Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

17-03 ChakraCore servicing release #2697

Merged
merged 23 commits into from
Mar 16, 2017
Merged

17-03 ChakraCore servicing release #2697

merged 23 commits into from
Mar 16, 2017

Conversation

MikeHolman
Copy link
Contributor

tcare and others added 22 commits March 16, 2017 15:35
@tcare @MikeHolman
[CVE-2017-0094] Type confusion in JavascriptProxy::SetPropertyTrap wh…
7061486 
…en using a Symbol

When setting a property trap with JavascriptProxy::SetPropertyTrap using a symbol as a property id, we incorrectly assume that JavascriptProxy::GetName returns a PropertyString. The case for a JavascriptSymbol is unhandled, and we do a static cast leading to type confusion. Fix is to handle any cases other than PropertyString by using nullptr, as is the convention elsewhere.
@tcare @MikeHolman
Add test for proxy type confusion
c30253b
@pleath @MikeHolman
[CVE-2017-0071] Handle conversion of src operand on store to a typed …
ff21352 
…array if the bailout kind tells us to bail out on helper calls.
@Penguinwizzard @MikeHolman
Check for post-lower opcodes earlier than normal.
bf4ef6c 
This change promotes several asserts to failfasts, and adds two additional ones,
in order to ensure that no post-lower opcodes are added earlier than the lowerer
phase, either by being added to the incoming bytecode buffer, or by corrupting a
part of the IR during the earlier phases of the JIT.
@MikeHolman
[CVE-2017-0067] prevent parser from getting into inconsistent state w…
80cfdbb 
…hen asm.js parse fails
@MikeHolman
[CVE-2017-0133] add check to ensure asm.js module has return statement
f778167
@MikeHolman
[CVE-2017-0134 CVE-2017-0137] add conversion checks after calls to Is…
aba0507 
…ConcatSpreadable

Signed-off-by: Michael Holman <Michael.Holman@microsoft.com>
@MikeHolman
[CVE-2017-0150] DeferDeserialize is not working properly with asm.js …
dd61e04 
…ChangeHeap
@MikeHolman
[CVE-2017-0138] fix issue with ExtraArg not being accounted correctly…
1750d47 
… in stackwalker
@MikeHolman
[CVE-2017-0132] fix incorrect assumption in JIT about array nativeness
94993f2
@MikeHolman
[CVE-2017-0151] fix issue with using wrong size reg when lowering bou…
e701fc7 
…nd check
@MikeHolman
fix bug in lowering of simd.js bound checks
70e23dc
@MikeHolman
[CVE-2017-0010] asm.js return object with no properties should not va…
f1a8c50 
…lidate
@leirocks @MikeHolman
[CVE-2017-0015] Fix SpreadArgs uninitialized memory
720bacd
@Cellule @MikeHolman
[CVE-2017-0035] Asm.Js: Assign function number in order using interna…
b7854cd 
…l list instead of parse node index.
@pleath @MikeHolman
[CVE-2017-0028] Fix binding of 'async' identifier in the presence of …
402f3d9 
…async arrow function.
@MikeHolman
ArrayBuffer.Transfer needs Detached ArrayBuffer check
fb08c4d
@MikeHolman
[CVE-2017-0141] ReverseHelper Heap Overflow
db504eb
@MikeHolman
add few missing CopyOnAccessNativeIntArray conversions
05af363
@akroshg @MikeHolman
[CVE-2017-0196] Fixing an heap overread during slice.
065b797 
The MissingItem check is happening on the array in a loop. It is possible that we get called into script and that mutates the array. So the Array's head is newly created with length.
However the loop is still performing over the old length.
Fixed this by checking the length In IsMissingItem function.
Added a unittest.
@MikeHolman
[CVE-2017-0136] UAF of ScriptContext in OOM scenario
b75b9e8
@aneeshdk @MikeHolman
[CVE-2017-0152] MSFT: 10592731 : Issue with Function name capturing i…
9da0194 
…n param scope

In a function expression with name, where the name is captured in one
of the param scope functions, if there is a function or var declaration
with the same name as the function expression name we were marking the
function expression name as shadowed. In non-eval case this causes
issue because the name symbol won't get added to the body. This change is to
fix it in such a way if the name is captured in the param scope then we
split the param and body scope such that the name symbol is added to the
param scope not body scope.
@MikeHolman
Copy link
Contributor Author

@Cellule @Penguinwizzard @agarwal-sandeep @tcare @pleath @akroshg @aneeshdk @suwc @leirocks FYI

@pleath
Copy link
Contributor

pleath commented Mar 16, 2017

My 2 commits look good.

@akroshg
Copy link
Contributor

akroshg commented Mar 16, 2017

LGTM.

@leirocks
Copy link
Contributor

LGTM

1 similar comment
@tcare
Copy link
Contributor

tcare commented Mar 16, 2017

LGTM

@suwc
Copy link

suwc commented Mar 16, 2017

LGTM

1 similar comment
@Cellule
Copy link
Contributor

Cellule commented Mar 16, 2017

LGTM

@chakrabot chakrabot merged commit cd6f65b into chakra-core:release/1.4 Mar 16, 2017
chakrabot pushed a commit that referenced this pull request Mar 16, 2017
@MikeHolman
[MERGE #2697 @MikeHolman] 17-03 ChakraCore servicing release
6c529db 
Merge pull request #2697 from MikeHolman:release/1703

Fixes the following CVEs impacting ChakraCore:
CVE-2017-0067
CVE-2017-0150
CVE-2017-0138
CVE-2017-0094
CVE-2017-0132
CVE-2017-0133
CVE-2017-0134
CVE-2017-0137
CVE-2017-0071
CVE-2017-0151
CVE-2017-0141
CVE-2017-0196
CVE-2017-0136
CVE-2017-0152
CVE-2017-0010
CVE-2017-0035
CVE-2017-0015
CVE-2017-0028
chakrabot pushed a commit that referenced this pull request Mar 17, 2017
@MikeHolman
[1.4>2.0] [MERGE #2697 @MikeHolman] 17-03 ChakraCore servicing release
e5d4107 
Merge pull request #2697 from MikeHolman:release/1703

Fixes the following CVEs impacting ChakraCore:
CVE-2017-0067
CVE-2017-0150
CVE-2017-0138
CVE-2017-0094
CVE-2017-0132
CVE-2017-0133
CVE-2017-0134
CVE-2017-0137
CVE-2017-0071
CVE-2017-0151
CVE-2017-0141
CVE-2017-0196
CVE-2017-0136
CVE-2017-0152
CVE-2017-0010
CVE-2017-0035
CVE-2017-0015
CVE-2017-0028
chakrabot pushed a commit that referenced this pull request Mar 17, 2017
@MikeHolman
[2.0>master] [1.4>2.0] [MERGE #2697 @MikeHolman] 17-03 ChakraCore ser…
afb61a6 
…vicing release

Merge pull request #2697 from MikeHolman:release/1703

Fixes the following CVEs impacting ChakraCore:
CVE-2017-0067
CVE-2017-0150
CVE-2017-0138
CVE-2017-0094
CVE-2017-0132
CVE-2017-0133
CVE-2017-0134
CVE-2017-0137
CVE-2017-0071
CVE-2017-0151
CVE-2017-0141
CVE-2017-0196
CVE-2017-0136
CVE-2017-0152
CVE-2017-0010
CVE-2017-0035
CVE-2017-0015
CVE-2017-0028
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.