[CVE-2019-1298]

pleath · MikeHolman · commit fe8f981f8e42 · 2019-09-09T11:22:09.000-07:00
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
@@ -5422,7 +5422,14 @@ BackwardPass::TrackObjTypeSpecProperties(IR::PropertySymOpnd *opnd, BasicBlock *
                         // Some instr protected by this one requires a monomorphic type check. (E.g., final type opt,
                         // fixed field not loaded from prototype.) Note the IsTypeAvailable test above: only do this at
                         // the initial type check that protects this path.
-                        opnd->SetMonoGuardType(bucket->GetMonoGuardType());
+                        if (!opnd->SetMonoGuardType(bucket->GetMonoGuardType()))
+                        {
+                            // We can't safely check for the required type here. Clear the objtypespec info to disable optimization
+                            // using this inline cache, since there appears to be a mismatch, and re-jit.
+                            // (Dead store pass is too late to generate the bailout points we need to use this type correctly.)
+                            this->currentInstr->m_func->ClearObjTypeSpecFldInfo(opnd->m_inlineCacheIndex);
+                            throw Js::RejitException(RejitReason::FailedEquivalentTypeCheck);
+                        }
                         this->currentInstr->ChangeEquivalentToMonoTypeCheckBailOut();
                     }
                     bucket->SetMonoGuardType(nullptr);
diff --git a/lib/Backend/Func.cpp b/lib/Backend/Func.cpp
@@ -348,6 +348,9 @@ Func::Codegen(JitArenaAllocator *alloc, JITTimeWorkItem * workItem,
             case RejitReason::MemOpDisabled:
                 outputData->disableMemOp = TRUE;
                 break;
+            case RejitReason::FailedEquivalentTypeCheck:
+                // No disable flag. The thrower of the re-jit exception must guarantee that objtypespec is disabled where appropriate.
+                break;
             default:
                 Assume(UNREACHED);
             }
@@ -1521,6 +1524,12 @@ Func::GetObjTypeSpecFldInfo(const uint index) const
     return GetWorkItem()->GetJITTimeInfo()->GetObjTypeSpecFldInfo(index);
 }
 
+void
+Func::ClearObjTypeSpecFldInfo(const uint index)
+{
+    GetWorkItem()->GetJITTimeInfo()->ClearObjTypeSpecFldInfo(index);
+}
+
 ObjTypeSpecFldInfo*
 Func::GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const
 {
diff --git a/lib/Backend/Func.h b/lib/Backend/Func.h
@@ -579,6 +579,7 @@ static const unsigned __int64 c_debugFillPattern8 = 0xcececececececece;
     Js::Var AllocateNumber(double value);
 
     ObjTypeSpecFldInfo* GetObjTypeSpecFldInfo(const uint index) const;
+    void ClearObjTypeSpecFldInfo(const uint index);
     ObjTypeSpecFldInfo* GetGlobalObjTypeSpecFldInfo(uint propertyInfoId) const;
 
     // Gets an inline cache pointer to use in jitted code. Cached data may not be stable while jitting. Does not return null.
diff --git a/lib/Backend/FunctionJITTimeInfo.cpp b/lib/Backend/FunctionJITTimeInfo.cpp
@@ -311,6 +311,18 @@ FunctionJITTimeInfo::GetObjTypeSpecFldInfo(uint index) const
     return reinterpret_cast<ObjTypeSpecFldInfo *>(m_data.objTypeSpecFldInfoArray[index]);
 }
 
+void
+FunctionJITTimeInfo::ClearObjTypeSpecFldInfo(uint index)
+{
+    if (m_data.objTypeSpecFldInfoArray == nullptr)
+    {
+        return;
+    }
+    AssertOrFailFast(index < m_data.objTypeSpecFldInfoCount);
+
+    m_data.objTypeSpecFldInfoArray[index] = nullptr;
+}
+
 ObjTypeSpecFldInfo *
 FunctionJITTimeInfo::GetGlobalObjTypeSpecFldInfo(uint index) const
 {
diff --git a/lib/Backend/FunctionJITTimeInfo.h b/lib/Backend/FunctionJITTimeInfo.h
@@ -38,6 +38,7 @@ class FunctionJITTimeInfo
     const BVFixed * GetInlineesBV() const;
     const FunctionJITTimeInfo * GetJitTimeDataFromFunctionInfoAddr(intptr_t polyFuncInfo) const;
     ObjTypeSpecFldInfo * GetObjTypeSpecFldInfo(uint index) const;
+    void ClearObjTypeSpecFldInfo(uint index);
     ObjTypeSpecFldInfo * GetGlobalObjTypeSpecFldInfo(uint index) const;
     uint GetGlobalObjTypeSpecFldInfoCount() const;
     const FunctionJITRuntimeInfo * GetInlineeForTargetInlineeRuntimeData(const Js::ProfileId profiledCallSiteId, intptr_t inlineeFuncBodyAddr) const;
diff --git a/lib/Backend/Opnd.h b/lib/Backend/Opnd.h
@@ -799,9 +799,17 @@ class PropertySymOpnd sealed : public SymOpnd
         return this->monoGuardType;
     }
 
-    void SetMonoGuardType(JITTypeHolder type)
+    bool SetMonoGuardType(JITTypeHolder type)
     {
+        if (!(this->monoGuardType == nullptr || this->monoGuardType == type) ||
+            !((HasEquivalentTypeSet() && GetEquivalentTypeSet()->Contains(type)) ||
+              (!HasEquivalentTypeSet() && GetType() == type)))
+        {
+            // Required type is not in the available set, or we already set the type to something else. Inform the caller.
+            return false;
+        }
         this->monoGuardType = type;
+        return true;
     }
 
     bool NeedsMonoCheck() const

Original file line number	Diff line number	Diff line change
`@@ -799,9 +799,17 @@ class PropertySymOpnd sealed : public SymOpnd`
`799`	`799`	`return this->monoGuardType;`
`800`	`800`	`}`
`801`	`801`
`802`		`- void SetMonoGuardType(JITTypeHolder type)`
	`802`	`+ bool SetMonoGuardType(JITTypeHolder type)`
`803`	`803`	`{`
	`804`	`+ if (!(this->monoGuardType == nullptr \|\| this->monoGuardType == type) \|\|`
	`805`	`+ !((HasEquivalentTypeSet() && GetEquivalentTypeSet()->Contains(type)) \|\|`
	`806`	`+ (!HasEquivalentTypeSet() && GetType() == type)))`
	`807`	`+ {`
	`808`	`+ // Required type is not in the available set, or we already set the type to something else. Inform the caller.`
	`809`	`+ return false;`
	`810`	`+ }`
`804`	`811`	`this->monoGuardType = type;`
	`812`	`+ return true;`
`805`	`813`	`}`
`806`	`814`
`807`	`815`	`bool NeedsMonoCheck() const`