17-05 ChakraCore servicing release #2959
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…Step method invocation issue While invoking then and catch functions on the promise returned by async function we were directly invoking those without checking. Overriding those methods with tagged int can cause wrong method execution.
…icit call if BailOutOnArrayAccessHelperCall is set, as that bailout kind indicates that downstream code will assume no side-effects.
Array length mutation introduced by copy-from-prototype reentrancy can cause heap overflow in concat fast paths. Fix by excluding copy-from-prototype cases from fast paths. Adjust unit tests to avoid excessively long run time.
…nt state Array segment allocation induces OOM that leaves length > size that can be exploited. Move code that updates segment size to after allocation; Replace "length <= size" Assert with AssertOrFailFast in JavascriptArray and SparseSegment; Add length vs. size check and FailFast throughout JavascriptArray and SparseSegment where segment length or size are being updated.
Segments were getting reversed in the ReverseHelper call. This made the head segment, which is an inlined segment, to be as a next segment. If that segment becomes part of another array (say due to splice) and the original array goes away then the inlined segment will also go away and we potentially holdind the freed memory.
Fixed that by detecting the inlined segment and convert to normal segment in the in EntryReverse API.
Fix instances of non-blinded possibly large constants in the jit
Don't eliminate bounds checks on virtual typed arrays if we can't guarantee that the accesses will be within 4Gb
Change the vtable of virtual typed arrays to regular typed arrays upon array buffer detach to prevent writes to detached buffer in the jitted code.
…assignment expression We don't calculate correct right paren location when a lambda contains an assignment expression where the assignment rhs is wrapped in parens. Due to the incorrect offset, we overwrite the buffer allocated in ScriptFunction::EnsureSourceString when we try to toString the lambda.
…uctor parse node If there is a multi-byte character in the source before a class decl, the constructor function created for that class will have incorrect byte offset values. This leads us to truncate the source string buffer when we try to do toString on that class constructor function and accidentally print garbage. Fix is to calculate the byte offsets correctly.
|
|
|
LGTM in terms of 37688 and 37814. |
suwc
approved these changes
May 11, 2017
dilijev
reviewed
May 11, 2017
test/utf8/rlexe.xml
Outdated
| <test> | ||
| <default> | ||
| <files>bugGH2656.js</files> | ||
| <compile-flags>-args summary</compile-flags> |
There was a problem hiding this comment.
yep. this test is actually failing the CI.
/cc @boingoing
|
Re: fix for CVE-2017-0230 |
|
Various CI problems in Jenkins and VSO. |
|
@dotnet-bot test windows arm_release windows x64_release windows x86_release |
|
@dotnet-bot test Windows arm_release |
|
@dotnet-bot test Windows x64_release |
|
@dotnet-bot test Windows x86_release |
|
@rajatd There's a prefast warning there. |
|
@rajatd Note: you can re-run multiple builds from a single comment. Just added a section to the Wiki to explain: https://github.com/Microsoft/ChakraCore/wiki/Jenkins-Build-Triggers#re-run-multiple-individual-builds |
|
LGTM |
boingoing
approved these changes
May 12, 2017
chakrabot
pushed a commit
that referenced
this pull request
May 12, 2017
Merge pull request #2959 from rajatd:release/1705 Fixes the following CVEs impacting ChakraCore: CVE-2017-0229 CVE-2017-0223 CVE-2017-0224 CVE-2017-0252 CVE-2017-0230 CVE-2017-0234 CVE-2017-0235 CVE-2017-0236 CVE-2017-0228 CVE-2017-0238 CVE-2017-0266
chakrabot
pushed a commit
that referenced
this pull request
May 15, 2017
Merge pull request #2959 from rajatd:release/1705 Fixes the following CVEs impacting ChakraCore: CVE-2017-0229 CVE-2017-0223 CVE-2017-0224 CVE-2017-0252 CVE-2017-0230 CVE-2017-0234 CVE-2017-0235 CVE-2017-0236 CVE-2017-0228 CVE-2017-0238 CVE-2017-0266
chakrabot
pushed a commit
that referenced
this pull request
May 15, 2017
…ng release Merge pull request #2959 from rajatd:release/1705 Fixes the following CVEs impacting ChakraCore: CVE-2017-0229 CVE-2017-0223 CVE-2017-0224 CVE-2017-0252 CVE-2017-0230 CVE-2017-0234 CVE-2017-0235 CVE-2017-0236 CVE-2017-0228 CVE-2017-0238 CVE-2017-0266
suwc
pushed a commit
to suwc/ChakraCore
that referenced
this pull request
May 31, 2017
This bug was introduced chakra-core#2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch
chakrabot
pushed a commit
that referenced
this pull request
Jun 1, 2017
…ent's 'left' field Merge pull request #3074 from suwc:build/suwc/bugfix This bug was introduced #2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch
chakrabot
pushed a commit
that referenced
this pull request
Jun 1, 2017
…f sparse segment's 'left' field Merge pull request #3074 from suwc:build/suwc/bugfix This bug was introduced #2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch
chakrabot
added a commit
to nodejs/node-chakracore
that referenced
this pull request
Jun 1, 2017
…suwc] Fix problems caused by late update of sparse segment's 'left' field Merge pull request #3074 from suwc:build/suwc/bugfix This bug was introduced chakra-core/ChakraCore#2959 (CVE-2017-0238) Revert the move of 'left' field update and add try..catch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes the following CVEs impacting ChakraCore:
CVE-2017-0229
CVE-2017-0223
CVE-2017-0224
CVE-2017-0252
CVE-2017-0230
CVE-2017-0234
CVE-2017-0235
CVE-2017-0236
CVE-2017-0228
CVE-2017-0238
CVE-2017-0266