[CVE-2017-0093] Type confusion in asm.js arguments

When calling eval we pass an additional argument to the function. If we've assigned an asm.js function to eval, then we need to remove that additional argument before getting the arguments
chakra-core · Apr 13, 2017 · 303d997 · 303d997
1 parent 54d6d08
commit 303d997
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/lib/Runtime/Language/AsmJsUtils.cpp b/lib/Runtime/Language/AsmJsUtils.cpp
@@ -217,7 +217,8 @@ namespace Js
 
         AsmJsModuleInfo::EnsureHeapAttached(func);
 
-        uint actualArgCount = callInfo.Count - 1; // -1 for ScriptFunction
+        ArgumentReader reader(&callInfo, origArgs);
+        uint actualArgCount = reader.Info.Count - 1; // -1 for ScriptFunction
         argDst = argDst + MachPtr; // add one first so as to skip the ScriptFunction argument
         for (ArgSlot i = 0; i < info->GetArgCount(); i++)
         {

diff --git a/test/AsmJs/evalbug.js b/test/AsmJs/evalbug.js
@@ -0,0 +1,18 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function asm() {
+  "use asm"
+  function f(a, b) {
+    a = a|0;
+    b = b|0;
+    return a|0;
+  }
+  return f;
+}
+
+eval = asm();
+eval("some string");
+print("PASSED");
diff --git a/test/AsmJs/rlexe.xml b/test/AsmJs/rlexe.xml
@@ -536,6 +536,11 @@
       <compile-flags>-testtrace:asmjs -simdjs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>evalbug.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>constTest.js</files>