[CVE-2019-0610] Chakra JIT server EnsureLoopBodyLoadSlot out-of-bounds read&write

MikeHolman · MikeHolman · commit bdd22d1b6e11 · 2019-02-07T11:33:41.000-08:00
diff --git a/lib/Backend/IRBuilder.cpp b/lib/Backend/IRBuilder.cpp
@@ -774,6 +774,8 @@ IRBuilder::Build()
                     if (!this->RegIsTemp(dstRegSlot) && !this->RegIsConstant(dstRegSlot))
                     {
                         SymID symId = dstSym->m_id;
+
+                        AssertOrFailFast(symId < m_stSlots->Length());
                         if (this->m_stSlots->Test(symId))
                         {
                             // For jitted loop bodies that are in a try block, we consider any symbol that has a
@@ -4135,7 +4137,12 @@ IRBuilder::EnsureLoopBodyLoadSlot(SymID symId, bool isCatchObjectSym)
         return;
     }
     StackSym * symDst = StackSym::FindOrCreate(symId, (Js::RegSlot)symId, m_func);
-    if (symDst->m_isCatchObjectSym || this->m_ldSlots->TestAndSet(symId))
+    if (symDst->m_isCatchObjectSym)
+    {
+        return;
+    }
+    AssertOrFailFast(symId < m_ldSlots->Length());
+    if (this->m_ldSlots->TestAndSet(symId))
     {
         return;
     }
@@ -4179,6 +4186,7 @@ IRBuilder::SetLoopBodyStSlot(SymID symID, bool isCatchObjectSym)
             return;
         }
     }
+    AssertOrFailFast(symID < m_stSlots->Length());
     this->m_stSlots->Set(symID);
 }
 
diff --git a/lib/Backend/IRBuilderAsmJs.cpp b/lib/Backend/IRBuilderAsmJs.cpp
@@ -3570,7 +3570,10 @@ IRBuilderAsmJs::BuildAsmJsLoopBodySlotOpnd(Js::RegSlot regSlot, IRType opndType)
 void
 IRBuilderAsmJs::EnsureLoopBodyAsmJsLoadSlot(Js::RegSlot regSlot, IRType type)
 {
-    if (GetJitLoopBodyData().GetLdSlots()->TestAndSet(regSlot))
+    BVFixed* ldSlotsBV = GetJitLoopBodyData().GetLdSlots();
+
+    AssertOrFailFast(regSlot < ldSlotsBV->Length());
+    if (ldSlotsBV->TestAndSet(regSlot))
     {
         return;
     }
@@ -3592,7 +3595,6 @@ void
 IRBuilderAsmJs::EnsureLoopBodyAsmJsStoreSlot(Js::RegSlot regSlot, IRType type)
 {
     Assert(!RegIsTemp(regSlot) || RegIsJitLoopYield(regSlot));
-    GetJitLoopBodyData().GetStSlots()->Set(regSlot);
     EnsureLoopBodyAsmJsLoadSlot(regSlot, type);
 }
 
diff --git a/lib/Backend/IRBuilderAsmJs.h b/lib/Backend/IRBuilderAsmJs.h
@@ -26,7 +26,6 @@ struct JitLoopBodyData
 {
 private:
     BVFixed* m_ldSlots = nullptr;
-    BVFixed* m_stSlots = nullptr;
     StackSym* m_loopBodyRetIPSym = nullptr;
     BVFixed* m_yieldRegs = nullptr;
     uint32 m_loopCurRegs[WAsmJs::LIMIT];
@@ -36,7 +35,6 @@ struct JitLoopBodyData
     {
         Assert(ldSlots && stSlots && loopBodyRetIPSym);
         m_ldSlots = ldSlots;
-        m_stSlots = stSlots;
         m_loopBodyRetIPSym = loopBodyRetIPSym;
     }
     // Use m_yieldRegs initialization to determine if m_loopCurRegs is initialized
@@ -57,14 +55,19 @@ struct JitLoopBodyData
     }
     bool IsYieldReg(Js::RegSlot reg) const
     {
-        return  m_yieldRegs && m_yieldRegs->Test(reg);
+        if (!m_yieldRegs)
+        {
+            return false;
+        }
+        AssertOrFailFast(reg < m_yieldRegs->Length());
+        return m_yieldRegs->Test(reg);
     }
     void SetRegIsYield(Js::RegSlot reg)
     {
         Assert(m_yieldRegs);
+        AssertOrFailFast(reg < m_yieldRegs->Length());
         m_yieldRegs->Set(reg);
     }
-    BVFixed* GetStSlots() const { return m_stSlots; }
     BVFixed* GetLdSlots() const { return m_ldSlots; }
     StackSym* GetLoopBodyRetIPSym() const { return m_loopBodyRetIPSym; }
 

