Please sign in to comment.
[CVE-2018-0776] JIT: stack-to-heap copy bug - Google, Inc.
This change fixes a type-confusion bug that can occur with Native arrays allocated on the stack. Once JIT'd code expects a Native array to be used on the stack, the POC converts it to a Var array. This is combined with current behavior of the Arguments property, which moves the array from the stack to the heap. The result of these two assumptions is natively setting a Float value where a Var value is expected, letting any arbitrary floating-point number be written to memory and subsequently accessed as a Var. This fix forces a deep copy of Arrays that are returned via Arguments. This ensures that the new object created points to its own buffers. This also indicates a divergence with the original object and the one created by Arguments; however, there is currently no standard to define this behavior.
- Loading branch information...
Showing with 112 additions and 60 deletions.
- +4 −4 lib/Backend/BailOut.cpp
- +10 −7 lib/Backend/InlineeFrameInfo.cpp
- +3 −3 lib/Backend/InlineeFrameInfo.h
- +1 −1 lib/Runtime/Debug/DiagObjectModel.h
- +1 −1 lib/Runtime/Debug/DiagStackFrame.cpp
Oops, something went wrong.