1607 servicing fixes #1291
Merged
+390 −131
Conversation
This change combined fixes for CVE-2016-3259, CVE-2016-3260, CVE-2016-3265, CVE-2016-3269, CVE-2016-3271 and MS16-085.

MSFT:7558512: [MSRC 33480] Mitigation Bypass Submission - InterpreterThunkEmitter Bypass CFG

Issue.
InterpreterStackFrame class has a member called interpreterThunk which stores the address of our interpreter function (regular or the asmjs one). The hacker took advantage of this address being stored in the heap memory and corrupted the same to reference a vulnerable shell code.
We do not emit a CFG check for this address before calling, because this is a direct call and not an indirect call.

Fix.
This field is replaced with a boolean - to decide between regular/asmjs interpreter thunk. The address of the interpreter function is obtained in the function which is emitting the code, directly.
This code has been present since the beginning - But this has to be serviced only for chakra.dll (till th1), as we don't have CFG support before that.

Tests.

MSFT:7424216: [MSRC 33319] Chakra Type Confusion JavascriptArray::InternalCopyNativeFloatArrayElements - Individual
[MSRC] Type confusion bug in ChakraCore JavascriptArray::InternalCopyNativeFloatArrayElements.

MSFT:7527933: [MSRC 33383] Chakra JavascriptArray::ForEachOwnMissingArrayIndexOfObject - Individual
[MSRC] Uninitialized stack variable in ChakraCore JavascriptArray::ForEachOwnMissingArrayIndexOfObject Component. Fix by ensuring the stack variable was assigned before use.

MSFT:7572196: [MSRC 33354] Edge Chakra ArrayBuffer.transfer - Zero Day Initiative
Fix malloc/realloc usage in ES6 experimental feature ArrayBuffer.transfer. Should zero extra memory in either the malloc or the realloc case.

MSFT:7387125 7387131 7387136 7387145 7387150 7424221 7424227: [MSRC 33299] Chakra Type Confusion in JavascriptArray::EntryFrom - Individual
[MSRC] Type Confusion in Array built-ins
DirectSetItemAt() is used in numerous Array built-ins without type-checking, where new objects may be created through a user-defined constructor.
Fix by adding type-checking for type-specialized helper functions, and replacing DirectSetItemAt() calls with calls to virtual SetItem() functions where applicable.

MSFT:7424474: [MSRC 33332] Edge ReadAV in chakra!Js::JavascriptOperators::StrictEqual+0x18 - Individual
During sort prep we set orig[i] to missing_item. If an exception occurs in the middle (e.g. in "toString"), orig[i] will remain the value missing_item, the Array's has_missing_item state could be wrong (wasn't updated), and the Array's content is also corrupted.
Fixed by removing the setting of orig[i] to missing_item in prep. Do that after sort completion. (It is required to maintain segment length...end to contain only the missing_item value.)
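For the ArrayBuffer.transfer item above, here is an added example (my own C++, not ChakraCore's code) of the allocation pattern the fix describes: a hypothetical TransferBackingStore that zero-fills the grown region in both the malloc and the realloc case, so stale heap bytes never become script-visible.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
// Hypothetical helper (added example, not ChakraCore code) for the ArrayBuffer.transfer
// fix: grow or shrink a backing store to newLen bytes and zero every byte beyond the
// old length, whether the store is freshly malloc'd or realloc'd. Returns nullptr on
// allocation failure, in which case `old` is untouched and still owned by the caller.
static uint8_t* TransferBackingStore(uint8_t* old, size_t oldLen, size_t newLen)
{
    size_t allocLen = newLen ? newLen : 1;  // avoid realloc(p, 0), which may free p
    if (old == nullptr) {
        // malloc case: nothing to preserve, so the whole block is zeroed (calloc).
        return static_cast<uint8_t*>(std::calloc(allocLen, 1));
    }
    // realloc case: bytes [0, oldLen) are preserved; bytes [oldLen, newLen) hold
    // whatever the allocator left there until we clear them.
    uint8_t* buf = static_cast<uint8_t*>(std::realloc(old, allocLen));
    if (buf == nullptr) return nullptr;
    if (newLen > oldLen) std::memset(buf + oldLen, 0, newLen - oldLen);
    return buf;
}
// Returns true when every byte in [from, to) is zero.
static bool RangeIsZero(const uint8_t* buf, size_t from, size_t to)
{
    for (size_t i = from; i < to; ++i)
        if (buf[i] != 0) return false;
    return true;
}
// Exercises both paths: a fresh 8-byte store, filled with 0xAB, then transferred
// to 32 bytes. Returns true only if the old bytes survive and the tail is zeroed.
static bool TransferZeroFillsTail()
{
    uint8_t* p = TransferBackingStore(nullptr, 0, 8);
    if (p == nullptr || !RangeIsZero(p, 0, 8)) return false;
    std::memset(p, 0xAB, 8);
    uint8_t* q = TransferBackingStore(p, 8, 32);
    if (q == nullptr) { std::free(p); return false; }
    bool ok = RangeIsZero(q, 8, 32);
    for (size_t i = 0; i < 8; ++i) ok = ok && q[i] == 0xAB;
    std::free(q);
    return ok;
}
```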
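For the [MSRC 33332] sort item above, an added C++ model (not ChakraCore code; JsArrayModel, SortBuggy and SortFixed are hypothetical names) contrasting the pre-fix and post-fix order of operations when a user toString() throws part-way through the sort: pre-clearing the live slots with the missing sentinel leaves the array inconsistent on exception, deferring that write until the sort has completed does not.

```cpp
#include <algorithm>
#include <stdexcept>
#include <utility>
#include <vector>
// Hypothetical model (added example, not ChakraCore code) of the sort-prep bug: an
// engine array is a vector of slots plus a flag that must be true whenever any slot
// holds the MISSING sentinel (standing in for missing_item).
constexpr int MISSING = -1;
struct JsArrayModel {
    std::vector<int> slots;
    bool hasMissingItem;
};
// Comparator that throws part-way through, like a user toString() that throws.
struct ThrowingCompare {
    int callsLeft;  // comparisons allowed before throwing
    bool operator()(int a, int b) {
        if (callsLeft-- <= 0) throw std::runtime_error("toString threw");
        return a < b;
    }
};
// Deterministic insertion sort; comparator by reference so the budget is shared.
static void InsertionSort(std::vector<int>& v, ThrowingCompare& cmp) {
    for (std::size_t i = 1; i < v.size(); ++i)
        for (std::size_t j = i; j > 0 && cmp(v[j], v[j - 1]); --j)
            std::swap(v[j], v[j - 1]);
}
// Buggy order: live slots are overwritten with MISSING during prep, so an exception
// mid-sort leaves sentinels behind while hasMissingItem is still false.
static void SortBuggy(JsArrayModel& arr, ThrowingCompare cmp) {
    std::vector<int> tmp(arr.slots);
    std::fill(arr.slots.begin(), arr.slots.end(), MISSING);  // prep
    InsertionSort(tmp, cmp);                                 // may throw
    std::copy(tmp.begin(), tmp.end(), arr.slots.begin());
}
// Fixed order: the live array is not touched until the sort has completed.
static void SortFixed(JsArrayModel& arr, ThrowingCompare cmp) {
    std::vector<int> tmp(arr.slots);
    InsertionSort(tmp, cmp);  // may throw; arr is still intact
    std::copy(tmp.begin(), tmp.end(), arr.slots.begin());
}
// Invariant: any MISSING slot must be reflected by the flag.
static bool IsConsistent(const JsArrayModel& arr) {
    return arr.hasMissingItem ||
           std::find(arr.slots.begin(), arr.slots.end(), MISSING) == arr.slots.end();
}
// Sort {3, 1, 2} with a comparator that throws on its second call, catch the
// exception as script could, and report whether the invariant survived.
static bool SurvivesThrow(void (*sortFn)(JsArrayModel&, ThrowingCompare)) {
    JsArrayModel arr{{3, 1, 2}, false};
    try { sortFn(arr, ThrowingCompare{1}); } catch (const std::runtime_error&) {}
    return IsConsistent(arr);
}
```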
chakrabot pushed a commit that referenced this pull request on Jul 19, 2016:
Merge pull request #1291 from jianchun:pr1.2