Browse files

[1.3>master] [1.2>1.3] Changes addressing CVE_2016-3382, CVE-2016-338…

…5, CVE-2016-3386, CVE-2016-3389,

CVE-2016-3390, CVE-2016-7189, and a mitigation of a CFG bypass.


Calls that target the external thunks should decrement the callinfo param count if the extra-param flag is set.

Don't optimize spread operation in a parameter list if the array we're spreading may have gaps. Accessing an element in the prototype chain may have side-effects that invalidate the optimization.

Port disabling of UT that times out

Type confusion in JavascriptArray
Type confusion in JavascriptArray::TemplatedGetItem()

Type confusion in JavascriptArray::TemplatedGetItem()

Type confusion in JavascriptArray::MapHelper()

CRC computation and validation for the encoder buffer

Encoder phase takes longer time for a relatively larger function. So the buffer to which we write the encoded bytes will be RWX all the while till it completes the encoding.
This time is big enough for the main thread to write in this region.
We then transfer the data to the final buffer and execute the code in the buffer(which, now, also contains the modified code).

We can check the integrity of the buffer data using CRC32(Cyclic Redundancy Check) at suitable spots.
Following is the mechanism for validation:
- Start with a random CRC seed.
- Compute the CRC1 during the encoding phase.
- Validate the CRC1 during branch shortening.
- Compute CRC2 during branch shortening.
- Validate CRC2 (or CRC1, if branch shortening didn't happen) after copying the entire buffer to the final RX buffer.
- Finally, register the entry point as a valid CFG target.

CRC32 Intrinsic instruction is available only on SSE4 and above. Hence for other cases, CRC32 algorithm is implemented.
We were storing LabelInstr* directly in the encoded bytes - Moved it to be stored in a property. - To enable CRC calculation.

Perf results:
No visible changes in console benchmark run (desktop and low-memory device).

Fixes to use-after-free in Globopt, Lowering.

Tail duplication consists of the following code :

 branchEntry->ReplaceTarget(mergeLabel, tailBranch->GetTarget());
 instr = branchEntry;

branchEntry is a reference to a SList node that can get deleted within
ReplaceTarget function. Subsequent use of the same reference is referring
to a freed value. Fix by caching branchEntry before ReplaceTarget.

Lowering floor builtin code creates a 'zero' MemRefOpnd, which gets passed
through Legalizer, which can delete the Opnd. Subsequent uses of the
MemRefOpnd in Lowering refers to a freed value. This is fixed by
AutoReuseOpnd which will avoid this scenario.

Correcting the version check for SSE4
  • Loading branch information...
pleath committed Oct 13, 2016
2 parents 42c7199 + 6da3d9f commit 097edcd2e452e423b5f83b64b47f6bb7f5cd520d



COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or code or tables
extracted from it, as desired without restriction.

@@ -37,6 +37,7 @@ git diff --name-only `git merge-base origin/master HEAD` HEAD |
grep -v -E 'bin/NativeTests/Scripts/splay.js$' |
grep -v -E 'pal/.*' |
grep -v -E 'libChakraCoreLib.version|ch.version' |
grep -v -E 'lib/Backend/CRC.h' |
xargs -I % sh -c "echo 'Check Copyright > Checking %'; python jenkins/ % > $ERRFILETEMP || cat $ERRFILETEMP >> $ERRFILE"

if [ -e $ERRFILE ]; then # if error file exists then there were errors
@@ -0,0 +1,51 @@
* CRC32 code derived from work by Gary S. Brown.

