[CVE-2018-8500] RCE after cleanup of jitted entry points

pleath · Thomas Moore (CHAKRA) · commit cd84a0b85b4b · 2018-10-08T11:30:09.000-07:00
diff --git a/lib/Runtime/Base/FunctionBody.cpp b/lib/Runtime/Base/FunctionBody.cpp
@@ -2105,7 +2105,7 @@ namespace Js
     {
         FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList();
 
-        Assert(functionType != deferredPrototypeType);
+        Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);
         Recycler * recycler = this->GetScriptContext()->GetRecycler();
         FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType);
         typeList->SetAtFirstFreeSpot(weakRef);
diff --git a/lib/Runtime/Base/FunctionBody.h b/lib/Runtime/Base/FunctionBody.h
@@ -1088,8 +1088,10 @@ namespace Js
             {
                 func(this->deferredPrototypeType);
             }
-            // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list
-            // of registered function object types we processed above.
+            if (this->undeferredFunctionType)
+            {
+                func(this->undeferredFunctionType);
+            }
         }
 
         static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }

Original file line number	Diff line number	Diff line change
`@@ -2105,7 +2105,7 @@ namespace Js`
`2105`	`2105`	`{`
`2106`	`2106`	`FunctionTypeWeakRefList* typeList = EnsureFunctionObjectTypeList();`
`2107`	`2107`
`2108`		`- Assert(functionType != deferredPrototypeType);`
	`2108`	`+ Assert(functionType != deferredPrototypeType && functionType != undeferredFunctionType);`
`2109`	`2109`	`Recycler * recycler = this->GetScriptContext()->GetRecycler();`
`2110`	`2110`	`FunctionTypeWeakRef* weakRef = recycler->CreateWeakReferenceHandle(functionType);`
`2111`	`2111`	`typeList->SetAtFirstFreeSpot(weakRef);`
Original file line number	Diff line number	Diff line change
`@@ -1088,8 +1088,10 @@ namespace Js`
`1088`	`1088`	`{`
`1089`	`1089`	`func(this->deferredPrototypeType);`
`1090`	`1090`	`}`
`1091`		`- // NOTE: We deliberately do not map the undeferredFunctionType here, since it's in the list`
`1092`		`- // of registered function object types we processed above.`
	`1091`	`+ if (this->undeferredFunctionType)`
	`1092`	`+ {`
	`1093`	`+ func(this->undeferredFunctionType);`
	`1094`	`+ }`
`1093`	`1095`	`}`
`1094`	`1096`
`1095`	`1097`	`static uint GetOffsetOfDeferredPrototypeType() { return static_cast<uint>(offsetof(Js::FunctionProxy, deferredPrototypeType)); }`