From cd58e8e6799ab11b02a1cfc30bac9a2171dabd4d Mon Sep 17 00:00:00 2001 From: Paul Leathers Date: Wed, 11 Mar 2020 12:48:33 -0700 Subject: [PATCH 1/3] [CVE-2020-0969] --- lib/Runtime/ByteCode/ByteCodeEmitter.cpp | 52 +++++++++++++------ lib/Runtime/Language/JavascriptOperators.cpp | 3 +- lib/Runtime/Types/RecyclableObject.cpp | 6 +++ lib/Runtime/Types/RecyclableObject.h | 1 + .../Types/UnscopablesWrapperObject.cpp | 6 +++ lib/Runtime/Types/UnscopablesWrapperObject.h | 3 +- 6 files changed, 53 insertions(+), 18 deletions(-) diff --git a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp index 63bf884a993..319b64baece 100644 --- a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp +++ b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp @@ -4262,21 +4262,33 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot funcInfo->FindOrAddReferencedPropertyId(propertyId), envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var)); - Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister(); - AssertOrFailFast(scope->GetIsObject()); - this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg, - envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var)); - - Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A; - this->m_writer.Reg2(op, instLocation, tmpReg); - if (thisLocation != Js::Constants::NoRegister) + if (unwrapWithObj) { - this->m_writer.Reg2(op, thisLocation, tmpReg); + Js::RegSlot tmpReg = funcInfo->AcquireTmpRegister(); + + this->m_writer.SlotI1(Js::OpCode::LdEnvObj, tmpReg, + envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var)); + + this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, tmpReg); + if (thisLocation != Js::Constants::NoRegister) + { + this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, tmpReg); + } + + funcInfo->ReleaseTmpRegister(tmpReg); } + else + { + this->m_writer.SlotI1(Js::OpCode::LdEnvObj, instLocation, + envIndex + Js::FrameDisplay::GetOffsetOfScopes() / sizeof(Js::Var)); - funcInfo->ReleaseTmpRegister(tmpReg); + if (thisLocation != Js::Constants::NoRegister) + { + this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister); + } + } } else if (scopeLocation != Js::Constants::NoRegister && scopeLocation == funcInfo->frameObjRegister) { @@ -4288,7 +4300,7 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot this->m_writer.Reg1(Js::OpCode::LdLocalObj, instLocation); if (thisLocation != Js::Constants::NoRegister) { - this->m_writer.Reg1(Js::OpCode::LdLocalObj, thisLocation); + this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister); } } else @@ -4296,11 +4308,21 @@ void ByteCodeGenerator::EmitLoadInstance(Symbol *sym, IdentPtr pid, Js::RegSlot this->m_writer.BrProperty(Js::OpCode::BrOnNoProperty, nextLabel, scopeLocation, funcInfo->FindOrAddReferencedPropertyId(propertyId)); - Js::OpCode op = unwrapWithObj ? Js::OpCode::UnwrapWithObj : Js::OpCode::Ld_A; - this->m_writer.Reg2(op, instLocation, scopeLocation); - if (thisLocation != Js::Constants::NoRegister) + if (unwrapWithObj) { - this->m_writer.Reg2(op, thisLocation, scopeLocation); + this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, instLocation, scopeLocation); + if (thisLocation != Js::Constants::NoRegister) + { + this->m_writer.Reg2(Js::OpCode::UnwrapWithObj, thisLocation, scopeLocation); + } + } + else + { + this->m_writer.Reg2(Js::OpCode::Ld_A, instLocation, scopeLocation); + if (thisLocation != Js::Constants::NoRegister) + { + this->m_writer.Reg2(Js::OpCode::Ld_A, thisLocation, funcInfo->undefinedConstantRegister); + } } } diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp index ad4ddc749e4..12b83e62189 100644 --- a/lib/Runtime/Language/JavascriptOperators.cpp +++ b/lib/Runtime/Language/JavascriptOperators.cpp @@ -2072,8 +2072,7 @@ using namespace Js; // HasProperty will call UnscopablesWrapperObject's HasProperty which will do the filtering // All we have to do here is unwrap the object hence the api call - *thisVar = obj->GetThisObjectOrUnWrap(); - return *thisVar; + return obj->GetThisAndUnwrappedInstance(thisVar); } } diff --git a/lib/Runtime/Types/RecyclableObject.cpp b/lib/Runtime/Types/RecyclableObject.cpp index bcaa01850f5..35dcda679f6 100644 --- a/lib/Runtime/Types/RecyclableObject.cpp +++ b/lib/Runtime/Types/RecyclableObject.cpp @@ -331,6 +331,12 @@ namespace Js return this; } + RecyclableObject* RecyclableObject::GetThisAndUnwrappedInstance(Var* thisVar) const + { + *thisVar = this->GetLibrary()->GetUndefined(); + return (RecyclableObject*)this; + } + // In order to avoid a branch, every object has an entry point if it gets called like a // function - however, if it can't be called like a function, it's set to DefaultEntryPoint // which will emit an error. diff --git a/lib/Runtime/Types/RecyclableObject.h b/lib/Runtime/Types/RecyclableObject.h index c57465ad4a1..14ee2da6a3b 100644 --- a/lib/Runtime/Types/RecyclableObject.h +++ b/lib/Runtime/Types/RecyclableObject.h @@ -353,6 +353,7 @@ namespace Js { virtual uint GetSpecialPropertyCount() const { return 0; } virtual PropertyId const * GetSpecialPropertyIds() const { return nullptr; } virtual RecyclableObject* GetThisObjectOrUnWrap(); // Due to the withScope object there are times we need to unwrap + virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const; virtual BOOL HasInstance(Var instance, ScriptContext* scriptContext, IsInstInlineCache* inlineCache = NULL); diff --git a/lib/Runtime/Types/UnscopablesWrapperObject.cpp b/lib/Runtime/Types/UnscopablesWrapperObject.cpp index aaeb6c53b93..b4dc7f12c78 100644 --- a/lib/Runtime/Types/UnscopablesWrapperObject.cpp +++ b/lib/Runtime/Types/UnscopablesWrapperObject.cpp @@ -23,6 +23,12 @@ namespace Js return static_cast(aValue); } + RecyclableObject * UnscopablesWrapperObject::GetThisAndUnwrappedInstance(Var* thisVar) const + { + *thisVar = this->GetWrappedObject(); + return this->GetWrappedObject(); + } + PropertyQueryFlags UnscopablesWrapperObject::HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info) { return JavascriptConversion::BooleanToPropertyQueryFlags(JavascriptOperators::HasPropertyUnscopables(wrappedObject, propertyId)); diff --git a/lib/Runtime/Types/UnscopablesWrapperObject.h b/lib/Runtime/Types/UnscopablesWrapperObject.h index eaaff930df3..ddc64c61269 100644 --- a/lib/Runtime/Types/UnscopablesWrapperObject.h +++ b/lib/Runtime/Types/UnscopablesWrapperObject.h @@ -28,7 +28,8 @@ namespace Js static bool Is(Var aValue); static UnscopablesWrapperObject* FromVar(Var value); static UnscopablesWrapperObject* UnsafeFromVar(Var value); - RecyclableObject *GetWrappedObject() { return wrappedObject; } + RecyclableObject *GetWrappedObject() const { return wrappedObject; } + virtual RecyclableObject* GetThisAndUnwrappedInstance(Var* thisVar) const override; virtual PropertyQueryFlags HasPropertyQuery(PropertyId propertyId, _Inout_opt_ PropertyValueInfo* info) override; virtual BOOL HasOwnProperty(PropertyId propertyId) override; virtual BOOL SetProperty(PropertyId propertyId, Var value, PropertyOperationFlags flags, PropertyValueInfo* info) override; From 892e45ff85ed4e3899371eca950a7fb4810bde37 Mon Sep 17 00:00:00 2001 From: Paul Leathers Date: Wed, 26 Feb 2020 09:51:09 -0800 Subject: [PATCH 2/3] [CVE-2020-0970] --- lib/Runtime/Types/PathTypeHandler.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/Runtime/Types/PathTypeHandler.cpp b/lib/Runtime/Types/PathTypeHandler.cpp index 57cd0480c86..c329b40cd95 100644 --- a/lib/Runtime/Types/PathTypeHandler.cpp +++ b/lib/Runtime/Types/PathTypeHandler.cpp @@ -2013,6 +2013,16 @@ namespace Js { newSetters = this->UpdateSetterSlots(recycler, oldSetters, oldPathSize, newTypePath->GetPathSize()); } + +#if ENABLE_FIXED_FIELDS +#ifdef SUPPORT_FIXED_FIELDS_ON_PATH_TYPES + if (PathTypeHandlerBase::FixPropsOnPathTypes()) + { + Assert(this->HasSingletonInstanceOnlyIfNeeded()); + this->GetTypePath()->ClearSingletonInstanceIfSame(instance); + } +#endif +#endif } else if (growing) { From d75b21c97cead637f79f45b4b4edd317eaeef466 Mon Sep 17 00:00:00 2001 From: Taylor Woll Date: Tue, 14 Apr 2020 11:11:47 -0700 Subject: [PATCH 3/3] Update version to 1.11.18 --- Build/NuGet/.pack-version | 2 +- lib/Common/ChakraCoreVersion.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version index a88326ef59b..bcc565f2b49 100644 --- a/Build/NuGet/.pack-version +++ b/Build/NuGet/.pack-version @@ -1 +1 @@ -1.11.17 +1.11.18 diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h index c2ce28724bf..c8447b9a39e 100644 --- a/lib/Common/ChakraCoreVersion.h +++ b/lib/Common/ChakraCoreVersion.h @@ -17,7 +17,7 @@ // ChakraCore version number definitions (used in ChakraCore binary metadata) #define CHAKRA_CORE_MAJOR_VERSION 1 #define CHAKRA_CORE_MINOR_VERSION 11 -#define CHAKRA_CORE_PATCH_VERSION 17 +#define CHAKRA_CORE_PATCH_VERSION 18 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0. // -------------