[CVE-2018-8287] Edge - Chakra Internet Explorer - Use after free in jscript9.dll after closing WebBrowserControl - Internal.

Author: atulkatti

lib/Runtime/Base/ThreadServiceWrapperBase.cpp

@@ -78,6 +78,13 @@ bool ThreadServiceWrapperBase::ScheduleIdleCollect(uint ticks, bool scheduleAsTa
 
 bool ThreadServiceWrapperBase::IdleCollect()
 {
+    // Tracking service does not AddRef/Release the thread service and only keeps a function pointer and context parameter (this pointer)
+    // to execute the IdleCollect callback. It is possible that the tracking service gets destroyed as part of the collection
+    // during this IdleCollect. If that happens then we need to make sure ThreadService (which may be owned by the tracking service)
+    // is kept alive until this callback completes. Any pending timer is killed in the thread service destructor so we should not get
+    // any new callbacks after the thread service is destroyed.
+    AutoAddRefReleaseThreadService autoThreadServiceKeepAlive(this);
+
     Assert(hasScheduledIdleCollect);
     IDLE_COLLECT_VERBOSE_TRACE(_u("IdleCollect- reset hasScheduledIdleCollect\n"));
     hasScheduledIdleCollect = false;

lib/Runtime/Base/ThreadServiceWrapperBase.h

@@ -41,10 +41,29 @@ class ThreadServiceWrapperBase : public ThreadServiceWrapper
     virtual bool OnScheduleIdleCollect(uint delta, bool scheduleAsTask) = 0;
     virtual void OnFinishIdleCollect() = 0;
     virtual bool ShouldFinishConcurrentCollectOnIdleCallback() = 0;
+    virtual void AddRefThreadService() { /* do nothing */ };
+    virtual void ReleaseThreadService() { /* do nothing */ };
 
     ThreadContext *GetThreadContext() { return threadContext; }
 
 private:
+    class AutoAddRefReleaseThreadService
+    {
+    public:
+        AutoAddRefReleaseThreadService(ThreadServiceWrapperBase * threadService)
+        {
+            this->threadService = threadService;
+            threadService->AddRefThreadService();
+        }
+
+        ~AutoAddRefReleaseThreadService()
+        {
+            threadService->ReleaseThreadService();
+        }
+
+        ThreadServiceWrapperBase * threadService;
+    };
+
     static const unsigned int IdleTicks = 1000; // 1 second
     static const unsigned int IdleFinishTicks = 100; // 100 ms;