[CVE-2017-11836] Edge - Assertion only bound check can lead to user controlled allocation size and write - Individual

tcare · leirocks · commit 79edb68d6dbb · 2017-11-12T14:12:22.000-08:00
When parsing a string template literal, we temporarily suspend updating some of the offset counters. If an attacker crafts a string template that contains multibyte characters, it is possible to overflow the minLine counter. The attacker can directly control the size of the overflow, which is then used in an allocation and offset calculation when handling a parse error. Further control can be gained by triggering a scanner capture and restore to propagate this bad counter value.
Unfortunately this would have been caught by existing bounds checks, but they are asserts only. There are other instances of these around the codebase, but I did not see any exploits for those.
To fix this, we manually update the minLine counter at the point where it would normally have been updated outside of a string template. I also changed the subtraction overflow asserts to be failfasts and added an assert for detecting overflow with multibyte characters. In the non-assert case, we will return 0. Other similar checks in IchMinTok and IchLimTok have also been converted.
diff --git a/lib/Parser/Scan.cpp b/lib/Parser/Scan.cpp
@@ -1110,6 +1110,10 @@ tokens Scanner<EncodingPolicy>::ScanStringConstant(OLECHAR delim, EncodedCharPtr
             {
                 // Notify the scanner to update current line, number of lines etc
                 NotifyScannedNewLine();
+
+                // We haven't updated m_currentCharacter yet, so make sure the MinLine info is correct in case we error out.
+                m_pchMinLine = p;
+
                 break;
             }
 
@@ -1400,6 +1404,10 @@ tokens Scanner<EncodingPolicy>::ScanStringConstant(OLECHAR delim, EncodedCharPtr
 
                     // Template literal strings ignore all escaped line continuation tokens
                     NotifyScannedNewLine();
+
+                    // We haven't updated m_currentCharacter yet, so make sure the MinLine info is correct in case we error out.
+                    m_pchMinLine = p;
+
                     continue;
                 }
 
diff --git a/lib/Parser/Scan.h b/lib/Parser/Scan.h
@@ -480,17 +480,31 @@ class Scanner : public IScanner, public EncodingPolicy
     // have if the entire file was converted to Unicode (UTF16-LE).
     charcount_t IchMinTok(void) const
     {
-        Assert(m_pchMinTok - m_pchBase >= 0);
-        Assert(m_pchMinTok - m_pchBase <= LONG_MAX);
-        return static_cast< charcount_t >(m_pchMinTok - m_pchBase - m_cMinTokMultiUnits);
+
+        AssertOrFailFast(m_pchMinTok - m_pchBase >= 0);
+        AssertOrFailFast(m_pchMinTok - m_pchBase <= LONG_MAX);
+        if (static_cast<charcount_t>(m_pchMinTok - m_pchBase) < m_cMinTokMultiUnits)
+        {
+            AssertMsg(false, "IchMinTok subtraction overflow");
+            return 0;
+        }
+
+        return static_cast<charcount_t>(m_pchMinTok - m_pchBase - m_cMinTokMultiUnits);
     }
 
     // Returns the character offset of the character immediately following the token. The character offset is the offset the first
     // character of the token would have if the entire file was converted to Unicode (UTF16-LE).
     charcount_t IchLimTok(void) const
     {
-        Assert(m_currentCharacter - m_pchBase >= 0);
-        Assert(m_currentCharacter - m_pchBase <= LONG_MAX);
+
+        AssertOrFailFast(m_currentCharacter - m_pchBase >= 0);
+        AssertOrFailFast(m_currentCharacter - m_pchBase <= LONG_MAX);
+        if (static_cast<charcount_t>(m_currentCharacter - m_pchBase) < this->m_cMultiUnits)
+        {
+            AssertMsg(false, "IchLimTok subtraction overflow");
+            return 0;
+        }
+
         return static_cast< charcount_t >(m_currentCharacter - m_pchBase - this->m_cMultiUnits);
     }
 
@@ -542,8 +556,15 @@ class Scanner : public IScanner, public EncodingPolicy
     // Returns the character offset within the stream of the first character on the current line.
     charcount_t IchMinLine(void) const
     {
-        Assert(m_pchMinLine - m_pchBase >= 0);
-        Assert(m_pchMinLine - m_pchBase <= LONG_MAX);
+
+        AssertOrFailFast(m_pchMinLine - m_pchBase >= 0);
+        AssertOrFailFast(m_pchMinLine - m_pchBase <= LONG_MAX);
+        if (static_cast<charcount_t>(m_pchMinLine - m_pchBase) < m_cMinLineMultiUnits)
+        {
+            AssertMsg(false, "IchMinLine subtraction overflow");
+            return 0;
+        }
+
         return static_cast<charcount_t>(m_pchMinLine - m_pchBase - m_cMinLineMultiUnits);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1110,6 +1110,10 @@ tokens Scanner<EncodingPolicy>::ScanStringConstant(OLECHAR delim, EncodedCharPtr`
`1110`	`1110`	`{`
`1111`	`1111`	`// Notify the scanner to update current line, number of lines etc`
`1112`	`1112`	`NotifyScannedNewLine();`
	`1113`	`+`
	`1114`	`+ // We haven't updated m_currentCharacter yet, so make sure the MinLine info is correct in case we error out.`
	`1115`	`+ m_pchMinLine = p;`
	`1116`	`+`
`1113`	`1117`	`break;`
`1114`	`1118`	`}`
`1115`	`1119`
`@@ -1400,6 +1404,10 @@ tokens Scanner<EncodingPolicy>::ScanStringConstant(OLECHAR delim, EncodedCharPtr`
`1400`	`1404`
`1401`	`1405`	`// Template literal strings ignore all escaped line continuation tokens`
`1402`	`1406`	`NotifyScannedNewLine();`
	`1407`	`+`
	`1408`	`+ // We haven't updated m_currentCharacter yet, so make sure the MinLine info is correct in case we error out.`
	`1409`	`+ m_pchMinLine = p;`
	`1410`	`+`
`1403`	`1411`	`continue;`
`1404`	`1412`	`}`
`1405`	`1413`