CVE-2018-8543

sethbrenith · pleath · commit ef75eace57c0 · 2018-11-09T12:34:05.000-08:00
diff --git a/lib/Backend/IRBuilder.cpp b/lib/Backend/IRBuilder.cpp
@@ -3749,7 +3749,7 @@ IRBuilder::BuildElementSlotI1(Js::OpCode newOpcode, uint32 offset, Js::RegSlot r
 IR::Opnd*
 IRBuilder::GetEnvironmentOperand(uint32 offset)
 {
-    SymID symID;
+    StackSym* sym = nullptr;
     // The byte code doesn't refer directly to a closure environment. Get the implicit one
     // that's pointed to by the function body.
     if (m_func->DoStackFrameDisplay() && m_func->GetLocalFrameDisplaySym())
@@ -3760,19 +3760,35 @@ IRBuilder::GetEnvironmentOperand(uint32 offset)
         this->AddInstr(
             IR::Instr::New(Js::OpCode::LdSlotArr, regOpnd, fieldOpnd, m_func),
             offset);
-        symID = regOpnd->m_sym->m_id;
+        sym = regOpnd->m_sym;
     }
     else
     {
+        SymID symID;
         symID = this->GetEnvRegForInnerFrameDisplay();
         Assert(symID != Js::Constants::NoRegister);
         if (IsLoopBody() && !RegIsConstant(symID))
         {
             this->EnsureLoopBodyLoadSlot(symID);
         }
+
+        if (m_func->DoStackNestedFunc() && symID == GetEnvReg())
+        {
+            // Environment is not guaranteed constant during this function because it could become boxed during execution,
+            // so load the environment every time you need it.
+            IR::RegOpnd *regOpnd = IR::RegOpnd::New(TyVar, m_func);
+            this->AddInstr(
+                IR::Instr::New(Js::OpCode::LdEnv, regOpnd, m_func),
+                offset);
+            sym = regOpnd->m_sym;
+        }
+        else
+        {
+            sym = StackSym::FindOrCreate(symID, (Js::RegSlot)symID, m_func);
+        }
     }
 
-    return IR::RegOpnd::New(StackSym::FindOrCreate(symID, (Js::RegSlot)symID, m_func), TyVar, m_func);
+    return IR::RegOpnd::New(sym, TyVar, m_func);
 }
 
 template <typename SizePolicy>
diff --git a/lib/Backend/Inline.cpp b/lib/Backend/Inline.cpp
@@ -5146,6 +5146,10 @@ Inline::MapFormals(Func *inlinee,
                 else
                 {
                     instr->SetSrc1(funcObjOpnd);
+
+                    // This usage doesn't correspond with any byte code register, since interpreter stack frames
+                    // get their function reference via this->function rather than from a register.
+                    instr->GetSrc1()->SetIsJITOptimizedReg(true);
                 }
             }
             else

Original file line number	Diff line number	Diff line change
`@@ -5146,6 +5146,10 @@ Inline::MapFormals(Func *inlinee,`
`5146`	`5146`	`else`
`5147`	`5147`	`{`
`5148`	`5148`	`instr->SetSrc1(funcObjOpnd);`
	`5149`	`+`
	`5150`	`+ // This usage doesn't correspond with any byte code register, since interpreter stack frames`
	`5151`	`+ // get their function reference via this->function rather than from a register.`
	`5152`	`+ instr->GetSrc1()->SetIsJITOptimizedReg(true);`
`5149`	`5153`	`}`
`5150`	`5154`	`}`
`5151`	`5155`	`else`