[CVE-2018-0953] Edge Chakra - JIT: Magic value can cause type confusion - Google, Inc.

rajatd · MSLaguana · commit 71d7b389a8e0 · 2018-05-08T11:17:40.000-07:00
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -4124,8 +4124,9 @@ BackwardPass::UpdateArrayBailOutKind(IR::Instr *const instr)
 
     IR::BailOutKind includeBailOutKinds = IR::BailOutInvalid;
     if(!baseValueType.IsNotNativeArray() &&
-        (!baseValueType.IsLikelyNativeArray() || instr->GetSrc1()->IsVar()) &&
-        !currentBlock->noImplicitCallNativeArrayUses->IsEmpty())
+        (!baseValueType.IsLikelyNativeArray() || !instr->GetSrc1()->IsInt32()) &&
+        !currentBlock->noImplicitCallNativeArrayUses->IsEmpty() &&
+        !(instr->GetBailOutKind() & IR::BailOutOnArrayAccessHelperCall))
     {
         // There is an upwards-exposed use of a native array. Since the array referenced by this instruction can be aliased,
         // this instruction needs to bail out if it converts the native array even if this array specifically is not
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -4530,6 +4530,10 @@ namespace Js
         ScriptContext* scriptContext,
         PropertyOperationFlags flags)
     {
+        
+        INT_PTR vt = (INT_PTR)nullptr;
+        vt = VirtualTableInfoBase::GetVirtualTable(instance);
+
         if (TaggedInt::Is(aElementIndex))
         {
             int32 indexInt = TaggedInt::ToInt32(aElementIndex);
@@ -4540,11 +4544,12 @@ namespace Js
                 {
                     arr->SetItem(indexInt, iValue);
                 }
-                return TRUE;
+                return vt != VirtualTableInfoBase::GetVirtualTable(instance);
             }
         }
 
-        return JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVar(iValue, scriptContext), scriptContext, flags);
+        JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVar(iValue, scriptContext), scriptContext, flags);
+        return vt != VirtualTableInfoBase::GetVirtualTable(instance);
     }
 
     BOOL JavascriptOperators::OP_SetNativeIntElementI_UInt32(
@@ -4586,6 +4591,10 @@ namespace Js
         PropertyOperationFlags flags,
         double dValue)
     {
+        
+        INT_PTR vt = (INT_PTR)nullptr;
+        vt = VirtualTableInfoBase::GetVirtualTable(instance);
+
         if (TaggedInt::Is(aElementIndex))
         {
             int32 indexInt = TaggedInt::ToInt32(aElementIndex);
@@ -4596,16 +4605,17 @@ namespace Js
                 {
                     arr->SetItem(indexInt, dValue);
                 }
-                return TRUE;
+                return vt != VirtualTableInfoBase::GetVirtualTable(instance);
             }
         }
 
-        return JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVarWithCheck(dValue, scriptContext), scriptContext, flags);
+        JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVarWithCheck(dValue, scriptContext), scriptContext, flags);
+        return vt != VirtualTableInfoBase::GetVirtualTable(instance);
     }
 
     BOOL JavascriptOperators::OP_SetNativeFloatElementI_UInt32(
-        Var instance, uint32
-        aElementIndex,
+        Var instance,
+        uint32 aElementIndex,
         ScriptContext* scriptContext,
         PropertyOperationFlags flags,
         double dValue)

Original file line number	Diff line number	Diff line change
`@@ -4530,6 +4530,10 @@ namespace Js`
`4530`	`4530`	`ScriptContext* scriptContext,`
`4531`	`4531`	`PropertyOperationFlags flags)`
`4532`	`4532`	`{`
	`4533`	`+`
	`4534`	`+ INT_PTR vt = (INT_PTR)nullptr;`
	`4535`	`+ vt = VirtualTableInfoBase::GetVirtualTable(instance);`
	`4536`	`+`
`4533`	`4537`	`if (TaggedInt::Is(aElementIndex))`
`4534`	`4538`	`{`
`4535`	`4539`	`int32 indexInt = TaggedInt::ToInt32(aElementIndex);`
`@@ -4540,11 +4544,12 @@ namespace Js`
`4540`	`4544`	`{`
`4541`	`4545`	`arr->SetItem(indexInt, iValue);`
`4542`	`4546`	`}`
`4543`		`- return TRUE;`
	`4547`	`+ return vt != VirtualTableInfoBase::GetVirtualTable(instance);`
`4544`	`4548`	`}`
`4545`	`4549`	`}`
`4546`	`4550`
`4547`		`- return JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVar(iValue, scriptContext), scriptContext, flags);`
	`4551`	`+ JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVar(iValue, scriptContext), scriptContext, flags);`
	`4552`	`+ return vt != VirtualTableInfoBase::GetVirtualTable(instance);`
`4548`	`4553`	`}`
`4549`	`4554`
`4550`	`4555`	`BOOL JavascriptOperators::OP_SetNativeIntElementI_UInt32(`
`@@ -4586,6 +4591,10 @@ namespace Js`
`4586`	`4591`	`PropertyOperationFlags flags,`
`4587`	`4592`	`double dValue)`
`4588`	`4593`	`{`
	`4594`	`+`
	`4595`	`+ INT_PTR vt = (INT_PTR)nullptr;`
	`4596`	`+ vt = VirtualTableInfoBase::GetVirtualTable(instance);`
	`4597`	`+`
`4589`	`4598`	`if (TaggedInt::Is(aElementIndex))`
`4590`	`4599`	`{`
`4591`	`4600`	`int32 indexInt = TaggedInt::ToInt32(aElementIndex);`
`@@ -4596,16 +4605,17 @@ namespace Js`
`4596`	`4605`	`{`
`4597`	`4606`	`arr->SetItem(indexInt, dValue);`
`4598`	`4607`	`}`
`4599`		`- return TRUE;`
	`4608`	`+ return vt != VirtualTableInfoBase::GetVirtualTable(instance);`
`4600`	`4609`	`}`
`4601`	`4610`	`}`
`4602`	`4611`
`4603`		`- return JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVarWithCheck(dValue, scriptContext), scriptContext, flags);`
	`4612`	`+ JavascriptOperators::OP_SetElementI(instance, aElementIndex, JavascriptNumber::ToVarWithCheck(dValue, scriptContext), scriptContext, flags);`
	`4613`	`+ return vt != VirtualTableInfoBase::GetVirtualTable(instance);`
`4604`	`4614`	`}`
`4605`	`4615`
`4606`	`4616`	`BOOL JavascriptOperators::OP_SetNativeFloatElementI_UInt32(`
`4607`		`- Var instance, uint32`
`4608`		`- aElementIndex,`
	`4617`	`+ Var instance,`
	`4618`	`+ uint32 aElementIndex,`
`4609`	`4619`	`ScriptContext* scriptContext,`
`4610`	`4620`	`PropertyOperationFlags flags,`
`4611`	`4621`	`double dValue)`