* Pre-populated Table used for calculating CRC32.
static const unsigned int crc_32_tab[] =
0x00000000L, 0x77073096L, 0xEE0E612CL, 0x990951BAL, 0x076DC419L, 0x706AF48FL, 0xE963A535L, 0x9E6495A3L,
0x0EDB8832L, 0x79DCB8A4L, 0xE0D5E91EL, 0x97D2D988L, 0x09B64C2BL, 0x7EB17CBDL, 0xE7B82D07L, 0x90BF1D91L,
0x1DB71064L, 0x6AB020F2L, 0xF3B97148L, 0x84BE41DEL, 0x1ADAD47DL, 0x6DDDE4EBL, 0xF4D4B551L, 0x83D385C7L,
0x136C9856L, 0x646BA8C0L, 0xFD62F97AL, 0x8A65C9ECL, 0x14015C4FL, 0x63066CD9L, 0xFA0F3D63L, 0x8D080DF5L,
0x3B6E20C8L, 0x4C69105EL, 0xD56041E4L, 0xA2677172L, 0x3C03E4D1L, 0x4B04D447L, 0xD20D85FDL, 0xA50AB56BL,
0x35B5A8FAL, 0x42B2986CL, 0xDBBBC9D6L, 0xACBCF940L, 0x32D86CE3L, 0x45DF5C75L, 0xDCD60DCFL, 0xABD13D59L,
0x26D930ACL, 0x51DE003AL, 0xC8D75180L, 0xBFD06116L, 0x21B4F4B5L, 0x56B3C423L, 0xCFBA9599L, 0xB8BDA50FL,
0x2802B89EL, 0x5F058808L, 0xC60CD9B2L, 0xB10BE924L, 0x2F6F7C87L, 0x58684C11L, 0xC1611DABL, 0xB6662D3DL,
0x76DC4190L, 0x01DB7106L, 0x98D220BCL, 0xEFD5102AL, 0x71B18589L, 0x06B6B51FL, 0x9FBFE4A5L, 0xE8B8D433L,
0x7807C9A2L, 0x0F00F934L, 0x9609A88EL, 0xE10E9818L, 0x7F6A0DBBL, 0x086D3D2DL, 0x91646C97L, 0xE6635C01L,
0x6B6B51F4L, 0x1C6C6162L, 0x856530D8L, 0xF262004EL, 0x6C0695EDL, 0x1B01A57BL, 0x8208F4C1L, 0xF50FC457L,
0x65B0D9C6L, 0x12B7E950L, 0x8BBEB8EAL, 0xFCB9887CL, 0x62DD1DDFL, 0x15DA2D49L, 0x8CD37CF3L, 0xFBD44C65L,
0x4DB26158L, 0x3AB551CEL, 0xA3BC0074L, 0xD4BB30E2L, 0x4ADFA541L, 0x3DD895D7L, 0xA4D1C46DL, 0xD3D6F4FBL,
0x4369E96AL, 0x346ED9FCL, 0xAD678846L, 0xDA60B8D0L, 0x44042D73L, 0x33031DE5L, 0xAA0A4C5FL, 0xDD0D7CC9L,
0x5005713CL, 0x270241AAL, 0xBE0B1010L, 0xC90C2086L, 0x5768B525L, 0x206F85B3L, 0xB966D409L, 0xCE61E49FL,
0x5EDEF90EL, 0x29D9C998L, 0xB0D09822L, 0xC7D7A8B4L, 0x59B33D17L, 0x2EB40D81L, 0xB7BD5C3BL, 0xC0BA6CADL,
0xEDB88320L, 0x9ABFB3B6L, 0x03B6E20CL, 0x74B1D29AL, 0xEAD54739L, 0x9DD277AFL, 0x04DB2615L, 0x73DC1683L,
0xE3630B12L, 0x94643B84L, 0x0D6D6A3EL, 0x7A6A5AA8L, 0xE40ECF0BL, 0x9309FF9DL, 0x0A00AE27L, 0x7D079EB1L,
0xF00F9344L, 0x8708A3D2L, 0x1E01F268L, 0x6906C2FEL, 0xF762575DL, 0x806567CBL, 0x196C3671L, 0x6E6B06E7L,
0xFED41B76L, 0x89D32BE0L, 0x10DA7A5AL, 0x67DD4ACCL, 0xF9B9DF6FL, 0x8EBEEFF9L, 0x17B7BE43L, 0x60B08ED5L,
