[CVE-2018-8381] Edge - Child Case of type confusion with EntrySimpleObjectSlotGetter

akroshg · aneeshdk · commit 1b77d5594161 · 2018-08-14T11:49:01.000-07:00
Marshalling should not be re-entrant. But due to proxy in the prototype chain - we could have prototype trap invoked and things can get worse from there.
We had put no-reentrancy macro in there but that protect us on RS3 and up.
In order to fix this, we need to check if the current object is proxy or not - in that case break the chain.
diff --git a/lib/Runtime/Base/CrossSite.cpp b/lib/Runtime/Base/CrossSite.cpp
@@ -99,6 +99,11 @@ namespace Js
             {
                 MarshalDynamicObject(scriptContext, prototypeObject);
             }
+            if (JavascriptProxy::Is(prototypeObject))
+            {
+                // Fetching prototype of proxy can invoke trap - which we don't want during the marshalling time.
+                break;
+            }
             prototype = prototypeObject->GetPrototype();
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,11 @@ namespace Js`
`99`	`99`	`{`
`100`	`100`	`MarshalDynamicObject(scriptContext, prototypeObject);`
`101`	`101`	`}`
	`102`	`+ if (JavascriptProxy::Is(prototypeObject))`
	`103`	`+ {`
	`104`	`+ // Fetching prototype of proxy can invoke trap - which we don't want during the marshalling time.`
	`105`	`+ break;`
	`106`	`+ }`
`102`	`107`	`prototype = prototypeObject->GetPrototype();`
`103`	`108`	`}`
`104`	`109`	`}`