[CVE-2019-1197] Chakra JIT Type Confusion

MikeHolman · wyrichte · commit bf52b6cfa96d · 2019-08-13T08:48:32.000-07:00
diff --git a/lib/Backend/GlobOptIntBounds.cpp b/lib/Backend/GlobOptIntBounds.cpp
@@ -1278,13 +1278,20 @@ GlobOpt::InvalidateInductionVariables(IR::Instr * instr)
     }
 
     // If this is an induction variable, then treat it the way the prepass would have if it had seen
-    // the assignment and the resulting change to the value number, and mark it as indeterminate.
+    // the assignment and the resulting change to the value number, and mark induction variables
+    // for the loop as indeterminate.
+    // We need to invalidate all induction variables for the loop, because we might have used the
+    // invalidated induction variable to calculate the loopCount, and this now invalid loopCount
+    // also impacts bound checks for secondary induction variables
     for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)
     {
-        InductionVariable *iv = nullptr;
-        if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))
+        if (loop->inductionVariables && loop->inductionVariables->ContainsKey(dstSym->m_id))
         {
-            iv->SetChangeIsIndeterminate();
+            for (auto it = loop->inductionVariables->GetIterator(); it.IsValid(); it.MoveNext())
+            {
+                InductionVariable& inductionVariable = it.CurrentValueReference();
+                inductionVariable.SetChangeIsIndeterminate();
+            }
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1278,13 +1278,20 @@ GlobOpt::InvalidateInductionVariables(IR::Instr * instr)`
`1278`	`1278`	`}`
`1279`	`1279`
`1280`	`1280`	`// If this is an induction variable, then treat it the way the prepass would have if it had seen`
`1281`		`- // the assignment and the resulting change to the value number, and mark it as indeterminate.`
	`1281`	`+ // the assignment and the resulting change to the value number, and mark induction variables`
	`1282`	`+ // for the loop as indeterminate.`
	`1283`	`+ // We need to invalidate all induction variables for the loop, because we might have used the`
	`1284`	`+ // invalidated induction variable to calculate the loopCount, and this now invalid loopCount`
	`1285`	`+ // also impacts bound checks for secondary induction variables`
`1282`	`1286`	`for (Loop * loop = this->currentBlock->loop; loop; loop = loop->parent)`
`1283`	`1287`	`{`
`1284`		`- InductionVariable *iv = nullptr;`
`1285`		`- if (loop->inductionVariables && loop->inductionVariables->TryGetReference(dstSym->m_id, &iv))`
	`1288`	`+ if (loop->inductionVariables && loop->inductionVariables->ContainsKey(dstSym->m_id))`
`1286`	`1289`	`{`
`1287`		`- iv->SetChangeIsIndeterminate();`
	`1290`	`+ for (auto it = loop->inductionVariables->GetIterator(); it.IsValid(); it.MoveNext())`
	`1291`	`+ {`
	`1292`	`+ InductionVariable& inductionVariable = it.CurrentValueReference();`
	`1293`	`+ inductionVariable.SetChangeIsIndeterminate();`
	`1294`	`+ }`
`1288`	`1295`	`}`
`1289`	`1296`	`}`
`1290`	`1297`	`}`