Original file line number	Diff line number	Diff line change
`@@ -774,6 +774,8 @@ IRBuilder::Build()`
`774`	`774`	`if (!this->RegIsTemp(dstRegSlot) && !this->RegIsConstant(dstRegSlot))`
`775`	`775`	`{`
`776`	`776`	`SymID symId = dstSym->m_id;`
	`777`	`+`
	`778`	`+ AssertOrFailFast(symId < m_stSlots->Length());`
`777`	`779`	`if (this->m_stSlots->Test(symId))`
`778`	`780`	`{`
`779`	`781`	`// For jitted loop bodies that are in a try block, we consider any symbol that has a`
`@@ -4135,7 +4137,12 @@ IRBuilder::EnsureLoopBodyLoadSlot(SymID symId, bool isCatchObjectSym)`
`4135`	`4137`	`return;`
`4136`	`4138`	`}`
`4137`	`4139`	`StackSym * symDst = StackSym::FindOrCreate(symId, (Js::RegSlot)symId, m_func);`
`4138`		`- if (symDst->m_isCatchObjectSym \|\| this->m_ldSlots->TestAndSet(symId))`
	`4140`	`+ if (symDst->m_isCatchObjectSym)`
	`4141`	`+ {`
	`4142`	`+ return;`
	`4143`	`+ }`
	`4144`	`+ AssertOrFailFast(symId < m_ldSlots->Length());`
	`4145`	`+ if (this->m_ldSlots->TestAndSet(symId))`
`4139`	`4146`	`{`
`4140`	`4147`	`return;`
`4141`	`4148`	`}`
`@@ -4179,6 +4186,7 @@ IRBuilder::SetLoopBodyStSlot(SymID symID, bool isCatchObjectSym)`
`4179`	`4186`	`return;`
`4180`	`4187`	`}`
`4181`	`4188`	`}`
	`4189`	`+ AssertOrFailFast(symID < m_stSlots->Length());`
`4182`	`4190`	`this->m_stSlots->Set(symID);`
`4183`	`4191`	`}`
`4184`	`4192`
Original file line number	Diff line number	Diff line change
`@@ -3570,7 +3570,10 @@ IRBuilderAsmJs::BuildAsmJsLoopBodySlotOpnd(Js::RegSlot regSlot, IRType opndType)`
`3570`	`3570`	`void`
`3571`	`3571`	`IRBuilderAsmJs::EnsureLoopBodyAsmJsLoadSlot(Js::RegSlot regSlot, IRType type)`
`3572`	`3572`	`{`
`3573`		`- if (GetJitLoopBodyData().GetLdSlots()->TestAndSet(regSlot))`
	`3573`	`+ BVFixed* ldSlotsBV = GetJitLoopBodyData().GetLdSlots();`
	`3574`	`+`
	`3575`	`+ AssertOrFailFast(regSlot < ldSlotsBV->Length());`
	`3576`	`+ if (ldSlotsBV->TestAndSet(regSlot))`
`3574`	`3577`	`{`
`3575`	`3578`	`return;`
`3576`	`3579`	`}`
`@@ -3592,7 +3595,6 @@ void`
`3592`	`3595`	`IRBuilderAsmJs::EnsureLoopBodyAsmJsStoreSlot(Js::RegSlot regSlot, IRType type)`
`3593`	`3596`	`{`
`3594`	`3597`	`Assert(!RegIsTemp(regSlot) \|\| RegIsJitLoopYield(regSlot));`
`3595`		`- GetJitLoopBodyData().GetStSlots()->Set(regSlot);`
`3596`	`3598`	`EnsureLoopBodyAsmJsLoadSlot(regSlot, type);`
`3597`	`3599`	`}`
`3598`	`3600`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@ struct JitLoopBodyData`
`26`	`26`	`{`
`27`	`27`	`private:`
`28`	`28`	`BVFixed* m_ldSlots = nullptr;`
`29`		`- BVFixed* m_stSlots = nullptr;`
`30`	`29`	`StackSym* m_loopBodyRetIPSym = nullptr;`
`31`	`30`	`BVFixed* m_yieldRegs = nullptr;`
`32`	`31`	`uint32 m_loopCurRegs[WAsmJs::LIMIT];`
`@@ -36,7 +35,6 @@ struct JitLoopBodyData`
`36`	`35`	`{`
`37`	`36`	`Assert(ldSlots && stSlots && loopBodyRetIPSym);`
`38`	`37`	`m_ldSlots = ldSlots;`
`39`		`- m_stSlots = stSlots;`
`40`	`38`	`m_loopBodyRetIPSym = loopBodyRetIPSym;`
`41`	`39`	`}`
`42`	`40`	`// Use m_yieldRegs initialization to determine if m_loopCurRegs is initialized`
`@@ -57,14 +55,19 @@ struct JitLoopBodyData`
`57`	`55`	`}`
`58`	`56`	`bool IsYieldReg(Js::RegSlot reg) const`
`59`	`57`	`{`
`60`		`- return m_yieldRegs && m_yieldRegs->Test(reg);`
	`58`	`+ if (!m_yieldRegs)`
	`59`	`+ {`
	`60`	`+ return false;`
	`61`	`+ }`
	`62`	`+ AssertOrFailFast(reg < m_yieldRegs->Length());`
	`63`	`+ return m_yieldRegs->Test(reg);`
`61`	`64`	`}`
`62`	`65`	`void SetRegIsYield(Js::RegSlot reg)`
`63`	`66`	`{`
`64`	`67`	`Assert(m_yieldRegs);`
	`68`	`+ AssertOrFailFast(reg < m_yieldRegs->Length());`
`65`	`69`	`m_yieldRegs->Set(reg);`
`66`	`70`	`}`
`67`		`- BVFixed* GetStSlots() const { return m_stSlots; }`
`68`	`71`	`BVFixed* GetLdSlots() const { return m_ldSlots; }`
`69`	`72`	`StackSym* GetLoopBodyRetIPSym() const { return m_loopBodyRetIPSym; }`
`70`	`73`