
JULY 2018 Security Update #5444

Merged
merged 13 commits into chakra-core:release/1.10 from atulkatti:servicing/1807_1.10
Jul 10, 2018

Conversation

atulkatti
Contributor

JULY 2018 Security Update that addresses the following issues in ChakraCore.dll:
[CVE-2018-8275], [CVE-2018-8276], [CVE-2018-8279], [CVE-2018-8280], [CVE-2018-8283], [CVE-2018-8286], [CVE-2018-8287], [CVE-2018-8288], [CVE-2018-8290], [CVE-2018-8291], [CVE-2018-8294], [CVE-2018-8298]

MSLaguana and others added 13 commits July 10, 2018 10:03
…ed buffer allows for semi arbitrary memory read write.
…script9.dll after closing WebBrowserControl - Internal.
… - Individual

If an attacker can force ServerAddDOMFastPathHelper to be called with bad arguments (e.g. using a separate OOB write vuln on the content process), then we will have an OOB read in the JIT process, which leads us to lower a direct call to that OOB value.
We have cleared the segment map before ArraySpecies. The ArraySpecies is re-entrant, and once we have come back from user code we may have constructed the segment map. This segment map is not valid anymore as we are doing splicing. Fixed this by clearing the segment map.
… first before marshalling the last parameter to a FrameDisplay - Internal
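The splice commit message above describes a cache (the segment map) that is cleared, then rebuilt by re-entrant user code, and then used against storage that has since changed. The C++ below is an added illustration of that pattern and of the fix, not ChakraCore code: the `SparseArray`, `Lookup`, `Splice` and `SpliceThenGet` names and the storage layout are invented for this example, and a stale map position is reported as `StaleMap` rather than dereferenced as the real engine would have.

```cpp
// Added example (not ChakraCore code): a model of the re-entrancy hazard described in the
// splice/ArraySpecies commit message. All names and the layout are invented for illustration.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

constexpr std::size_t kNoSegment = static_cast<std::size_t>(-1);

enum class Lookup { Found, Absent, StaleMap };

struct SparseArray {
    std::vector<std::pair<std::size_t, int>> segments;  // (index, value), ascending by index
    std::vector<std::size_t> segmentMap;                 // cache: index -> position in segments
    bool mapValid = false;

    void ClearSegmentMap() { segmentMap.clear(); mapValid = false; }

    // Rebuild the cache from storage; sized by the largest index present.
    void BuildSegmentMap() {
        std::size_t size = segments.empty() ? 0 : segments.back().first + 1;
        segmentMap.assign(size, kNoSegment);
        for (std::size_t pos = 0; pos < segments.size(); ++pos) {
            segmentMap[segments[pos].first] = pos;
        }
        mapValid = true;
    }

    void Set(std::size_t index, int value) {
        auto it = segments.begin();
        while (it != segments.end() && it->first < index) ++it;
        if (it != segments.end() && it->first == index) it->second = value;
        else segments.insert(it, std::make_pair(index, value));
        ClearSegmentMap();  // storage changed, so the cache must be rebuilt before use
    }

    // Lookup through the cached map. In a real engine a stale position would be used as-is
    // (a read past the end of storage or of the wrong element); here it is detected instead.
    Lookup Get(std::size_t index, int& out) {
        if (!mapValid) BuildSegmentMap();
        if (index >= segmentMap.size() || segmentMap[index] == kNoSegment) return Lookup::Absent;
        std::size_t pos = segmentMap[index];
        if (pos >= segments.size() || segments[pos].first != index) return Lookup::StaleMap;
        out = segments[pos].second;
        return Lookup::Found;
    }

    // Remove `count` logical indices from `start`, shifting later entries down.
    // `speciesStep` stands in for user code that runs re-entrantly before storage is mutated.
    void Splice(std::size_t start, std::size_t count,
                const std::function<void(SparseArray&)>& speciesStep, bool clearAfterCallback) {
        ClearSegmentMap();                          // original code: cleared once, before user code
        speciesStep(*this);                         // user code may call Get() and rebuild the map
        if (clearAfterCallback) ClearSegmentMap();  // the fix: that rebuilt map must not survive
        std::vector<std::pair<std::size_t, int>> kept;
        for (const auto& seg : segments) {
            if (seg.first < start) kept.push_back(seg);
            else if (seg.first >= start + count) kept.emplace_back(seg.first - count, seg.second);
        }
        segments.swap(kept);                        // mutation assumes the map is already invalid
    }
};

// Same splice with and without the fix; reports what a lookup of `probe` sees afterwards.
Lookup SpliceThenGet(bool fixed, std::size_t probe, int& out) {
    SparseArray a;
    a.Set(0, 0); a.Set(1, 10); a.Set(5, 50); a.Set(6, 60);  // constructed sample contents
    // Any read inside the species step is enough to rebuild the map mid-operation.
    auto userCode = [](SparseArray& arr) { int v = 0; arr.Get(6, v); };
    a.Splice(1, 1, userCode, fixed);  // drops index 1; index 5 becomes 4, index 6 becomes 5
    out = -1;
    return a.Get(probe, out);
}

// Value seen at `probe` after the splice, or -1 when the lookup did not report Found.
int ValueAfterSplice(bool fixed, std::size_t probe) {
    int v = 0;
    return SpliceThenGet(fixed, probe, v) == Lookup::Found ? v : -1;
}

int main() {
    const char* names[] = {"Found", "Absent", "StaleMap"};
    const std::size_t probes[] = {1, 4, 6};
    for (std::size_t probe : probes) {
        int b = 0, f = 0;
        Lookup lb = SpliceThenGet(false, probe, b), lf = SpliceThenGet(true, probe, f);
        std::printf("index %zu: buggy=%s fixed=%s(%d)\n", probe,
                    names[static_cast<int>(lb)], names[static_cast<int>(lf)], f);
    }
    return 0;
}
```

Without the second clear, the lookup for index 4 wrongly reports the entry absent and the lookups for indices 1 and 6 land on positions the storage no longer backs; with the clear after the callback, the map is rebuilt lazily from the mutated storage and every lookup is consistent.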
@akroshg
Contributor

akroshg commented Jul 10, 2018

LGTM #Resolved

#if ENABLE_FIXED_FIELDS
this->IsInitialized = descriptor.IsInitialized;
this->IsOnlyOneAccessorInitialized = descriptor.IsOnlyOneAccessorInitialized;
Contributor Author

@atulkatti atulkatti Jul 10, 2018

[CVE-2018-8291] LGTM #Resolved

{
// Setter without a getter; this is a stale entry, so ignore it
continue;
}
Contributor Author

@atulkatti atulkatti Jul 10, 2018

[CVE-2018-8283]: LGTM #Resolved

{
JavascriptError::ThrowTypeError(scriptContext, JSERR_DetachedTypedArray);
}

//10. Let O be OrdinaryCreateFromConstructor(NewTarget, "%DataViewPrototype%", [[DataView]], [[ViewedArrayBuffer]], [[ByteLength]], [[ByteOffset]]).
Contributor Author

@atulkatti atulkatti Jul 10, 2018

[CVE-2018-8280] LGTM #Resolved

// is kept alive until this callback completes. Any pending timer is killed in the thread service destructor so we should not get
// any new callbacks after the thread service is destroyed.
AutoAddRefReleaseThreadService autoThreadServiceKeepAlive(this);

Contributor Author

@atulkatti atulkatti Jul 10, 2018

[CVE-2018-8287] LGTM #Resolved

Contributor

@aneeshdk aneeshdk left a comment

:shipit:

Contributor

@rajatd rajatd left a comment

:shipit:

@@ -1543,7 +1536,7 @@ DEFINE_ISXLOCALEAVAILABLE(PR, uloc)
}

state->SetInternalProperty(
InternalPropertyIds::HiddenObject,
InternalPropertyIds::CachedUNumberFormat,
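Review bot: a dedicated key for the cached formatter needs matching readers: every lookup on this state object that previously used InternalPropertyIds::HiddenObject must now use InternalPropertyIds::CachedUNumberFormat, and none of those call sites are visible in this hunk, so it would help to list them in the PR description. The -/+ markers were lost in extraction, but the hunk header (-1543,7 +1536,7) shows a one-for-one line replacement, so HiddenObject is removed and CachedUNumberFormat takes its place in the SetInternalProperty call.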
Contributor Author

@atulkatti atulkatti Jul 10, 2018

CachedUNumberFormat

[CVE-2018-8298] LGTM #Resolved

@@ -283,6 +283,7 @@ DECLSPEC_GUARDIGNORE _NOINLINE intptr_t GetNonTableMethodAddress(ThreadContextI
///----------------------------------------------------------------------------
intptr_t GetMethodOriginalAddress(ThreadContextInfo * context, JnHelperMethod helperMethod)
{
AssertOrFailFast(helperMethod >= 0 && helperMethod < IR::JnHelperMethodCount);
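Review bot: keep this range check as AssertOrFailFast rather than a plain Assert, since a plain Assert compiles out of release builds and helperMethod is the index that selects a method address in this function; a one-line comment stating that the check guards the lookup that follows would stop a later cleanup from downgrading it to a debug-only assert. If JnHelperMethod has an unsigned underlying type, the `helperMethod >= 0` half is always true and may draw a compiler warning; harmless, but worth a glance.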
Contributor Author

@atulkatti atulkatti Jul 10, 2018

AssertOrFailFast

[CVE-2018-8276] LGTM #Resolved

Contributor

@dilijev dilijev left a comment

Intl change LGTM /cc @jackhorton

@chakrabot chakrabot merged commit 17f8fe3 into chakra-core:release/1.10 Jul 10, 2018
chakrabot pushed a commit that referenced this pull request Jul 10, 2018
Merge pull request #5444 from atulkatti:servicing/1807_1.10

JULY 2018 Security Update that addresses the following issues in ChakraCore.dll:
[CVE-2018-8275], [CVE-2018-8276], [CVE-2018-8279], [CVE-2018-8280], [CVE-2018-8283], [CVE-2018-8286], [CVE-2018-8287], [CVE-2018-8288], [CVE-2018-8290], [CVE-2018-8291], [CVE-2018-8294], [CVE-2018-8298]