CVE-2018-8583 Edge - Chakra JIT OOB 9 13 leads to RCE

akroshg · akroshg · commit 8d21cde342a4 · 2018-12-10T10:52:18.000-08:00
In the loop range check we emit add instruction to add 1 to the range. That can overflow. We did't have overflow bailout over there.
Fixed that by adding bailout over there.
diff --git a/lib/Backend/GlobOptIntBounds.cpp b/lib/Backend/GlobOptIntBounds.cpp
@@ -1822,11 +1822,16 @@ void GlobOpt::GenerateLoopCountPlusOne(Loop *const loop, LoopCount *const loopCo
         IR::RegOpnd *loopCountOpnd = IR::RegOpnd::New(type, func);
         IR::RegOpnd *minusOneOpnd = IR::RegOpnd::New(loopCount->LoopCountMinusOneSym(), type, func);
         minusOneOpnd->SetIsJITOptimizedReg(true);
-        insertBeforeInstr->InsertBefore(IR::Instr::New(Js::OpCode::Add_I4,
-                                                       loopCountOpnd,
-                                                       minusOneOpnd,
-                                                       IR::IntConstOpnd::New(1, type, func, true),
-                                                       func));
+        IR::Instr* incrInstr = IR::Instr::New(Js::OpCode::Add_I4,
+            loopCountOpnd,
+            minusOneOpnd,
+            IR::IntConstOpnd::New(1, type, func, true),
+            func);
+
+        insertBeforeInstr->InsertBefore(incrInstr);
+
+        // Incrementing to 1 can overflow - add a bounds check bailout here
+        incrInstr->ConvertToBailOutInstr(bailOutInfo, IR::BailOutOnFailedHoistedLoopCountBasedBoundCheck);
         loopCount->SetLoopCountSym(loopCountOpnd->GetStackSym());
     }
 }
