[CVE-2018-0872] edge Array buffer UAF vulnerability

pleath · akroshg · commit 8b229ce07220 · 2018-03-12T11:56:15.000-07:00
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -13443,6 +13443,9 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
         return;
     }
 
+    const bool isLikelyVirtualTypedArray = baseValueType.IsLikelyOptimizedVirtualTypedArray();
+    Assert(!(isLikelyJsArray && isLikelyVirtualTypedArray));
+
     ValueType newBaseValueType(baseValueType.ToDefiniteObject());
     if(isLikelyJsArray && newBaseValueType.HasNoMissingValues() && !DoArrayMissingValueCheckHoist())
     {
@@ -13773,7 +13776,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
             {
                 const JsArrayKills loopKills(loop->jsArrayKills);
                 Value *baseValueInLoopLandingPad = nullptr;
-                if((isLikelyJsArray && loopKills.KillsValueType(newBaseValueType)) ||
+                if(((isLikelyJsArray || isLikelyVirtualTypedArray) && loopKills.KillsValueType(newBaseValueType)) ||
                     !OptIsInvariant(baseOpnd->m_sym, currentBlock, loop, baseValue, true, true, &baseValueInLoopLandingPad) ||
                     !(doArrayChecks || baseValueInLoopLandingPad->GetValueInfo()->IsObject()))
                 {
@@ -17387,7 +17390,9 @@ GlobOpt::DoArrayCheckHoist(const ValueType baseValueType, Loop* loop, IR::Instr
         return false;
     }
 
-    if(!baseValueType.IsLikelyArrayOrObjectWithArray() ||
+    // This includes typed arrays, but not virtual typed arrays, whose vtable can change if the buffer goes away.
+    // Note that in the virtual case the vtable check is the only way to catch this, since there's no bound check.
+    if(!(baseValueType.IsLikelyArrayOrObjectWithArray() || baseValueType.IsLikelyOptimizedVirtualTypedArray()) ||
         (loop ? ImplicitCallFlagsAllowOpts(loop) : ImplicitCallFlagsAllowOpts(func)))
     {
         return true;
diff --git a/lib/Backend/GlobOpt.h b/lib/Backend/GlobOpt.h
@@ -332,12 +332,16 @@ class JsArrayKills
 public:
     bool KillsValueType(const ValueType valueType) const
     {
-        Assert(valueType.IsArrayOrObjectWithArray());
+        Assert(valueType.IsArrayOrObjectWithArray() || valueType.IsOptimizedVirtualTypedArray());
 
         return
             killsAllArrays ||
-            (killsArraysWithNoMissingValues && valueType.HasNoMissingValues()) ||
-            (killsNativeArrays && !valueType.HasVarElements());
+            (valueType.IsArrayOrObjectWithArray() && 
+             (
+              (killsArraysWithNoMissingValues && valueType.HasNoMissingValues()) ||
+              (killsNativeArrays && !valueType.HasVarElements())
+             )
+            );
     }
 
     bool AreSubsetOf(const JsArrayKills &other) const

Original file line number	Diff line number	Diff line change
`@@ -13443,6 +13443,9 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)`
`13443`	`13443`	`return;`
`13444`	`13444`	`}`
`13445`	`13445`
	`13446`	`+ const bool isLikelyVirtualTypedArray = baseValueType.IsLikelyOptimizedVirtualTypedArray();`
	`13447`	`+ Assert(!(isLikelyJsArray && isLikelyVirtualTypedArray));`
	`13448`	`+`
`13446`	`13449`	`ValueType newBaseValueType(baseValueType.ToDefiniteObject());`
`13447`	`13450`	`if(isLikelyJsArray && newBaseValueType.HasNoMissingValues() && !DoArrayMissingValueCheckHoist())`
`13448`	`13451`	`{`
`@@ -13773,7 +13776,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)`
`13773`	`13776`	`{`
`13774`	`13777`	`const JsArrayKills loopKills(loop->jsArrayKills);`
`13775`	`13778`	`Value *baseValueInLoopLandingPad = nullptr;`
`13776`		`- if((isLikelyJsArray && loopKills.KillsValueType(newBaseValueType)) \|\|`
	`13779`	`+ if(((isLikelyJsArray \|\| isLikelyVirtualTypedArray) && loopKills.KillsValueType(newBaseValueType)) \|\|`
`13777`	`13780`	`!OptIsInvariant(baseOpnd->m_sym, currentBlock, loop, baseValue, true, true, &baseValueInLoopLandingPad) \|\|`
`13778`	`13781`	`!(doArrayChecks \|\| baseValueInLoopLandingPad->GetValueInfo()->IsObject()))`
`13779`	`13782`	`{`
`@@ -17387,7 +17390,9 @@ GlobOpt::DoArrayCheckHoist(const ValueType baseValueType, Loop* loop, IR::Instr`
`17387`	`17390`	`return false;`
`17388`	`17391`	`}`
`17389`	`17392`
`17390`		`- if(!baseValueType.IsLikelyArrayOrObjectWithArray() \|\|`
	`17393`	`+ // This includes typed arrays, but not virtual typed arrays, whose vtable can change if the buffer goes away.`
	`17394`	`+ // Note that in the virtual case the vtable check is the only way to catch this, since there's no bound check.`
	`17395`	`+ if(!(baseValueType.IsLikelyArrayOrObjectWithArray() \|\| baseValueType.IsLikelyOptimizedVirtualTypedArray()) \|\|`
`17391`	`17396`	`(loop ? ImplicitCallFlagsAllowOpts(loop) : ImplicitCallFlagsAllowOpts(func)))`
`17392`	`17397`	`{`
`17393`	`17398`	`return true;`