[CVE-2018-8133] Edge - Chakra: Type confusion with EntrySimpleObjectSlotGetter

akroshg · MSLaguana · commit 1b56f9fedf07 · 2018-05-08T11:17:42.000-07:00
diff --git a/lib/Runtime/Base/CrossSite.cpp b/lib/Runtime/Base/CrossSite.cpp
@@ -228,6 +228,9 @@ namespace Js
         }
 #endif
 
+        // Marshaling should not cause any re-entrancy.
+        JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());
+
 #if ENABLE_COPYONACCESS_ARRAY
         JavascriptLibrary::CheckAndConvertCopyOnAccessNativeIntArray<Var>(object);
 #endif
@@ -297,9 +300,18 @@ namespace Js
         {
             if (!dynamicObject->IsCrossSiteObject())
             {
-                TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObjectAndPrototype", object);
+                if (JavascriptProxy::Is(dynamicObject))
+                {
+                    // We don't need to marshal the prototype chain in the case of Proxy. Otherwise we will go to the user code.
+                    TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObject", object);
+                    MarshalDynamicObject(scriptContext, dynamicObject);
+                }
+                else
+                {
+                    TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObjectAndPrototype", object);
 
-                MarshalDynamicObjectAndPrototype(scriptContext, dynamicObject);
+                    MarshalDynamicObjectAndPrototype(scriptContext, dynamicObject);
+                }
             }
         }
         else

Original file line number	Diff line number	Diff line change
`@@ -228,6 +228,9 @@ namespace Js`
`228`	`228`	`}`
`229`	`229`	`#endif`
`230`	`230`
	`231`	`+ // Marshaling should not cause any re-entrancy.`
	`232`	`+ JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());`
	`233`	`+`
`231`	`234`	`#if ENABLE_COPYONACCESS_ARRAY`
`232`	`235`	`JavascriptLibrary::CheckAndConvertCopyOnAccessNativeIntArray<Var>(object);`
`233`	`236`	`#endif`
`@@ -297,9 +300,18 @@ namespace Js`
`297`	`300`	`{`
`298`	`301`	`if (!dynamicObject->IsCrossSiteObject())`
`299`	`302`	`{`
`300`		`- TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObjectAndPrototype", object);`
	`303`	`+ if (JavascriptProxy::Is(dynamicObject))`
	`304`	`+ {`
	`305`	`+ // We don't need to marshal the prototype chain in the case of Proxy. Otherwise we will go to the user code.`
	`306`	`+ TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObject", object);`
	`307`	`+ MarshalDynamicObject(scriptContext, dynamicObject);`
	`308`	`+ }`
	`309`	`+ else`
	`310`	`+ {`
	`311`	`+ TTD_XSITE_LOG(object->GetScriptContext(), "MarshalDynamicObjectAndPrototype", object);`
`301`	`312`
`302`		`- MarshalDynamicObjectAndPrototype(scriptContext, dynamicObject);`
	`313`	`+ MarshalDynamicObjectAndPrototype(scriptContext, dynamicObject);`
	`314`	`+ }`
`303`	`315`	`}`
`304`	`316`	`}`
`305`	`317`	`else`