[CVE-2018-8456] Edge - Chakra JIT Loop LandingPad ImplicitCall Bypass - Qihoo 360

Meghana Gupta · MikeHolman · commit 98360625854f · 2018-09-11T09:47:03.000-07:00
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -14500,13 +14500,23 @@ GlobOpt::OptHoistUpdateValueType(
                 // Replace above will free srcOpnd, so reassign it
                 *srcOpndPtr = srcOpnd = reinterpret_cast<IR::Opnd *>(strOpnd);
 
-                if (loop->bailOutInfo->bailOutInstr)
+                if (IsImplicitCallBailOutCurrentlyNeeded(convPrimStrInstr, opndValueInLandingPad, nullptr, landingPad, landingPad->globOptData.liveFields->IsEmpty(), true, true))
                 {
+                    EnsureBailTarget(loop);
                     loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr);
+                    convPrimStrInstr = convPrimStrInstr->ConvertToBailOutInstr(convPrimStrInstr, IR::BailOutOnImplicitCallsPreOp, loop->bailOutInfo->bailOutOffset);
+                    convPrimStrInstr->ReplaceBailOutInfo(loop->bailOutInfo);
                 }
                 else
                 {
-                    landingPad->InsertAfter(convPrimStrInstr);
+                    if (loop->bailOutInfo->bailOutInstr)
+                    {
+                        loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr);
+                    }
+                    else
+                    {
+                        landingPad->InsertAfter(convPrimStrInstr);
+                    }
                 }
 
                 // If we came here opndSym can't be PropertySym

Original file line number	Diff line number	Diff line change
`@@ -14500,13 +14500,23 @@ GlobOpt::OptHoistUpdateValueType(`
`14500`	`14500`	`// Replace above will free srcOpnd, so reassign it`
`14501`	`14501`	`srcOpndPtr = srcOpnd = reinterpret_cast<IR::Opnd >(strOpnd);`
`14502`	`14502`
`14503`		`- if (loop->bailOutInfo->bailOutInstr)`
	`14503`	`+ if (IsImplicitCallBailOutCurrentlyNeeded(convPrimStrInstr, opndValueInLandingPad, nullptr, landingPad, landingPad->globOptData.liveFields->IsEmpty(), true, true))`
`14504`	`14504`	`{`
	`14505`	`+ EnsureBailTarget(loop);`
`14505`	`14506`	`loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr);`
	`14507`	`+ convPrimStrInstr = convPrimStrInstr->ConvertToBailOutInstr(convPrimStrInstr, IR::BailOutOnImplicitCallsPreOp, loop->bailOutInfo->bailOutOffset);`
	`14508`	`+ convPrimStrInstr->ReplaceBailOutInfo(loop->bailOutInfo);`
`14506`	`14509`	`}`
`14507`	`14510`	`else`
`14508`	`14511`	`{`
`14509`		`- landingPad->InsertAfter(convPrimStrInstr);`
	`14512`	`+ if (loop->bailOutInfo->bailOutInstr)`
	`14513`	`+ {`
	`14514`	`+ loop->bailOutInfo->bailOutInstr->InsertBefore(convPrimStrInstr);`
	`14515`	`+ }`
	`14516`	`+ else`
	`14517`	`+ {`
	`14518`	`+ landingPad->InsertAfter(convPrimStrInstr);`
	`14519`	`+ }`
`14510`	`14520`	`}`
`14511`	`14521`
`14512`	`14522`	`// If we came here opndSym can't be PropertySym`