
ChakraCore 2018-03 Security updates #4812

Merged
merged 16 commits into from
Mar 13, 2018

Conversation

akroshg

@akroshg akroshg commented Mar 13, 2018

Pushing 18-03 changes.

akroshg and others added 12 commits March 12, 2018 11:52
… call param under Eval - Individual

We missed handling the call node destructuring pattern for the call node generated using a tagged string template. Fixed that.
While updating the lastInput, we caused the .match function to be called, which made the regexp
data invalid. Fixed that by ensuring again in case the reset flag is set or not.
…osure - Individual

We should be updating the fullname length once we have concatenated strings.
…dividual

Callbacks while sorting cause the head of an array to not have any missing value, although later we cause an exception in the sorting, which left the array
in an inconsistent state. Later in the HeadSegmentIndexOfHelper we exploit that situation.
Fixed that by resetting the no-missing-value state in the no-exception case. And also put a fail-fast where we don't expect it to happen.
…InstrMap - Google, Inc

Run TryReplaceLdLen only when not in loop prepass

Found by OSSFuzz
Object destructuring should track assignment in case of default value
…ng concurrent FindImplicitRoot calls - Individual
…s function parameter - Individual

There are a few places where we are silently truncating the 24-bit CallInfo to 16 bits. It is possible in spread scenarios that we could use >16 bits.

I changed these shorts to uints and added the non-default warnings for truncation which would have found these issues.
 - Google, Inc.

This change completes a previous fix by not caching deep-copied arrays to ensure that only shallow-copied arrays are reused.
… Inc.

This change addresses a scenario where a deepCopy of a native array is needed when its head segment is already on the heap. In this case, it bypasses the previous fix because the head is on the stack and thus fails to do a deepCopy.
The fix is to unconditionally reallocate both the array object and its segments when deepCopy is true.

akroshg commented Mar 13, 2018

@meg-gupta @pleath @agarwal-sandeep @leirocks @tcare @thomasmo @MikeHolman ... FYI...
You guys have already reviewed before. I am going to push once checks pass.

MikeHolman and others added 3 commits March 13, 2018 11:39
Modifying page protections cross-process is an issue, as an attacker could possibly unmap JIT code and map in their own read/write memory where we expect JIT code, and trick the JIT process into making it executable.
To avoid this we need something to replace our ZeroMemory/VirtualProtectEx(PAGE_NOACCESS) method of mock-decommit (since files have no decommit support), as this later requires a VirtualProtectEx(PAGE_READEXECUTE) to recommit. The solution is to use VirtualUnlockEx, which will serve the same function for us.

akroshg commented Mar 13, 2018

@MSLaguana fyi...


@MSLaguana MSLaguana left a comment


version changes LGTM

@chakrabot chakrabot merged commit 66bba57 into chakra-core:release/1.8 Mar 13, 2018
chakrabot pushed a commit that referenced this pull request Mar 13, 2018
Merge pull request #4812 from akroshg:test1803_1

Pushing 18-03 changes.
chakrabot pushed a commit that referenced this pull request Mar 14, 2018
Merge pull request #4812 from akroshg:test1803_1

Pushing 18-03 changes.
chakrabot pushed a commit that referenced this pull request Mar 14, 2018
…rity updates

Merge pull request #4812 from akroshg:test1803_1

Pushing 18-03 changes.
9 participants