0xD6D6A3E8L, 0xA1D1937EL, 0x38D8C2C4L, 0x4FDFF252L, 0xD1BB67F1L, 0xA6BC5767L, 0x3FB506DDL, 0x48B2364BL,
0xD80D2BDAL, 0xAF0A1B4CL, 0x36034AF6L, 0x41047A60L, 0xDF60EFC3L, 0xA867DF55L, 0x316E8EEFL, 0x4669BE79L,
0xCB61B38CL, 0xBC66831AL, 0x256FD2A0L, 0x5268E236L, 0xCC0C7795L, 0xBB0B4703L, 0x220216B9L, 0x5505262FL,
0xC5BA3BBEL, 0xB2BD0B28L, 0x2BB45A92L, 0x5CB36A04L, 0xC2D7FFA7L, 0xB5D0CF31L, 0x2CD99E8BL, 0x5BDEAE1DL,
0x9B64C2B0L, 0xEC63F226L, 0x756AA39CL, 0x026D930AL, 0x9C0906A9L, 0xEB0E363FL, 0x72076785L, 0x05005713L,
0x95BF4A82L, 0xE2B87A14L, 0x7BB12BAEL, 0x0CB61B38L, 0x92D28E9BL, 0xE5D5BE0DL, 0x7CDCEFB7L, 0x0BDBDF21L,
0x86D3D2D4L, 0xF1D4E242L, 0x68DDB3F8L, 0x1FDA836EL, 0x81BE16CDL, 0xF6B9265BL, 0x6FB077E1L, 0x18B74777L,
0x88085AE6L, 0xFF0F6A70L, 0x66063BCAL, 0x11010B5CL, 0x8F659EFFL, 0xF862AE69L, 0x616BFFD3L, 0x166CCF45L,
0xA00AE278L, 0xD70DD2EEL, 0x4E048354L, 0x3903B3C2L, 0xA7672661L, 0xD06016F7L, 0x4969474DL, 0x3E6E77DBL,
0xAED16A4AL, 0xD9D65ADCL, 0x40DF0B66L, 0x37D83BF0L, 0xA9BCAE53L, 0xDEBB9EC5L, 0x47B2CF7FL, 0x30B5FFE9L,
0xBDBDF21CL, 0xCABAC28AL, 0x53B39330L, 0x24B4A3A6L, 0xBAD03605L, 0xCDD70693L, 0x54DE5729L, 0x23D967BFL,
0xB3667A2EL, 0xC4614AB8L, 0x5D681B02L, 0x2A6F2B94L, 0xB40BBE37L, 0xC30C8EA1L, 0x5A05DF1BL, 0x2D02EF8DL

static unsigned int CalculateCRC32(unsigned int bufferCRC, size_t data)
/* update running CRC calculation with contents of a buffer */

bufferCRC = bufferCRC ^ 0xffffffffL;
bufferCRC = crc_32_tab[(bufferCRC ^ data) & 0xFF] ^ (bufferCRC >> 8);
return (bufferCRC ^ 0xffffffffL);
@@ -454,6 +454,11 @@
<ClInclude Include="CRC.h">
<Import Project="$(BuildConfigPropsPath)Chakra.Build.targets" Condition="exists('$(BuildConfigPropsPath)Chakra.Build.targets')" />
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
@@ -336,6 +336,7 @@
<ClInclude Include="JITTimeFixedField.h" />
<ClInclude Include="ExternalLowerer.h" />
<ClInclude Include="JITRecyclableObject.h" />
<ClInclude Include="CRC.h" />
<MASM Include="$(MSBuildThisFileDirectory)amd64\LinearScanMdA.asm">
Oops, something went wrong.

0 comments on commit 097edcd

Please sign in to comment.