17-12 Security Update #4411
Merged
17-12 Security Update #4411
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… and leak stack contents
… insert branches / make break control flow - Google, Inc.
A large numeric or spread array literal can lead to an overflow in ByteCodeGenerator that enables an OOB write. Fix is to use Int32Math to detect overflow and follow the overflow policy. Also preventatively added a bunch of UInt32Math operations around sizeof size calculations.
…ly call user defined JavaScript functions - Google, Inc.
…a call param
The destructuring element in the call argslist was not correctly determined as we were not restoring the previous state.
Fixed that
…oses scriptFunction - Google, Inc. While trying to get the length property pass the generator function as this not the inner script function.
…o 360 In ConstructName the finalName is copied over from propertyName which can contain null character in between. In that case part of finalName will remain uninitialized as we use RecyclerNewArrayLeaf to allocate finalName with the length of propertyName.
This change addresses a UAF that occurs when jitted code tries to index into a detached ArrayBuffer. The POC involves the convergence of JITing - a virtual type buffer (a certain performant type buffer that meets certain criteria) - A proxy object whose setter can cause the type buffer to be detached With this, it's possible to JIT code that indexes into the buffer without any checks. Thus, it's possible to index into the freed memory that backed the ArrayBuffer. The fix is to make sure that any call before a virtual ArrayBuffer access has a bailout to detect and protect against this assertion.
Avoid integer overflow in implementation of `String.prototype.replace`: - Failfast in Chakra regex parser if a regex contains more than 2^15 capturing groups, thus avoiding overflow when passing the matching string's to `replace`'s second argument. - Add comments to `RegexHelper::ReplaceFormatString` explaining why the capture index cannot overflow; add asserts to guard against it.
MikeHolman
requested review from
Penguinwizzard,
tcare,
Cellule,
aneeshdk,
akroshg,
rajatd,
thomasmo and
ricobbe
rajatd
approved these changes
Dec 12, 2017
ricobbe
approved these changes
Dec 12, 2017
thomasmo
approved these changes
Dec 12, 2017
tcare
approved these changes
Dec 12, 2017
Cellule
approved these changes
Dec 12, 2017
Penguinwizzard
approved these changes
Dec 12, 2017
chakrabot
pushed a commit
that referenced
this pull request
Dec 12, 2017
Merge pull request #4411 from MikeHolman:1712 17-12 Security Update that addresses the following issues in ChakraCore: CVE-2017-11889 CVE-2017-11893 CVE-2017-11894 CVE-2017-11905 CVE-2017-11908 CVE-2017-11909 CVE-2017-11910 CVE-2017-11911 CVE-2017-11912 CVE-2017-11914 CVE-2017-11916 CVE-2017-11918 CVE-2017-11919 CVE-2017-11930
chakrabot
pushed a commit
that referenced
this pull request
Dec 12, 2017
Merge pull request #4411 from MikeHolman:1712 17-12 Security Update that addresses the following issues in ChakraCore: CVE-2017-11889 CVE-2017-11893 CVE-2017-11894 CVE-2017-11905 CVE-2017-11908 CVE-2017-11909 CVE-2017-11910 CVE-2017-11911 CVE-2017-11912 CVE-2017-11914 CVE-2017-11916 CVE-2017-11918 CVE-2017-11919 CVE-2017-11930
chakrabot
pushed a commit
that referenced
this pull request
Dec 12, 2017
Merge pull request #4411 from MikeHolman:1712 17-12 Security Update that addresses the following issues in ChakraCore: CVE-2017-11889 CVE-2017-11893 CVE-2017-11894 CVE-2017-11905 CVE-2017-11908 CVE-2017-11909 CVE-2017-11910 CVE-2017-11911 CVE-2017-11912 CVE-2017-11914 CVE-2017-11916 CVE-2017-11918 CVE-2017-11919 CVE-2017-11930
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
17-12 Security Update that addresses the following issues in ChakraCore:
CVE-2017-11889
CVE-2017-11893
CVE-2017-11894
CVE-2017-11905
CVE-2017-11908
CVE-2017-11909
CVE-2017-11910
CVE-2017-11911
CVE-2017-11912
CVE-2017-11914
CVE-2017-11916
CVE-2017-11918
CVE-2017-11919
CVE-2017-11930