[CVE-2018-8473] Edge - Chakra: Stack corruption in the presence of nested inlinees

paolosevMSFT · Thomas Moore (CHAKRA) · commit a27864395a53 · 2018-10-08T11:26:36.000-07:00
In the presence of nested inlined functions, jitted code can bail out to the wrong function.
This fix disables the inline-args-optimization when it detects that the value of the functionObject symbol for an inlinee has changed between its InlineeStart and its InlineeEnd.
diff --git a/lib/Backend/GlobOptBailOut.cpp b/lib/Backend/GlobOptBailOut.cpp
@@ -583,6 +583,8 @@ GlobOpt::TrackCalls(IR::Instr * instr)
             instr->m_func->m_hasInlineArgsOpt = true;
             InlineeFrameInfo* frameInfo = InlineeFrameInfo::New(func->m_alloc);
             instr->m_func->frameInfo = frameInfo;
+            frameInfo->functionSymStartValue = instr->GetSrc1()->GetSym() ?
+                CurrentBlockData()->FindValue(instr->GetSrc1()->GetSym()) : nullptr;
             frameInfo->floatSyms = CurrentBlockData()->liveFloat64Syms->CopyNew(this->alloc);
             frameInfo->intSyms = CurrentBlockData()->liveInt32Syms->MinusNew(CurrentBlockData()->liveLossyInt32Syms, this->alloc);
             frameInfo->varSyms = CurrentBlockData()->liveVarSyms->CopyNew(this->alloc);
@@ -762,6 +764,15 @@ void GlobOpt::RecordInlineeFrameInfo(IR::Instr* inlineeEnd)
             }
             else
             {
+                // If the value of the functionObject symbol has changed between the inlineeStart and the inlineeEnd,
+                // we don't record the inlinee frame info (see OS#18318884).
+                Assert(frameInfo->functionSymStartValue != nullptr);
+                if (!frameInfo->functionSymStartValue->IsEqualTo(CurrentBlockData()->FindValue(functionObject->m_sym)))
+                {
+                    argInstr->m_func->DisableCanDoInlineArgOpt();
+                    return true;
+                }
+
                 frameInfo->function = InlineFrameInfoValue(functionObject->m_sym);
             }
         }
diff --git a/lib/Backend/InlineeFrameInfo.h b/lib/Backend/InlineeFrameInfo.h
@@ -5,6 +5,8 @@
 
 #pragma once
 
+class Value;
+
 struct BailoutConstantValue {
 public:
     void InitIntConstValue(int32 value) { this->type = TyInt32; this->u.intConst.value = (IntConstType)value; };
@@ -150,6 +152,7 @@ struct InlineeFrameInfo
     BVSparse<JitArenaAllocator>* floatSyms;
     BVSparse<JitArenaAllocator>* intSyms;
     BVSparse<JitArenaAllocator>* varSyms;
+    Value* functionSymStartValue;
 
     bool isRecorded;
 

Original file line number	Diff line number	Diff line change
`@@ -583,6 +583,8 @@ GlobOpt::TrackCalls(IR::Instr * instr)`
`583`	`583`	`instr->m_func->m_hasInlineArgsOpt = true;`
`584`	`584`	`InlineeFrameInfo* frameInfo = InlineeFrameInfo::New(func->m_alloc);`
`585`	`585`	`instr->m_func->frameInfo = frameInfo;`
	`586`	`+ frameInfo->functionSymStartValue = instr->GetSrc1()->GetSym() ?`
	`587`	`+ CurrentBlockData()->FindValue(instr->GetSrc1()->GetSym()) : nullptr;`
`586`	`588`	`frameInfo->floatSyms = CurrentBlockData()->liveFloat64Syms->CopyNew(this->alloc);`
`587`	`589`	`frameInfo->intSyms = CurrentBlockData()->liveInt32Syms->MinusNew(CurrentBlockData()->liveLossyInt32Syms, this->alloc);`
`588`	`590`	`frameInfo->varSyms = CurrentBlockData()->liveVarSyms->CopyNew(this->alloc);`
`@@ -762,6 +764,15 @@ void GlobOpt::RecordInlineeFrameInfo(IR::Instr* inlineeEnd)`
`762`	`764`	`}`
`763`	`765`	`else`
`764`	`766`	`{`
	`767`	`+ // If the value of the functionObject symbol has changed between the inlineeStart and the inlineeEnd,`
	`768`	`+ // we don't record the inlinee frame info (see OS#18318884).`
	`769`	`+ Assert(frameInfo->functionSymStartValue != nullptr);`
	`770`	`+ if (!frameInfo->functionSymStartValue->IsEqualTo(CurrentBlockData()->FindValue(functionObject->m_sym)))`
	`771`	`+ {`
	`772`	`+ argInstr->m_func->DisableCanDoInlineArgOpt();`
	`773`	`+ return true;`
	`774`	`+ }`
	`775`	`+`
`765`	`776`	`frameInfo->function = InlineFrameInfoValue(functionObject->m_sym);`
`766`	`777`	`}`
`767`	`778`	`}`