOuts as each parameter was emitted, so it is possible that we have try/catch/finally in between ArgOuts. The Finally optimization did not like the fact that ArgOuts are separated. In order to fix this we use temps to store those ArgOuts temporarily, and later those temps will be emitted as ArgOuts. Since we are emitting lots of temps, this change is done when we determine that args contain destructuring (we took parser help for that).
Commit 9a3ad7c
[CVE-2017-11821] Do not pass NewTarget flag on proxy function call trap if not needed.
Currently we always pass the newtarget flag to the function when called through a Proxy's function call trap. This is not necessary if the call is not a constructor call.
Commit 2a07ca6
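The observable semantics behind this commit, as an added JavaScript example (not ChakraCore code): a plain call that goes through a Proxy's apply trap is not a constructor call, so the target function must see `new.target === undefined`; only `new` through the construct trap may hand the target a defined `new.target`. An engine that flags every call made through the call trap as carrying a NewTarget would make the callee believe it was constructed. The function and trap names and the recording of the last `new.target` are my own constructions.

```javascript
// Added example: new.target as observed by a function reached through a Proxy.
// A call via the apply trap must not look like a construct call.

function Target() {
  // Record what this invocation observed so the caller can inspect it.
  Target.lastNewTarget = new.target;
  if (new.target === undefined) {
    return "called";           // ordinary [[Call]]
  }
  this.kind = "constructed";   // [[Construct]]
}

const trapLog = [];
const proxied = new Proxy(Target, {
  apply(target, thisArg, args) {
    trapLog.push("apply");
    // Reflect.apply performs [[Call]]; no NewTarget is involved.
    return Reflect.apply(target, thisArg, args);
  },
  construct(target, args, newTarget) {
    trapLog.push("construct");
    // Reflect.construct performs [[Construct]] with the supplied newTarget.
    return Reflect.construct(target, args, newTarget);
  },
});

function callThroughProxy() {
  const result = proxied();
  return { result, newTarget: Target.lastNewTarget };
}

function constructThroughProxy() {
  const obj = new proxied();
  // With `new proxied()`, new.target inside Target is the proxy itself.
  return { kind: obj.kind, newTargetIsProxy: Target.lastNewTarget === proxied };
}

function trapsHit() {
  return trapLog.slice();
}
```

`callThroughProxy()` must report `newTarget` as `undefined` and `constructThroughProxy()` must report `newTargetIsProxy` as `true`; a callee that branches on `new.target` (the common "was I called with new" guard) relies on exactly this distinction being preserved across the trap boundary.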
[CVE-2017-11801] Out of bound read on deferred stub - Individual
Disabling the creation of deferred stubs. For precise capturing we can't get the information about symbol capturing for functions in deferred stubs with the current design. We will have to rethink the right design for this feature.
Commit 7b936e2
Commit 436c5c2
Commit d7e9d0d
Commit a2e1959