
Commit d8ef97d

committed
[CVE-2017-0229] Non-blinded constants remaining in jit
Fix instances of non-blinded, possibly large constants in the JIT
1 parent 0cdbf2f commit d8ef97d

5 files changed

Lines changed: 38 additions & 18 deletions


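--- a/lib/Backend/GlobOpt.cpp
+++ b/lib/Backend/GlobOpt.cpp
@@ -16014,7 +16014,7 @@ GlobOpt::AttachBoundsCheckData(IR::Instr* instr, IR::Opnd* lowerBound, IR::Opnd*
 instr->SetSrc2(upperBound);
 if (offset != 0)
 {
-instr->SetDst(IR::IntConstOpnd::New(offset, TyInt32, instr->m_func, true));
+instr->SetDst(IR::IntConstOpnd::New(offset, TyInt32, instr->m_func));
 }
 return instr;
 }
@@ -17307,8 +17307,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
 : IR::IntConstOpnd::New(
 hoistInfo.IndexConstantBounds().LowerBound(),
 TyInt32,
-instr->m_func,
-true);
+instr->m_func);
 lowerBound->SetIsJITOptimizedReg(true);
 IR::Opnd* upperBound = IR::RegOpnd::New(headSegmentLengthSym, headSegmentLengthSym->GetType(), instr->m_func);
 upperBound->SetIsJITOptimizedReg(true);
@@ -17456,7 +17455,7 @@ GlobOpt::OptArraySrc(IR::Instr * *const instrRef)
 {
 IR::Opnd* lowerBound = baseOwnerIndir->GetIndexOpnd()
 ? static_cast<IR::Opnd *>(baseOwnerIndir->GetIndexOpnd())
-: IR::IntConstOpnd::New(baseOwnerIndir->GetOffset(), TyInt32, instr->m_func, true);
+: IR::IntConstOpnd::New(baseOwnerIndir->GetOffset(), TyInt32, instr->m_func);
 lowerBound->SetIsJITOptimizedReg(true);
 IR::Opnd* upperBound = IR::RegOpnd::New(headSegmentLengthSym, headSegmentLengthSym->GetType(), instr->m_func);
 upperBound->SetIsJITOptimizedReg(true);
@@ -21406,7 +21405,7 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In
 {
 sizeOpnd = IR::RegOpnd::New(TyUint32, this->func);
 
-IR::Opnd *unrollOpnd = IR::IntConstOpnd::New(unroll, type, localFunc, true);
+IR::Opnd *unrollOpnd = IR::IntConstOpnd::New(unroll, type, localFunc);
 
 InsertInstr(IR::Instr::New(Js::OpCode::Mul_I4,
 sizeOpnd,
@@ -21419,7 +21418,7 @@ GlobOpt::GenerateInductionVariableChangeForMemOp(Loop *loop, byte unroll, IR::In
 else
 {
 uint size = (loopCount->LoopCountMinusOneConstantValue() + 1) * unroll;
-sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc, true);
+sizeOpnd = IR::IntConstOpnd::New(size, IRType::TyUint32, localFunc);
 }
 loop->memOpInfo->inductionVariableOpndPerUnrollMap->Add(unroll, sizeOpnd);
 return sizeOpnd;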
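Review bot: Dropping the trailing `true` is the whole fix in this hunk, yet the code gives no hint that the omitted fourth argument is the operand's `dontEncode` flag (the one the LowerMDShared.cpp hunk passes explicitly) or why a bounds-check offset must stay eligible for constant blinding, so the flag can easily be reintroduced by someone copying a nearby call. A one-line comment above the `SetDst` call, e.g. `// offset may be large: leave dontEncode unset so the encoder blinds the immediate`, would record the intent. The same applies to the hunks at 17307, 17456, 21406 and 21419 in this file, to the IRBuilder.cpp 4879 hunk, and to the Lower.cpp 12858, 12870 and 23891 hunks. AttachBoundsCheckData's body starts outside the hunk.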

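--- a/lib/Backend/IRBuilder.cpp
+++ b/lib/Backend/IRBuilder.cpp
@@ -4879,14 +4879,14 @@ IRBuilder::BuildAuxiliary(Js::OpCode newOpcode, uint32 offset)
 // The property ID array needs to be both relocatable and available (so we can
 // get the slot capacity), so we need to just pass the offset to lower and let
 // lower take it from there...
-srcOpnd = IR::IntConstOpnd::New(auxInsn->Offset, TyUint32, m_func, true);
+srcOpnd = IR::IntConstOpnd::New(auxInsn->Offset, TyUint32, m_func);
 dstOpnd = this->BuildDstOpnd(dstRegSlot);
 dstOpnd->SetValueType(ValueType::GetObject(ObjectType::UninitializedObject));
 instr = IR::Instr::New(newOpcode, dstOpnd, srcOpnd, m_func);
 
 // Because we're going to be making decisions based off the value, we have to defer
 // this until we get to lowering.
-instr->SetSrc2(IR::IntConstOpnd::New(literalObjectId, TyUint32, m_func, true));
+instr->SetSrc2(IR::IntConstOpnd::New(literalObjectId, TyUint32, m_func));
 
 if (dstOpnd->m_sym->m_isSingleDef)
 {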

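--- a/lib/Backend/Lower.cpp
+++ b/lib/Backend/Lower.cpp
@@ -12858,7 +12858,7 @@ void Lowerer::LowerBoundCheck(IR::Instr *const instr)
 true,
 addResultOpnd,
 rightOpnd,
-offsetOpnd ? offsetOpnd->UseWithNewType(TyInt32, func) : IR::IntConstOpnd::New(offset, TyInt32, func, true),
+offsetOpnd ? offsetOpnd->UseWithNewType(TyInt32, func) : IR::IntConstOpnd::New(offset, TyInt32, func),
 insertBeforeInstr);
 InsertBranch(LowererMD::MDOverflowBranchOpcode, bailOutLabel, insertBeforeInstr);
 
@@ -12870,7 +12870,7 @@ void Lowerer::LowerBoundCheck(IR::Instr *const instr)
 // $bailOut:
 if(!rightOpnd)
 {
-rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func, true);
+rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
 }
 InsertCompareBranch(leftOpnd, rightOpnd, compareOpCode, doUnsignedCompare, skipBailOutLabel, insertBeforeInstr);
 }
@@ -20571,7 +20571,7 @@ bool Lowerer::GenerateFastEqBoolInt(IR::Instr * instr, bool *pNeedHelper)
 // If it's not zero, then it's either 1, in which case it's true, or it's something else, in which
 // case the two will compare as inequal
 InsertCompareBranch(
-IR::IntConstOpnd::New((((IntConstType)1) << Js::VarTag_Shift) + Js::AtomTag, IRType::TyVar, this->m_func),
+IR::IntConstOpnd::New((((IntConstType)1) << Js::VarTag_Shift) + Js::AtomTag, IRType::TyVar, this->m_func, true),
 srcInt->AsRegOpnd(),
 Js::OpCode::BrNeq_A,
 isBranchNotCompare ? inequalResultTarget : forceInequal, // in the case of branching, we can go straight to the inequal target; for compares, we need to load the value
@@ -23891,7 +23891,7 @@ void Lowerer::GenerateSingleCharStrJumpTableLookup(IR::Instr * instr)
 
 // CMP charOpnd, lastCaseIndex - baseCaseIndex
 // JA defaultLabel
-InsertCompareBranch(charOpnd, IR::IntConstOpnd::New(multiBrInstr->m_lastCaseValue - multiBrInstr->m_baseCaseValue, TyUint32, func, true),
+InsertCompareBranch(charOpnd, IR::IntConstOpnd::New(multiBrInstr->m_lastCaseValue - multiBrInstr->m_baseCaseValue, TyUint32, func),
 Js::OpCode::BrGt_A, true, defaultLabelInstr, instr);
 
 instr->UnlinkSrc1();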
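Review bot: The 20571 hunk goes the opposite way from the rest of the commit — it adds the fourth `true` argument so that `(((IntConstType)1) << Js::VarTag_Shift) + Js::AtomTag` is not blinded — and nothing in the code says why this immediate is exempt while the bound-check offsets at 12858 and 12870 and the jump-table range at 23891 are not. Presumably the reason is that this value is built only from compile-time tag constants, so it carries no input-derived bits and blinding it buys nothing; that should be written down, e.g. `// dontEncode: fixed tag constant, not derived from script input, so blinding is unnecessary` above the `IR::IntConstOpnd::New` call. Without such a comment a later reader cannot tell an intentional exemption from a missed site. GenerateFastEqBoolInt's body starts and ends outside the hunk.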

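--- a/lib/Backend/LowerMDShared.cpp
+++ b/lib/Backend/LowerMDShared.cpp
@@ -1257,7 +1257,7 @@ void LowererMD::ChangeToShift(IR::Instr *const instr, const bool needFlags)
 }
 }
 
-void LowererMD::ChangeToMul(IR::Instr *const instr, bool hasOverflowCheck)
+void LowererMD::ChangeToIMul(IR::Instr *const instr, bool hasOverflowCheck)
 {
 // If non-32 bit overflow check is needed, we have to use the IMUL form.
 if (hasOverflowCheck && !instr->ShouldCheckFor32BitOverflow() && instr->ShouldCheckForNon32BitOverflow())
@@ -1272,8 +1272,29 @@ void LowererMD::ChangeToMul(IR::Instr *const instr, bool hasOverflowCheck)
 {
 // MOV reg, imm
 temp2 = IR::RegOpnd::New(TyInt32, instr->m_func);
+
+IR::Opnd * src2 = instr->GetSrc2();
+bool dontEncode = false;
+if (src2->IsHelperCallOpnd())
+{
+dontEncode = true;
+}
+else if (src2->IsIntConstOpnd() || src2->IsAddrOpnd())
+{
+dontEncode = src2->IsIntConstOpnd() ? src2->AsIntConstOpnd()->m_dontEncode : src2->AsAddrOpnd()->m_dontEncode;
+}
+else if (src2->IsInt64ConstOpnd())
+{
+dontEncode = false;
+}
+else
+{
+AssertMsg(false, "Unexpected immediate opnd");
+throw Js::OperationAbortedException();
+}
+
 instr->InsertBefore(IR::Instr::New(Js::OpCode::MOV, temp2,
-IR::IntConstOpnd::New((IntConstType)instr->GetSrc2()->GetImmediateValue(instr->m_func), TyInt32, instr->m_func, true),
+IR::IntConstOpnd::New((IntConstType)instr->GetSrc2()->GetImmediateValue(instr->m_func), TyInt32, instr->m_func, dontEncode),
 instr->m_func));
 }
 // eax = IMUL eax, reg
@@ -2061,7 +2082,7 @@ void LowererMD::LegalizeSrc(IR::Instr *const instr, IR::Opnd *src, const uint fo
 if (!instr->isInlineeEntryInstr)
 {
 Assert(forms & L_Reg);
-IR::IntConstOpnd * newIntOpnd = IR::IntConstOpnd::New(intOpnd->GetValue(), intOpnd->GetType(), instr->m_func, true);
+IR::IntConstOpnd * newIntOpnd = intOpnd->Copy(instr->m_func)->AsIntConstOpnd();
 IR::IndirOpnd * indirOpnd = instr->m_func->GetTopFunc()->GetConstantAddressIndirOpnd(intOpnd->GetValue(), newIntOpnd, IR::AddrOpndKindConstantAddress, TyMachPtr, Js::OpCode::MOV);
 if (HoistLargeConstant(indirOpnd, src, instr))
 {
@@ -2125,7 +2146,7 @@ void LowererMD::LegalizeSrc(IR::Instr *const instr, IR::Opnd *src, const uint fo
 Assert(!instr->isInlineeEntryInstr);
 Assert(forms & L_Reg);
 // TODO: michhol, remove cast after making m_address intptr
-IR::AddrOpnd * newAddrOpnd = IR::AddrOpnd::New(addrOpnd->m_address, addrOpnd->GetAddrOpndKind(), instr->m_func, true);
+IR::AddrOpnd * newAddrOpnd = addrOpnd->Copy(instr->m_func)->AsAddrOpnd();
 IR::IndirOpnd * indirOpnd = instr->m_func->GetTopFunc()->GetConstantAddressIndirOpnd((intptr_t)addrOpnd->m_address, newAddrOpnd, addrOpnd->GetAddrOpndKind(), TyMachPtr, Js::OpCode::MOV);
 if (HoistLargeConstant(indirOpnd, src, instr))
 {
@@ -7236,7 +7257,7 @@ LowererMD::LowerInt4MulWithBailOut(
 // Lower the instruction
 if (!simplifiedMul)
 {
-LowererMD::ChangeToMul(instr, needsOverflowCheck);
+LowererMD::ChangeToIMul(instr, needsOverflowCheck);
 }
 
 const auto insertBeforeInstr = checkForNegativeZeroLabel ? checkForNegativeZeroLabel : bailOutLabel;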
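Review bot: In the 1272 hunk the new block computes `dontEncode` from `src2`, but the MOV immediately below still calls `instr->GetSrc2()` a second time instead of reusing it; `IR::IntConstOpnd::New((IntConstType)src2->GetImmediateValue(instr->m_func), TyInt32, instr->m_func, dontEncode),` keeps the operand the flag was derived from and the operand whose value is copied in one variable, so the two cannot drift apart. The `else if (src2->IsInt64ConstOpnd()) { dontEncode = false; }` branch only restates the initializer; keeping it as an explicit case is fine, but a comment such as `// int64 immediates never carry a dontEncode flag: always blind` would say why it exists. The `AssertMsg` plus `throw Js::OperationAbortedException()` fallback is the right fail-closed choice, since an unrecognized operand kind can never silently become a non-blinded immediate. ChangeToIMul's body continues past the hunk.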

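--- a/lib/Backend/LowerMDShared.h
+++ b/lib/Backend/LowerMDShared.h
@@ -50,7 +50,7 @@ class LowererMD
 static void ChangeToAdd(IR::Instr *const instr, const bool needFlags);
 static void ChangeToSub(IR::Instr *const instr, const bool needFlags);
 static void ChangeToShift(IR::Instr *const instr, const bool needFlags);
-static void ChangeToMul(IR::Instr *const instr, const bool hasOverflowCheck = false);
+static void ChangeToIMul(IR::Instr *const instr, const bool hasOverflowCheck = false);
 static const uint16 GetFormalParamOffset();
 static const Js::OpCode MDUncondBranchOpcode;
 static const Js::OpCode MDExtend32Opcode;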
