
[CVE-2017-11837] [ChakraCore] Edge - TypedArray UaF leads to RCE - Qihoo 360
rajatd authored and leirocks committed Oct 20, 2017
1 parent 14f44de commit 38a37acb69805c9e1197a58d4ab5fa84e1dfbacd
Showing with 27 additions and 2 deletions.
  1. +26 −2 lib/Backend/BackwardPass.cpp
  2. +1 −0 lib/Backend/BackwardPass.h
@@ -2047,8 +2047,8 @@ BackwardPass::ProcessBailOutInfo(IR::Instr * instr)
bool
BackwardPass::IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, bool mayNeedImplicitCallBailOut, bool hasLiveFields)
{
return this->globOpt->IsImplicitCallBailOutCurrentlyNeeded(
instr, nullptr, nullptr, this->currentBlock, hasLiveFields, mayNeedImplicitCallBailOut, false);
return this->globOpt->IsImplicitCallBailOutCurrentlyNeeded(instr, nullptr, nullptr, this->currentBlock, hasLiveFields, mayNeedImplicitCallBailOut, false) ||
this->NeedBailOutOnImplicitCallsForTypedArrayStore(instr);
}

void
@@ -2235,6 +2235,30 @@ BackwardPass::DeadStoreImplicitCallBailOut(IR::Instr * instr, bool hasLiveFields
}
}

bool
BackwardPass::NeedBailOutOnImplicitCallsForTypedArrayStore(IR::Instr* instr)
{
if ((instr->m_opcode == Js::OpCode::StElemI_A || instr->m_opcode == Js::OpCode::StElemI_A_Strict) &&
instr->GetDst()->IsIndirOpnd() &&
instr->GetDst()->AsIndirOpnd()->GetBaseOpnd()->GetValueType().IsLikelyTypedArray())
{
IR::Opnd * opnd = instr->GetSrc1();
if (opnd->IsRegOpnd())
{
return !opnd->AsRegOpnd()->GetValueType().IsPrimitive() &&
!opnd->AsRegOpnd()->m_sym->IsInt32() &&
!opnd->AsRegOpnd()->m_sym->IsFloat64() &&
!opnd->AsRegOpnd()->m_sym->IsFloatConst() &&
!opnd->AsRegOpnd()->m_sym->IsIntConst();
}
else
{
Assert(opnd->IsIntConstOpnd() || opnd->IsInt64ConstOpnd() || opnd->IsFloat32ConstOpnd() || opnd->IsFloatConstOpnd() || opnd->IsAddrOpnd());
}
}
return false;
}

void
BackwardPass::ProcessPendingPreOpBailOutInfo(IR::Instr *const currentInstr)
{
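Review bot: NeedBailOutOnImplicitCallsForTypedArrayStore carries no comment explaining why a non-primitive source operand forces a bailout, which is the whole point of the fix; add a header above the definition such as `// Storing a non-primitive value into a (likely) typed array converts it with a user-observable ToNumber call, which can run script that alters the array (presumably the detachment behind the reported UaF), so the store must bail out on implicit calls.` The repeated `opnd->AsRegOpnd()` in the return expression would read better bound once, `IR::RegOpnd * regOpnd = opnd->AsRegOpnd();`, with the five checks applied to `regOpnd`. The `Assert` in the else branch implies that every non-register source is a constant or address operand and therefore primitive; a one-line comment saying so would make the fall-through to `return false` visibly intentional rather than accidental. The same missing rationale applies to the earlier hunk, where the added `||` term in IsImplicitCallBailOutCurrentlyNeeded is likewise unexplained.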
@@ -101,6 +101,7 @@ class BackwardPass
void DeadStoreImplicitCallBailOut(IR::Instr * instr, bool hasLiveFields);
void DeadStoreTypeCheckBailOut(IR::Instr * instr);
bool IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, bool mayNeedImplicitCallBailOut, bool hasLiveFields);
bool NeedBailOutOnImplicitCallsForTypedArrayStore(IR::Instr* instr);
bool TrackNoImplicitCallInlinees(IR::Instr *instr);
bool ProcessBailOnNoProfile(IR::Instr *instr, BasicBlock *block);
