[CVE-2019-1106] Chakra JIT Overflow

MikeHolman · atulkatti · commit 362e96537af2 · 2019-07-01T12:08:27.000-07:00
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -345,6 +345,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
             case RejitReason::TrackIntOverflowDisabled:
                 outputData->disableTrackCompoundedIntOverflow = TRUE;
                 break;
+            case RejitReason::MemOpDisabled:
+                outputData->disableMemOp = TRUE;
+                break;
             default:
                 Assume(UNREACHED);
             }
@@ -1124,6 +1127,12 @@ Func::IsTrackCompoundedIntOverflowDisabled() const
     return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsTrackCompoundedIntOverflowDisabled()) || m_output.IsTrackCompoundedIntOverflowDisabled();
 }
 
+bool
+Func::IsMemOpDisabled() const
+{
+    return (HasProfileInfo() && GetReadOnlyProfileInfo()->IsMemOpDisabled()) || m_output.IsMemOpDisabled();
+}
+
 bool
 Func::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/Func.h b/lib/Backend/Func.h
@@ -995,6 +995,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     void SetScopeObjSym(StackSym * sym);
     StackSym * GetScopeObjSym();
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -2624,7 +2624,7 @@ GlobOpt::OptInstr(IR::Instr *&instr, bool* isInstrRemoved)
         !(instr->IsJitProfilingInstr()) &&
         this->currentBlock->loop && !IsLoopPrePass() &&
         !func->IsJitInDebugMode() &&
-        (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&
+        !func->IsMemOpDisabled() &&
         this->currentBlock->loop->doMemOp)
     {
         CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);
@@ -16686,7 +16686,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In
     }
     else
     {
-        uint size = (loopCount->LoopCountMinusOneConstantValue() + 1)  * unroll;
+        int32 loopCountMinusOnePlusOne;
+        int32 size;
+        if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) ||
+            Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))
+        {
+            throw Js::RejitException(RejitReason::MemOpDisabled);
+        }
+        Assert(size > 0);
         sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);
     }
     loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);
diff --git a/lib/Backend/JITOutput.cpp b/lib/Backend/JITOutput.cpp
@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const
     return m_outputData->disableTrackCompoundedIntOverflow != FALSE;
 }
 
+bool
+JITOutput::IsMemOpDisabled() const
+{
+    return m_outputData->disableMemOp != FALSE;
+}
+
 bool
 JITOutput::IsArrayCheckHoistDisabled() const
 {
diff --git a/lib/Backend/JITOutput.h b/lib/Backend/JITOutput.h
@@ -22,6 +22,7 @@ class JITOutput
     void RecordXData(BYTE * xdata);
 #endif
     bool IsTrackCompoundedIntOverflowDisabled() const;
+    bool IsMemOpDisabled() const;
     bool IsArrayCheckHoistDisabled() const;
     bool IsStackArgOptDisabled() const;
     bool IsSwitchOptDisabled() const;
diff --git a/lib/Backend/NativeCodeGenerator.cpp b/lib/Backend/NativeCodeGenerator.cpp
@@ -1234,6 +1234,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor
         {
             body->GetAnyDynamicProfileInfo()->DisableTrackCompoundedIntOverflow();
         }
+        if (jitWriteData.disableMemOp)
+        {
+            body->GetAnyDynamicProfileInfo()->DisableMemOp();
+        }
     }
 
     if (jitWriteData.disableInlineApply)
diff --git a/lib/JITIDL/JITTypes.h b/lib/JITIDL/JITTypes.h
@@ -838,37 +838,42 @@ typedef struct JITOutputIDL
     boolean disableStackArgOpt;
     boolean disableSwitchOpt;
     boolean disableTrackCompoundedIntOverflow;
-    boolean isInPrereservedRegion;
+    boolean disableMemOp;
 
+    boolean isInPrereservedRegion;
     boolean hasBailoutInstr;
-
     boolean hasJittedStackClosure;
+    IDL_PAD1(0)
 
     unsigned short pdataCount;
     unsigned short xdataSize;
 
     unsigned short argUsedForBranch;
+    IDL_PAD2(1)
 
     int localVarSlotsOffset; // FunctionEntryPointInfo only
+
     int localVarChangedOffset; // FunctionEntryPointInfo only
     unsigned int frameHeight;
 
