CVE-2018-8624 Edge - Chakra JIT Overflow

wyrichte · akroshg · commit 8264b9bcdb08 · 2018-12-10T10:53:00.000-08:00
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -8669,7 +8669,15 @@ BackwardPass::RestoreInductionVariableValuesAfterMemOp(Loop *loop)
 
         IR::Opnd *inductionVariableOpnd = IR::RegOpnd::New(sym, IRType::TyInt32, localFunc);
         IR::Opnd *sizeOpnd = globOpt->GenerateInductionVariableChangeForMemOp(loop, inductionVariableChangeInfo.unroll);
-        loop->landingPad->InsertAfter(IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc()));
+        IR::Instr* restoreInductionVarInstr = IR::Instr::New(opCode, inductionVariableOpnd, inductionVariableOpnd, sizeOpnd, loop->GetFunc());
+
+        // The IR that restores the induction variable's value is placed before the MemOp. Since this IR can
+        // bailout to the loop's landing pad, placing this IR before the MemOp avoids performing the MemOp,
+        // bailing out because of this IR, and then performing the effects of the loop again.
+        loop->landingPad->InsertInstrBefore(restoreInductionVarInstr, loop->memOpInfo->instr);
+
+        // If restoring an induction variable results in an overflow, bailout to the loop's landing pad.
+        restoreInductionVarInstr->ConvertToBailOutInstr(loop->bailOutInfo, IR::BailOutOnOverflow);
     };
 
     for (auto it = loop->memOpInfo->inductionVariableChangeInfoMap->GetIterator(); it.IsValid(); it.MoveNext())
diff --git a/lib/Backend/FlowGraph.h b/lib/Backend/FlowGraph.h
@@ -694,6 +694,7 @@ class Loop
         // Temporary map to reuse existing startIndexOpnd while emitting
         // 0 = !increment & !alreadyChanged, 1 = !increment & alreadyChanged, 2 = increment & !alreadyChanged, 3 = increment & alreadyChanged
         IR::RegOpnd* startIndexOpndCache[4];
+        IR::Instr* instr;
     } MemOpInfo;
 
     bool doMemOp : 1;
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -16854,6 +16854,9 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount *loopCount, const MemOpEmitData* emitD
     memopInstr->SetSrc2(sizeOpnd);
     insertBeforeInstr->InsertBefore(memopInstr);
 
+
+    loop->memOpInfo->instr = memopInstr;
+
 #if DBG_DUMP
     if (DO_MEMOP_TRACE())
     {

Original file line number	Diff line number	Diff line change
`@@ -16854,6 +16854,9 @@ GlobOpt::EmitMemop(Loop * loop, LoopCount loopCount, const MemOpEmitData emitD`
`16854`	`16854`	`memopInstr->SetSrc2(sizeOpnd);`
`16855`	`16855`	`insertBeforeInstr->InsertBefore(memopInstr);`
`16856`	`16856`
	`16857`	`+`
	`16858`	`+ loop->memOpInfo->instr = memopInstr;`
	`16859`	`+`
`16857`	`16860`	`#if DBG_DUMP`
`16858`	`16861`	`if (DO_MEMOP_TRACE())`
`16859`	`16862`	`{`