17-11 Security Update #4226
Commits on Nov 12, 2017
- [CVE-2017-11843] Edge - UAF in chakra the bug is in Js::GlobalObject::VEval function - Individual
  Do not use eval map if we are eval-ing PropertyString.
  Commit 14f44de
- Commit 38a37ac
- [CVE-2017-11870] Edge - Exploitable write-AV when writing to a slot of a javascript null scope object. - Internal
  Commit b44ee83
- [CVE-2017-11841] JIT: Inline::InlineCallApplyTarget_Shared doesn't return the return instruction - Google, Inc.
  Commit f8098c2
- [CVE-2017-11858] Chakra - Regular Expression Integer Overflow Leads to RCE - Zero Day Initiative
  Fix *::TransferPass0 overflowing the returning integer; the allocation part is the only point that uses the returning value.
  Commit b54e0d6
- [CVE-2017-11836] Edge - Assertion only bound check can lead to user controlled allocation size and write - Individual
  When parsing a string template literal, we temporarily suspend updating some of the offset counters. If an attacker crafts a string template that contains multibyte characters, it is possible to overflow the minLine counter. The attacker can directly control the size of the overflow, which is then used in an allocation and offset calculation when handling a parse error. Further control can be gained by triggering a scanner capture and restore to propagate this bad counter value. Unfortunately this would have been caught by existing bounds checks, but they are asserts only. There are other instances of these around the codebase, but I did not see any exploits for those.
  To fix this, we manually update the minLine counter at the point where it would normally have been updated outside of a string template. I also changed the subtraction overflow asserts to be failfasts and added an assert for detecting overflow with multibyte characters. In the non-assert case, we will return 0. Other similar checks in IchMinTok and IchLimTok have also been converted.
  Commit 79edb68
Commits on Nov 14, 2017
- [CVE-2017-11873] Edge - Chakra: JIT: Bailouts must be generated for OP_Memset: Type Confusion - Google, Inc.
  Commit a8d64f1
- [CVE-2017-11791] Fix code patterns where accessing a local JavascriptString's buffer could cause UAF.
  Commit 2c9654e
- [CVE-2017-11840] [ChakraCore]: JIT: GlobOpt::OptTagChecks must consider IsLoopPrePass properly - Google, Inc.
  Commit 874551d
- [CVE-2017-11874] [ChakraCore]: CFG bypass due to a bug in ServerFreeAllocation - Google, Inc.
  Commit 5a4e655
- [CVE-2017-11838] [ChakraCore] - JIT optimization vulnerability could lead to RCE - Individual
  Commit c1bdfff
- [CVE-2017-11861] [ChakraCore] Chakra JIT - Incorrect integer overflow check in Lowerer::LowerBoundCheck - Google, Inc.
  Math on IntConstType should be bounded by IRType of the Opnd. In case of Lowerer::LowerBoundCheck, it ended up that the IntConstOpnd is a TyInt32 and the overflow leads to bad bound check being emitted. For this I added a new IntConstMath class which takes an IRType as a parameter and validates that the result can be represented by that IRType.
  Commit 85d42e7
- [CVE-2017-11846] [ChakraCore] - Chakra Array.Shift Heap Overflow RCE - Qihoo 360
  OOM in the Array.Shift method has left the array in a bad state, and later it got overlapped and exploited. Fixed that by making any exception a failfast in that region.
  Commit 3f8cc2d
- [CVE-2017-11862] [ChakraCore] Type confusion in module exports - Individual
  Export was not taking care of destructuring nodes, leading to type confusion. Fixed that by adding support for walking those nodes.
  Commit 66d733b
- [CVE-2017-11871] Redeferral - Invalid pointer read during native codegen for function objects with inline cache
  When trying to get inlineCaches for a ScriptFunctionWithInlineCache, if the function got redeferred and didn't get reparsed, the function body won't be there (hence no inlineCache on the function body). Check that and reset the inlineCache of ScriptFunctionWithInlineCache for such a case.
  Commit 9d211a4
- Commit dcf8c7a
Commits on Nov 15, 2017
- After fixing eval map to not be used with property string, repeatedly eval on property will be slower, especially in debug build.
  Here empty string or single char string is backed by property string (an optimization for using inline buffer), and these two tests keep eval on empty string until stack overflow, which causes timeout on debug build. Changing to eval on two spaces instead of empty string to avoid the issue.
  Commit c9855d9
- Commit 1be2d26