-
     unsigned int codeSize;
     unsigned int throwMapOffset;
+
     unsigned int throwMapCount;
     unsigned int inlineeFrameOffsetArrayOffset;
-    unsigned int inlineeFrameOffsetArrayCount;
 
+    unsigned int inlineeFrameOffsetArrayCount;
     unsigned int propertyGuardCount;
+
     unsigned int ctorCachesCount;
+    X64_PAD4(2)
 
 #if TARGET_64
     CHAKRA_PTR xdataAddr;
 #elif defined(_M_ARM)
     unsigned int xdataOffset;
 #else
-    X86_PAD4(0)
+    X86_PAD4(3)
 #endif
     CHAKRA_PTR codeAddress;
     CHAKRA_PTR thunkAddress;

Original file line number	Diff line number	Diff line change
`@@ -2624,7 +2624,7 @@ GlobOpt::OptInstr(IR::Instr &instr, bool isInstrRemoved)`
`2624`	`2624`	`!(instr->IsJitProfilingInstr()) &&`
`2625`	`2625`	`this->currentBlock->loop && !IsLoopPrePass() &&`
`2626`	`2626`	`!func->IsJitInDebugMode() &&`
`2627`		`- (func->HasProfileInfo() && !func->GetReadOnlyProfileInfo()->IsMemOpDisabled()) &&`
	`2627`	`+ !func->IsMemOpDisabled() &&`
`2628`	`2628`	`this->currentBlock->loop->doMemOp)`
`2629`	`2629`	`{`
`2630`	`2630`	`CollectMemOpInfo(instrPrev, instr, src1Val, src2Val);`
`@@ -16686,7 +16686,14 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In`
`16686`	`16686`	`}`
`16687`	`16687`	`else`
`16688`	`16688`	`{`
`16689`		`- uint size = (loopCount->LoopCountMinusOneConstantValue() + 1) * unroll;`
	`16689`	`+ int32 loopCountMinusOnePlusOne;`
	`16690`	`+ int32 size;`
	`16691`	`+ if (Int32Math::Add(loopCount->LoopCountMinusOneConstantValue(), 1, &loopCountMinusOnePlusOne) \|\|`
	`16692`	`+ Int32Math::Mul(loopCountMinusOnePlusOne, unroll, &size))`
	`16693`	`+ {`
	`16694`	`+ throw Js::RejitException(RejitReason::MemOpDisabled);`
	`16695`	`+ }`
	`16696`	`+ Assert(size > 0);`
`16690`	`16697`	`sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);`
`16691`	`16698`	`}`
`16692`	`16699`	`loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,12 @@ JITOutput::IsTrackCompoundedIntOverflowDisabled() const`
`65`	`65`	`return m_outputData->disableTrackCompoundedIntOverflow != FALSE;`
`66`	`66`	`}`
`67`	`67`
	`68`	`+bool`
	`69`	`+JITOutput::IsMemOpDisabled() const`
	`70`	`+{`
	`71`	`+ return m_outputData->disableMemOp != FALSE;`
	`72`	`+}`
	`73`	`+`
`68`	`74`	`bool`
`69`	`75`	`JITOutput::IsArrayCheckHoistDisabled() const`
`70`	`76`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1234,6 +1234,10 @@ NativeCodeGenerator::CodeGen(PageAllocator * pageAllocator, CodeGenWorkItem* wor`
`1234`	`1234`	`{`
`1235`	`1235`	`body->GetAnyDynamicProfileInfo()->DisableTrackCompoundedIntOverflow();`
`1236`	`1236`	`}`
	`1237`	`+ if (jitWriteData.disableMemOp)`
	`1238`	`+ {`
	`1239`	`+ body->GetAnyDynamicProfileInfo()->DisableMemOp();`
	`1240`	`+ }`
`1237`	`1241`	`}`
`1238`	`1242`
`1239`	`1243`	`if (jitWriteData.disableInlineApply)`