
17-12 Security Update #4411

Merged
merged 16 commits into from
Dec 12, 2017

Conversation

MikeHolman
Contributor

MikeHolman and others added 15 commits December 6, 2017 18:59
… insert branches / make break control flow - Google, Inc.
A large numeric or spread array literal can lead to an overflow in ByteCodeGenerator that enables an OOB write. Fix is to use Int32Math to detect overflow and follow the overflow policy.

Also preventatively added a bunch of UInt32Math operations around sizeof size calculations.
…ly call user defined JavaScript functions - Google, Inc.
…a call param

The destructuring element in the call argslist was not correctly determined as we were not restoring the previous state.
Fixed that.
…oses scriptFunction - Google, Inc.

While trying to get the length property, pass the generator function as `this`, not the inner script function.
…o 360

In ConstructName the finalName is copied over from propertyName, which can contain a null character in between. In that case part of finalName will remain uninitialized, as we use RecyclerNewArrayLeaf to allocate finalName with the length of propertyName.
This change addresses a UAF that occurs when jitted code tries to index
into a detached ArrayBuffer.
The POC involves the convergence of JITing
- a virtual type buffer (a certain performant type buffer that meets
certain criteria)
- A proxy object whose setter can cause the type buffer to be detached
With this, it's possible to JIT code that indexes into the buffer
without any checks. Thus, it's possible to index into the freed memory
that backed the ArrayBuffer.

The fix is to make sure that any call before a virtual ArrayBuffer
access has a bailout to detect and protect against this assertion.
Avoid integer overflow in implementation of `String.prototype.replace`:

- Failfast in Chakra regex parser if a regex contains more than 2^15 capturing groups, thus avoiding overflow when passing the matching strings to `replace`'s second argument.

- Add comments to `RegexHelper::ReplaceFormatString` explaining why the capture index cannot overflow; add asserts to guard against it.
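The first commit above describes the fix for the ByteCodeGenerator overflow as "use Int32Math to detect overflow and follow the overflow policy", plus UInt32Math around sizeof-based size calculations. The block below is an added example of that pattern, not ChakraCore's own code: a checked 32-bit arithmetic helper with a caller-chosen overflow policy, a size computation built on it, and the unchecked computation it replaces, so the silent wrap is visible next to the rejection. The names `CheckedMath`, `ComputeAllocSize`, `UncheckedAllocSize` and `AccumulateElementCount`, and the shape of the overflow policy, are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Added example, not ChakraCore code. Stand-in for Int32Math/UInt32Math-style
// helpers: every operation either proves the result fits in 32 bits or
// reports overflow, so no caller ever sees a wrapped value.
namespace CheckedMath {

// Overflow policy: what happens when a computation does not fit in 32 bits.
// The fail-fast policy aborts the process, matching the engine's failfast
// style; a Try* function lets the caller reject the input instead.
using OverflowPolicy = void (*)();

inline void FailFastPolicy() {
    std::fputs("fatal: 32-bit size arithmetic overflowed\n", stderr);
    std::abort();
}

// Widen to 64 bits so the true result is available for the range check.
inline bool TryAddU32(uint32_t a, uint32_t b, uint32_t* out) {
    uint64_t r = static_cast<uint64_t>(a) + b;
    if (r > UINT32_MAX) return false;
    *out = static_cast<uint32_t>(r);
    return true;
}

inline bool TryMulU32(uint32_t a, uint32_t b, uint32_t* out) {
    uint64_t r = static_cast<uint64_t>(a) * b;
    if (r > UINT32_MAX) return false;
    *out = static_cast<uint32_t>(r);
    return true;
}

// Signed variant for quantities the engine tracks as int32 (e.g. element counts).
inline bool TryAddI32(int32_t a, int32_t b, int32_t* out) {
    int64_t r = static_cast<int64_t>(a) + b;
    if (r > INT32_MAX || r < INT32_MIN) return false;
    *out = static_cast<int32_t>(r);
    return true;
}

// Policy-applying wrapper: on overflow the policy runs and the wrapped value
// is never returned (under FailFastPolicy the return is unreachable).
inline uint32_t MulU32(uint32_t a, uint32_t b, OverflowPolicy onOverflow = FailFastPolicy) {
    uint32_t r;
    if (!TryMulU32(a, b, &r)) { onOverflow(); return 0; }
    return r;
}

} // namespace CheckedMath

// Byte size of a buffer laid out as header + count * elemSize. Returns false,
// and computes no size, when the result does not fit in 32 bits.
bool ComputeAllocSize(uint32_t count, uint32_t elemSize, uint32_t headerBytes, uint32_t* bytes) {
    uint32_t payload;
    if (!CheckedMath::TryMulU32(count, elemSize, &payload)) return false;
    return CheckedMath::TryAddU32(headerBytes, payload, bytes);
}

// The unchecked arithmetic the fix replaces: unsigned multiplication wraps
// silently, so a huge element count yields a tiny allocation that is later
// written past its end (the bug class the first commit describes).
uint32_t UncheckedAllocSize(uint32_t count, uint32_t elemSize, uint32_t headerBytes) {
    return headerBytes + count * elemSize;
}

// Running element count of an array literal, tracked as int32: reject the
// literal once adding the next group of elements would overflow the count.
bool AccumulateElementCount(int32_t current, int32_t added, int32_t* total) {
    return CheckedMath::TryAddI32(current, added, total);
}

int main() {
    uint32_t bytes = 0;
    const uint32_t hugeCount = 0x40000000u;  // constructed input: 2^30 elements of 8 bytes each
    if (!ComputeAllocSize(hugeCount, 8, 16, &bytes)) {
        std::puts("checked: size rejected (overflow)");
    }
    // The unchecked version wraps 2^33 to 0 and reports only the header size.
    std::printf("unchecked: %u bytes\n", UncheckedAllocSize(hugeCount, 8, 16));
    return 0;
}
```

The Try* functions are the ones to use where the input is attacker-controlled and the right response is to reject it (a too-large literal, a suspicious length); the policy-applying wrapper is for internal size math where an overflow can only mean an engine bug, and failing fast is safer than continuing with a wrong size.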
@chakrabot chakrabot merged commit 6e6301c into chakra-core:release/1.7 Dec 12, 2017
chakrabot pushed a commit that referenced this pull request Dec 12, 2017