[MERGE #6531 @MikeHolman] December 2020 Security Update
Merge pull request #6531 from MikeHolman:servicing/2012
December 2020 Security Update that addresses the following issue in ChakraCore:
CVE-2020-17131
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
index 33fb4ac..f2a994e 100644
--- a/Build/NuGet/.pack-version
+++ b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.23
+1.11.24
diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp
index 2cdeac4..0403f18 100644
--- a/lib/Backend/BackwardPass.cpp
+++ b/lib/Backend/BackwardPass.cpp
@@ -3856,7 +3856,7 @@
IR::Instr * instr = this->currentInstr;
Func * currFunc = instr->m_func;
- if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled() && !IsPrePass())
+ if (this->tag == Js::DeadStorePhase && instr->m_func->IsStackArgsEnabled())
{
switch (instr->m_opcode)
{
@@ -3875,28 +3875,37 @@
if (IsFormalParamSym(currFunc, sym))
{
AssertMsg(!currFunc->GetJITFunctionBody()->HasImplicitArgIns(), "We don't have mappings between named formals and arguments object here");
-
- instr->m_opcode = Js::OpCode::Ld_A;
+
PropertySym * propSym = sym->AsPropertySym();
Js::ArgSlot value = (Js::ArgSlot)propSym->m_propertyId;
Assert(currFunc->HasStackSymForFormal(value));
StackSym * paramStackSym = currFunc->GetStackSymForFormal(value);
- IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
- instr->ReplaceSrc1(srcOpnd);
- this->ProcessSymUse(paramStackSym, true, true);
- if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+ if (!IsPrePass())
{
- Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
- Output::Flush();
+ IR::RegOpnd * srcOpnd = IR::RegOpnd::New(paramStackSym, TyVar, currFunc);
+ instr->ReplaceSrc1(srcOpnd);
+ instr->m_opcode = Js::OpCode::Ld_A;
+
+ if (PHASE_VERBOSE_TRACE1(Js::StackArgFormalsOptPhase))
+ {
+ Output::Print(_u("StackArgFormals : %s (%d) :Replacing LdSlot with Ld_A in Deadstore pass. \n"), instr->m_func->GetJITFunctionBody()->GetDisplayName(), instr->m_func->GetFunctionNumber());
+ Output::Flush();
+ }
}
+
+ this->ProcessSymUse(paramStackSym, true, true);
}
}
break;
}
case Js::OpCode::CommitScope:
{
+ if (IsPrePass())
+ {
+ break;
+ }
if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
{
instr->Remove();
@@ -3907,6 +3916,10 @@
case Js::OpCode::BrFncCachedScopeEq:
case Js::OpCode::BrFncCachedScopeNeq:
{
+ if (IsPrePass())
+ {
+ break;
+ }
if (instr->GetSrc2()->IsScopeObjOpnd(currFunc))
{
instr->Remove();
@@ -3916,6 +3929,10 @@
}
case Js::OpCode::CallHelper:
{
+ if (IsPrePass())
+ {
+ break;
+ }
//Remove the CALL and all its Argout instrs.
if (instr->GetSrc1()->AsHelperCallOpnd()->m_fnHelper == IR::JnHelperMethod::HelperOP_InitCachedFuncs)
{
@@ -3954,15 +3971,21 @@
if (instr->GetSrc1()->IsScopeObjOpnd(currFunc))
{
- instr->m_opcode = Js::OpCode::NewScFunc;
- IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
- Assert(intConstOpnd->IsIntConstOpnd());
+ StackSym * frameDisplaySym = currFunc->GetLocalFrameDisplaySym();
+ if (!IsPrePass())
+ {
+ instr->m_opcode = Js::OpCode::NewScFunc;
+ IR::Opnd * intConstOpnd = instr->UnlinkSrc2();
+ Assert(intConstOpnd->IsIntConstOpnd());
- uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
- intConstOpnd->Free(instr->m_func);
+ uint nestedFuncIndex = instr->m_func->GetJITFunctionBody()->GetNestedFuncIndexForSlotIdInCachedScope(intConstOpnd->AsIntConstOpnd()->AsUint32());
+ intConstOpnd->Free(instr->m_func);
- instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
- instr->SetSrc2(IR::RegOpnd::New(currFunc->GetLocalFrameDisplaySym(), IRType::TyVar, currFunc));
+ instr->ReplaceSrc1(IR::IntConstOpnd::New(nestedFuncIndex, TyUint32, instr->m_func));
+ instr->SetSrc2(IR::RegOpnd::New(frameDisplaySym, IRType::TyVar, currFunc));
+ }
+
+ this->ProcessSymUse(frameDisplaySym, true, true);
}
break;
}
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
index d6d376a..0ed2efd 100644
--- a/lib/Common/ChakraCoreVersion.h
+++ b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
// ChakraCore version number definitions (used in ChakraCore binary metadata)
#define CHAKRA_CORE_MAJOR_VERSION 1
#define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 23
+#define CHAKRA_CORE_PATCH_VERSION 24
#define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
// -------------
