17-11 Security Update #4226
Merged
17-11 Security Update #4226
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…:VEval function - Individual do not use eval map if we are eval-ing PropertyString
…f a javascript null scope object. - Internal
…turn the return instruction - Google, Inc.
…o RCE - Zero Day Initiative Fix *::TransferPass0 overflowing the returning integer, the allocation part is the only point that using the returning value.
…ontrolled allocation size and write - Individual When parsing a string template literal, we temporarily suspend updating some of the offset counters. If an attacker crafts a string template that contains multibyte characters, it is possible to overflow the minLine counter. The attacker can directly control the size of the overflow, which is then used in an allocation and offset calculation when handling a parse error. Further control can be gained by triggering a scanner capture and restore to propagate this bad counter value. Unfortunately this would have been caught by existing bounds checks, but they are asserts only. There are other instances of these around the codebase, but I did not see any exploits for those. To fix this, we manually update the minLine counter at the point where it would normally have been updated outside of a string template. I also changed the subtraction overflow asserts to be failfasts and added an assert for detecting overflow with multibyte characters. In the non-assert case, we will return 0. Other similar checks in IchMinTok and IchLimTok have also been converted.
MSLaguana
approved these changes
Nov 14, 2017
MikeHolman
approved these changes
Nov 14, 2017
|
fixed "BackEnd.h" with "Backend.h" |
meg-gupta
approved these changes
Nov 14, 2017
MSLaguana
reviewed
Nov 14, 2017
| @@ -4772,64 +4772,45 @@ namespace Js | |||
| return returnValue; | |||
| } | |||
|
|
|||
| template<typename T, typename T(*func)(Var, ScriptContext*)> bool MemsetConversion(Var value, ScriptContext* scriptContext, T* result) | |||
There was a problem hiding this comment.
clang is complaining about this line, it doesn't seem to like the typename T(*func)(Var, ScriptContext*)
�[1m/mnt/j/w/Microsoft_ChakraCore/release_1.7/shared_ubuntu_linux_debug_prtest/lib/Runtime/Language/JavascriptOperators.cpp:4775:35: �[0m�[0;1;31merror: �[0m�[1mexpected a qualified name after 'typename' [-Werror]�[0m
12:35:58 template<typename T, typename T(*func)(Var, ScriptContext*)> bool MemsetConversion(Var value, ScriptContext* scriptContext, T* result)
agarwal-sandeep
approved these changes
Nov 14, 2017
|
@dotnet-bot test OSX static_osx_osx_debug please |
…P_Memset: Type Confusion - Google, Inc.
…String's buffer could cause UAF.
…er IsLoopPrePass properly - Google, Inc.
…llocation - Google, Inc.
…lead to RCE - Individual
… check in Lowerer::LowerBoundCheck - Google, Inc. Math on IntConstType should be bounded by IRType of the Opnd. In case of Lowerer::LowerBoundCheck, it ended up that the IntConstOpnd is a TyInt32 and the overflow leads to bad bound check being emitted. For this I added a new IntConstMath class which takes an IRType as a parameter and validates that the result can be represented by that IRType.
… Qihoo 360 OOM in the Array.Shift method have left the array in the bad state and later it got overlapped and exploited. Fixed that by making the any exception as failfast in that region
…vidual Export was not taking care of destructuring nodes, leading to type confusion. Fixed that by adding support for walking those nodes.
…en for function objects with inline cache When trying to get inlineCaches for a ScriptFunctionWithInlineCache if the function got redefered and didn't got reparsed function body won’t be there (hence no inlineCache on function body). Check that and reset the inlineCache of ScriptFunctionWithInlineCache for such case.
|
fix build break in clang: |
|
@dotnet-bot test OSX static_osx_osx_debug please |
|
@dotnet-bot test Ubuntu shared_ubuntu_linux_debug please |
|
Looks like the test timeout failure isn't just OSX, it's also happening on linux debug builds: |
… eval on property will be slower, especially in debug build. here empty string or single char string is backed by property string (an optimazation for using inline buffer), and these two tests keep eval on empty string until stack overflow, which causes timeout on debug build. changing to eval on two spaces instead of empty string to avoid the issue
chakrabot
pushed a commit
that referenced
this pull request
Nov 16, 2017
Merge pull request #4226 from leirocks:1711-1 17-11 Security Update that addresses the following issues in ChakraCore CVE-2017-11791 CVE-2017-11836 CVE-2017-11837 CVE-2017-11838 CVE-2017-11840 CVE-2017-11841 CVE-2017-11843 CVE-2017-11846 CVE-2017-11858 CVE-2017-11861 CVE-2017-11862 CVE-2017-11870 CVE-2017-11871 CVE-2017-11873 CVE-2017-11874 CVE-2017-11866 CVE-2017-11859
chakrabot
pushed a commit
that referenced
this pull request
Nov 18, 2017
Merge pull request #4226 from leirocks:1711-1 17-11 Security Update that addresses the following issues in ChakraCore CVE-2017-11791 CVE-2017-11836 CVE-2017-11837 CVE-2017-11838 CVE-2017-11840 CVE-2017-11841 CVE-2017-11843 CVE-2017-11846 CVE-2017-11858 CVE-2017-11861 CVE-2017-11862 CVE-2017-11870 CVE-2017-11871 CVE-2017-11873 CVE-2017-11874 CVE-2017-11866 CVE-2017-11859
chakrabot
pushed a commit
that referenced
this pull request
Nov 18, 2017
Merge pull request #4226 from leirocks:1711-1 17-11 Security Update that addresses the following issues in ChakraCore CVE-2017-11791 CVE-2017-11836 CVE-2017-11837 CVE-2017-11838 CVE-2017-11840 CVE-2017-11841 CVE-2017-11843 CVE-2017-11846 CVE-2017-11858 CVE-2017-11861 CVE-2017-11862 CVE-2017-11870 CVE-2017-11871 CVE-2017-11873 CVE-2017-11874 CVE-2017-11866 CVE-2017-11859
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
17-11 Security Update that addresses the following issues in ChakraCore
CVE-2017-11791
CVE-2017-11836
CVE-2017-11837
CVE-2017-11838
CVE-2017-11840
CVE-2017-11841
CVE-2017-11843
CVE-2017-11846
CVE-2017-11858
CVE-2017-11861
CVE-2017-11862
CVE-2017-11870
CVE-2017-11871
CVE-2017-11873
CVE-2017-11874
CVE-2017-11866