
Commit a75335b

committed
[MERGE #6531 @MikeHolman] December 2020 Security Update
Merge pull request #6531 from MikeHolman:servicing/2012 December 2020 Security Update that addresses the following issue in ChakraCore: CVE-2020-17131
2 parents 008e43e + c8b56ec commit a75335b


3 files changed

+41
-18
lines changed


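--- a/Build/NuGet/.pack-version
+++ b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.23
+1.11.24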

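--- a/lib/Backend/BackwardPass.cpp
+++ b/lib/Backend/BackwardPass.cpp
@@ -3856,7 +3856,7 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
     IR::Instr * instr = this->currentInstr;
     Func * currFunc = instr->m_func;
 
-    if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled() && !IsPrePass())
+    if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled())
     {
         switch (instr->m_opcode)
         {
@@ -3875,28 +3875,37 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
                     if (IsFormalParamSym(currFunc, sym))
                     {
                         AssertMsg(!currFunc->GetJITFunctionBody()->HasImplicitArgIns(), "We don't have mappings between named formals and arguments object here");
-
-                        instr->m_opcode = Js::OpCode::Ld_A;
+
                         PropertySym * propSym = sym->AsPropertySym();
                         Js::ArgSlot value = (Js::ArgSlot)propSym->m_propertyId;
 
                         Assert(currFunc->HasStackSymForFormal(value));
                         StackSym * paramStackSym = currFunc->GetStackSymForFormal(value);
-                        IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
-                        instr->ReplaceSrc1(srcOpnd);
-                        this->ProcessSymUse(paramStackSym, true, true);
 
-                        if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+                        if (!IsPrePass())
                         {
-                            Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
-                            Output::Flush();
+                            IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
+                            instr->ReplaceSrc1(srcOpnd);
+                            instr->m_opcode = Js::OpCode::Ld_A;
+
+                            if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+                            {
+                                Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
+                                Output::Flush();
+                            }
                         }
+
+                        this->ProcessSymUse(paramStackSym, true, true);
                     }
                 }
                 break;
             }
             case Js::OpCode::CommitScope:
             {
+                if (IsPrePass())
+                {
+                    break;
+                }
                 if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
                 {
                     instr->Remove();
@@ -3907,6 +3916,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
             case Js::OpCode::BrFncCachedScopeEq:
             case Js::OpCode::BrFncCachedScopeNeq:
             {
+                if (IsPrePass())
+                {
+                    break;
+                }
                 if (instr->GetSrc2()->IsScopeObjOpnd(currFunc))
                 {
                     instr->Remove();
@@ -3916,6 +3929,10 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
             }
             case Js::OpCode::CallHelper:
             {
+                if (IsPrePass())
+                {
+                    break;
+                }
                 //Remove the CALL and all its Argout instrs.
                 if (instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper == IR::JnHelperMethod::HelperOP_InitCachedFuncs)
                 {
@@ -3954,15 +3971,21 @@ BackwardPass::DeadStoreOrChangeInstrForScopeObjRemoval(IR::Instr ** pInstrPrev)
 
                 if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
                 {
-                    instr->m_opcode = Js::OpCode::NewScFunc;
-                    IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
-                    Assert(intConstOpnd->IsIntConstOpnd());
+                    StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym();
+                    if (!IsPrePass())
+                    {
+                        instr->m_opcode = Js::OpCode::NewScFunc;
+                        IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
+                        Assert(intConstOpnd->IsIntConstOpnd());
 
-                    uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
-                    intConstOpnd->Free(instr->m_func);
+                        uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
+                        intConstOpnd->Free(instr->m_func);
+
+                        instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
+                        instr->SetSrc2(IR::RegOpnd::New(frameDisplaySym, IRType::TyVar, currFunc));
+                    }
 
-                    instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
-                    instr->SetSrc2(IR::RegOpnd::New(currFunc->GetLocalFrameDisplaySym(), IRType::TyVar, currFunc));
+                    this->ProcessSymUse(frameDisplaySym, true, true);
                 }
                 break;
             }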

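--- a/lib/Common/ChakraCoreVersion.h
+++ b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 23
+#define CHAKRA_CORE_PATCH_VERSION 24
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------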
