Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ChakraCore 2018-05 security updates #5116

Merged
merged 14 commits into from
May 8, 2018
Merged

ChakraCore 2018-05 security updates #5116

Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift click to select a range
87f3367
[CVE-2018-0945] Chakra - Crashing on a null deref - Individual
Apr 11, 2018
ee5dfab
[CVE-2018-8139] Edge - Chakra type confusion in boundfunction handlin…
MSLaguana Apr 11, 2018
6e362fe
[CVE-2018-8137] Edge - chakra JIT array out of bound read/write vulne…
sigatrev Apr 18, 2018
c8f723d
[CVE-2018-8178] Edge - Incorrect entry point expiration can cause RCE…
pleath Apr 18, 2018
23848b1
[CVE-2018-8128] Edge - UAF of borrowed inline caches after redeferral
pleath Apr 18, 2018
eb4b00b
[CVE-2018-8177] Edge - Speculative type confusion on PropertyString
sethbrenith Apr 23, 2018
e664e18
Add masking of stores for protection against Spectre.
Penguinwizzard Apr 19, 2018
bee1e24
[CVE-2018-8130] [CVE-2018-0946] move allocators to ServerScriptContex…
MikeHolman Mar 20, 2018
71d7b38
[CVE-2018-0953] Edge Chakra - JIT: Magic value can cause type confusi…
rajatd Apr 26, 2018
32ee5de
[CVE-2018-0943]: Chakra Bug 15964039 - Unrestored bytecode register a…
rajatd Apr 26, 2018
1b56f9f
[CVE-2018-8133] Edge - Chakra: Type confusion with EntrySimpleObjectS…
akroshg May 1, 2018
28928cb
[CVE-2018-1022] Inline segment is passed to another array - Internal
akroshg May 1, 2018
51c4637
[CVE-2018-0954] Report a stack variable uaf bug to Edge Bug Bounty - …
agarwal-sandeep May 2, 2018
ec2922b
Bumping version prior to release
MSLaguana May 8, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
[CVE-2018-1022] Inline segment is passed to another array - Internal
  • Loading branch information
@akroshg @MSLaguana
akroshg authored and MSLaguana committed May 8, 2018
commit 28928cba24968ed11022608f466c4ccc3470e64d
13 changes: 11 additions & 2 deletions lib/Runtime/Library/JavascriptArray.inl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 155,7 @@ namespace Js
DetermineInlineHeadSegmentPointer<T, InlinePropertySlots, false>(array);
if(wasZeroAllocated)
{
AssertOrFailFast(size <= SparseArraySegmentBase::INLINE_CHUNK_SIZE);
if(length != 0)
{
head->length = length;
Expand Down Expand Up @@ -238,6 239,14 @@ namespace Js
DetermineAllocationSize<className, inlineSlots>(length, &allocationPlusSize, &alignedInlineElementSlots);
}

// alignedInlineElementSlots is actually the 'size' of the segment. The size of the segment should not be greater than InlineHead segment limit, otherwise the inline
// segment may not be interpreted as inline segment if the length extends to the size.
// the size could increase because of allignment.
// Update the size so that it does not exceed SparseArraySegmentBase::INLINE_CHUNK_SIZE.

uint inlineChunkSize = SparseArraySegmentBase::INLINE_CHUNK_SIZE;
uint size = min(alignedInlineElementSlots, inlineChunkSize);

array = RecyclerNewPlusZ(recycler, allocationPlusSize, className, length, arrayType);

// An new array's head segment length is initialized to zero despite the array length being nonzero because the segment
Expand All @@ -250,9 259,9 @@ namespace Js
// a variable until it is fully initialized, there is no way for script code to use the array while it still has missing
// values.
SparseArraySegment<unitType> *head =
InitArrayAndHeadSegment<className, inlineSlots>(array, length, alignedInlineElementSlots, true);
InitArrayAndHeadSegment<className, inlineSlots>(array, length, size, true);

head->FillSegmentBuffer(length, alignedInlineElementSlots);
head->FillSegmentBuffer(length, size);

Assert(array->HasNoMissingValues());
return array;
Expand Down