Skip to content

Commit

Permalink
[MERGE #6531 @MikeHolman] December 2020 Security Update
Browse files Browse the repository at this point in the history 
Merge pull request #6531 from MikeHolman:servicing/2012

December 2020 Security Update that addresses the following issue in ChakraCore:

CVE-2020-17131
  • Loading branch information
@MikeHolman
MikeHolman committed Dec 8, 2020
2 parents 008e43e + c8b56ec commit a75335b
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 18 deletions.
2 changes: 1 addition & 1 deletion Build/NuGet/.pack-version
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.11.23
1.11.24
55 changes: 39 additions & 16 deletions lib/Backend/BackwardPass.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3856,7 +3856,7 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
IR::Instr * instr = this->currentInstr;
Func * currFunc = instr->m_func;

if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled() && !IsPrePass())
if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled())
{
switch (instr->m_opcode)
{
Expand All @@ -3875,28 +3875,37 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
if (IsFormalParamSym(currFunc, sym))
{
AssertMsg(!currFunc->GetJITFunctionBody()->HasImplicitArgIns(), "We don't have mappings between named formals and arguments object here");

instr->m_opcode = Js::OpCode::Ld_A;

PropertySym * propSym = sym->AsPropertySym();
Js::ArgSlot value = (Js::ArgSlot)propSym->m_propertyId;

Assert(currFunc->HasStackSymForFormal(value));
StackSym * paramStackSym = currFunc->GetStackSymForFormal(value);
IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
instr->ReplaceSrc1(srcOpnd);
this->ProcessSymUse(paramStackSym, true, true);

if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
if (!IsPrePass())
{
Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
Output::Flush();
IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
instr->ReplaceSrc1(srcOpnd);
instr->m_opcode = Js::OpCode::Ld_A;

if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
{
Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
Output::Flush();
}
}

this->ProcessSymUse(paramStackSym, true, true);
}
}
break;
}
case Js::OpCode::CommitScope:
{
if (IsPrePass())
{
break;
}
if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
{
instr->Remove();
Expand All @@ -3907,6 +3916,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
case Js::OpCode::BrFncCachedScopeEq:
case Js::OpCode::BrFncCachedScopeNeq:
{
if (IsPrePass())
{
break;
}
if (instr->GetSrc2()->IsScopeObjOpnd(currFunc))
{
instr->Remove();
Expand All @@ -3916,6 +3929,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
}
case Js::OpCode::CallHelper:
{
if (IsPrePass())
{
break;
}
//Remove the CALL and all its Argout instrs.
if (instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper == IR::JnHelperMethod::HelperOP_InitCachedFuncs)
{
Expand Down Expand Up @@ -3954,15 +3971,21 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)

if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
{
instr->m_opcode = Js::OpCode::NewScFunc;
IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
Assert(intConstOpnd->IsIntConstOpnd());
StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym();
if (!IsPrePass())
{
instr->m_opcode = Js::OpCode::NewScFunc;
IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
Assert(intConstOpnd->IsIntConstOpnd());

uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
intConstOpnd->Free(instr->m_func);
uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
intConstOpnd->Free(instr->m_func);

instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
instr->SetSrc2(IR::RegOpnd::New(frameDisplaySym, IRType::TyVar, currFunc));
}

instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
instr->SetSrc2(IR::RegOpnd::New(currFunc->GetLocalFrameDisplaySym(), IRType::TyVar, currFunc));
this->ProcessSymUse(frameDisplaySym, true, true);
}
break;
}
Expand Down
2 changes: 1 addition & 1 deletion lib/Common/ChakraCoreVersion.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
#define CHAKRA_CORE_MINOR_VERSION 11
#define CHAKRA_CORE_PATCH_VERSION 23
#define CHAKRA_CORE_PATCH_VERSION 24
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.

// -------------
Expand Down

0 comments on commit a75335b

Please sign in to comment.