Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ChakraCore 2018-05 security updates #5116

Merged
merged 14 commits into from
May 8, 2018
Merged

ChakraCore 2018-05 security updates #5116

merged 14 commits into from
May 8, 2018

Conversation

MSLaguana
Copy link
Contributor

No description provided.

@MSLaguana
Copy link
Contributor Author

MSLaguana commented May 8, 2018
edited
Loading

cc @meg-gupta @sigatrev @pleath @sethbrenith @Penguinwizzard @rajatd @akroshg @agarwal-sandeep @MikeHolman

@akroshg
Copy link
Contributor

akroshg commented May 8, 2018

LGTM

@sigatrev
Copy link
Contributor

sigatrev commented May 8, 2018

:shipit:

Meghana Gupta and others added 14 commits May 8, 2018 11:17
@MSLaguana
[CVE-2018-0945] Chakra - Crashing on a null deref - Individual
87f3367
@MSLaguana
[CVE-2018-8139] Edge - Chakra type confusion in boundfunction handlin…
ee5dfab 
…g - Internal
@sigatrev @MSLaguana
[CVE-2018-8137] Edge - chakra JIT array out of bound read/write vulne…
6e362fe 
…rability lead to Remote Code Execution
@pleath @MSLaguana
[CVE-2018-8178] Edge - Incorrect entry point expiration can cause RCE…
c8f723d 
… - Internal

Move the stack walk that detects active functions in support of entry point expiration from PreCollectionCallBack to PreRescanMarkCallback. Fixes some cases where active functions are not marked as such, and their jitted code is freed while they're on the call stack.
@pleath @MSLaguana
[CVE-2018-8128] Edge - UAF of borrowed inline caches after redeferral
23848b1 
Do not allow ScriptFunctionWithInlineCache to borrow its InlineCache* from the FunctionBody, because in certain cases of redeferral this will cause jitted code to access stale pointers. Instead of borrowing the caches from the FunctionBody, create a base ScriptFunction and let the runtime access the current FunctionBody inline caches when the function is executed.
@sethbrenith @MSLaguana
[CVE-2018-8177] Edge - Speculative type confusion on PropertyString
eb4b00b 
Re-order PropertyString poisoning code
@Penguinwizzard @MSLaguana
Add masking of stores for protection against Spectre.
e664e18
@MikeHolman @MSLaguana
[CVE-2018-8130] [CVE-2018-0946] move allocators to ServerScriptContex…
bee1e24 
…t, add missing marshalling code
@rajatd @MSLaguana
[CVE-2018-0953] Edge Chakra - JIT: Magic value can cause type confusi…
71d7b38 
…on - Google, Inc.
@rajatd @MSLaguana
[CVE-2018-0943]: Chakra Bug 15964039 - Unrestored bytecode register a…
32ee5de 
…fter bailout
@akroshg @MSLaguana
[CVE-2018-8133] Edge - Chakra: Type confusion with EntrySimpleObjectS…
1b56f9f 
…lotGetter
@akroshg @MSLaguana
[CVE-2018-1022] Inline segment is passed to another array - Internal
28928cb
@agarwal-sandeep @MSLaguana
[CVE-2018-0954] Report a stack variable uaf bug to Edge Bug Bounty - …
51c4637 
…360Vulcan - Edge RCE Web Plat beta bounty on WIP
@MSLaguana
Bumping version prior to release
ec2922b
@sethbrenith
Copy link
Contributor

LGTM

pleath
pleath reviewed May 8, 2018
View reviewed changes
lib/Runtime/Library/ScriptFunction.cpp
ScriptFunction* pfuncScript = scriptContext->GetLibrary()->CreateScriptFunction(functionProxy);
pfuncScript->SetEnvironment(environment);
pfuncScript = scriptContext->GetLibrary()->CreateScriptFunction(functionProxy);
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the part of the change that requires additional logic for release/1.9 . We can synch up to manage that.

@chakrabot chakrabot merged commit ec2922b into chakra-core:release/1.8 May 8, 2018
chakrabot pushed a commit that referenced this pull request May 8, 2018
@MSLaguana
[MERGE #5116 @MSLaguana] ChakraCore 2018-05 security updates
d554d0c 
Merge pull request #5116 from MSLaguana:servicing/1805
@MSLaguana MSLaguana deleted the servicing/1805 branch May 8, 2018 20:12
@rajatd rajatd self-requested a review May 8, 2018 20:13
chakrabot pushed a commit that referenced this pull request May 8, 2018
@MSLaguana
[1.8>1.9] [MERGE #5116 @MSLaguana] ChakraCore 2018-05 security updates
865f63b 
Merge pull request #5116 from MSLaguana:servicing/1805
chakrabot pushed a commit that referenced this pull request May 8, 2018
@MSLaguana
[1.9>master] [1.8>1.9] [MERGE #5116 @MSLaguana] ChakraCore 2018-05 se…
c1086a2 
…curity updates

Merge pull request #5116 from MSLaguana:servicing/1805
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@meg-gupta meg-gupta meg-gupta approved these changes

@pleath pleath pleath approved these changes

@rajatd rajatd Awaiting requested review from rajatd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.