[1.11>master] [MERGE #6447 @rajeshpeter] ChakraCore Servicing Update …

…for 2020.05B Merge pull request #6447 from rajeshpeter:servicing/2005 **Changes to address the following issues:** **[CVE-2020-1037]** Ensure JIT bails out when there is an object marked as temporary during an implicit call, to prevent objects stored on the stack to be used outside of the function. This is done by preventing removal of the Bailout instruction for that case during the DeadStore pass of GlobOpt. **[CVE-2020-1065]** A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This an result in us calculating incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only triggers when the enclosing function's param and body scopes are merged so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
chakra-core · May 13, 2020 · 1b62fe7 · 1b62fe7
2 parents cf66462 + 5ed2985
commit 1b62fe7
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/lib/Backend/GlobOptBailOut.cpp b/lib/Backend/GlobOptBailOut.cpp
@@ -1388,6 +1388,7 @@ GlobOpt::IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, Value const * s
             NeedBailOnImplicitCallForCSE(block, isForwardPass) ||
             NeedBailOnImplicitCallWithFieldOpts(block->loop, hasLiveFields) ||
             NeedBailOnImplicitCallForArrayCheckHoist(block, isForwardPass) ||
+            (instr->HasBailOutInfo() && (instr->GetBailOutKind() & IR::BailOutMarkTempObject) != 0) ||
             mayNeedLazyBailOut
         ) &&
         (!instr->HasTypeCheckBailOut() && MayNeedBailOnImplicitCall(instr, src1Val, src2Val)))

diff --git a/lib/Runtime/ByteCode/ScopeInfo.cpp b/lib/Runtime/ByteCode/ScopeInfo.cpp
@@ -196,6 +196,23 @@ namespace Js
         ScopeInfo * scopeInfo = ScopeInfo::SaveScopeInfo(byteCodeGenerator, currentScope, byteCodeGenerator->GetScriptContext());
         if (scopeInfo != nullptr)
         {
+            if (funcInfo->root->IsDeclaredInParamScope())
+            {
+                FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo();
+                Assert(func);
+
+                if (func->IsBodyAndParamScopeMerged())
+                {
+                    Assert(currentScope == func->GetParamScope() && currentScope->GetScopeType() == ScopeType_Parameter);
+                    Assert(scopeInfo->GetScopeType() == ScopeType_Parameter);
+                    Assert(func->GetBodyScope());
+
+                    // If the current function is nested in the param scope of it's enclosing function we may have
+                    // skipped the body scope and in may not be the scope stack but the body scope might still be
+                    // in the frame display and we will need to account for it. See ByteCodeGenerateor::FindScopeForSym.
+                    scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate();
+                }
+            }
             funcInfo->byteCodeFunction->SetScopeInfo(scopeInfo);
         }
     }