[CVE-2017-0224, CVE-2017-0235] Chakra - JavascriptPromise::AsyncSpawnStep method invocation issue

aneeshdk · rajatd · commit f022afb8246a · 2017-05-10T09:31:12.000-07:00
While invoking then and catch functions on the promise returned by
async function we were directly invoking those without checking.
Overriding those methods with tagged int can cause wrong method execution.
diff --git a/lib/Runtime/Library/JavascriptLibrary.cpp b/lib/Runtime/Library/JavascriptLibrary.cpp
@@ -6184,7 +6184,7 @@ namespace Js
         return function;
     }
 
-    JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* JavascriptLibrary::CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, JavascriptFunction* resolve, JavascriptFunction* reject, bool isReject)
+    JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* JavascriptLibrary::CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, Var resolve, Var reject, bool isReject)
     {
         FunctionInfo* functionInfo = RecyclerNew(this->GetRecycler(), FunctionInfo, entryPoint);
         DynamicType* type = CreateDeferredPrototypeFunctionType(this->inDispatchProfileMode ? ProfileEntryThunk : entryPoint);
diff --git a/lib/Runtime/Library/JavascriptLibrary.h b/lib/Runtime/Library/JavascriptLibrary.h
@@ -984,7 +984,7 @@ namespace Js
         JavascriptExternalFunction* CreateStdCallExternalFunction(StdCallJavascriptMethod entryPointer, PropertyId nameId, void *callbackState);
         JavascriptExternalFunction* CreateStdCallExternalFunction(StdCallJavascriptMethod entryPointer, Var nameId, void *callbackState);
         JavascriptPromiseAsyncSpawnExecutorFunction* CreatePromiseAsyncSpawnExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var target);
-        JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, JavascriptFunction* resolve = NULL, JavascriptFunction* reject = NULL, bool isReject = false);
+        JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, Var resolve = nullptr, Var reject = nullptr, bool isReject = false);
         JavascriptPromiseCapabilitiesExecutorFunction* CreatePromiseCapabilitiesExecutorFunction(JavascriptMethod entryPoint, JavascriptPromiseCapability* capability);
         JavascriptPromiseResolveOrRejectFunction* CreatePromiseResolveOrRejectFunction(JavascriptMethod entryPoint, JavascriptPromise* promise, bool isReject, JavascriptPromiseResolveOrRejectFunctionAlreadyResolvedWrapper* alreadyResolvedRecord);
         JavascriptPromiseReactionTaskFunction* CreatePromiseReactionTaskFunction(JavascriptMethod entryPoint, JavascriptPromiseReaction* reaction, Var argument);
diff --git a/lib/Runtime/Library/JavascriptPromise.cpp b/lib/Runtime/Library/JavascriptPromise.cpp
@@ -1009,8 +1009,8 @@ namespace Js
         JavascriptGenerator* gen = asyncSpawnExecutorFunction->GetGenerator();
         JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* nextFunction = library->CreatePromiseAsyncSpawnStepArgumentExecutorFunction(EntryJavascriptPromiseAsyncSpawnStepNextExecutorFunction, gen, varCallArgs);
 
-        Assert(JavascriptFunction::Is(resolve) && JavascriptFunction::Is(reject));
-        AsyncSpawnStep(nextFunction, gen, JavascriptFunction::FromVar(resolve), JavascriptFunction::FromVar(reject));
+        Assert(JavascriptConversion::IsCallable(resolve) && JavascriptConversion::IsCallable(reject));
+        AsyncSpawnStep(nextFunction, gen, resolve, reject);
 
         return undefinedVar;
     }
@@ -1054,8 +1054,8 @@ namespace Js
         JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* asyncSpawnStepExecutorFunction = JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::FromVar(function);
         JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* functionArg;
         JavascriptGenerator* gen = asyncSpawnStepExecutorFunction->GetGenerator();
-        JavascriptFunction* reject = asyncSpawnStepExecutorFunction->GetReject();
-        JavascriptFunction* resolve = asyncSpawnStepExecutorFunction->GetResolve();
+        Var reject = asyncSpawnStepExecutorFunction->GetReject();
+        Var resolve = asyncSpawnStepExecutorFunction->GetResolve();
 
         if (asyncSpawnStepExecutorFunction->GetIsReject())
         {
@@ -1071,9 +1071,9 @@ namespace Js
         return undefinedVar;
     }
 
-    void JavascriptPromise::AsyncSpawnStep(JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* nextFunction, JavascriptGenerator* gen, JavascriptFunction* resolve, JavascriptFunction* reject)
+    void JavascriptPromise::AsyncSpawnStep(JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* nextFunction, JavascriptGenerator* gen, Var resolve, Var reject)
     {
-        ScriptContext* scriptContext = resolve->GetScriptContext();
+        ScriptContext* scriptContext = gen->GetScriptContext();
         JavascriptLibrary* library = scriptContext->GetLibrary();
         Var undefinedVar = library->GetUndefined();
 
@@ -1105,7 +1105,12 @@ namespace Js
         {
             // finished with success, resolve the promise
             value = JavascriptOperators::GetProperty(next, PropertyIds::value, scriptContext);
-            CALL_FUNCTION(scriptContext->GetThreadContext(), resolve, CallInfo(CallFlags_Value, 2), undefinedVar, value);
+            if (!JavascriptConversion::IsCallable(resolve))
+            {
+                JavascriptError::ThrowTypeError(scriptContext, JSERR_NeedFunction);
+            }
+            CALL_FUNCTION(scriptContext->GetThreadContext(), RecyclableObject::FromVar(resolve), CallInfo(CallFlags_Value, 2), undefinedVar, value);
+
             return;
         }
 
@@ -1118,11 +1123,19 @@ namespace Js
         Var promiseVar = CALL_FUNCTION(scriptContext->GetThreadContext(), promiseResolve, CallInfo(CallFlags_Value, 2), library->GetPromiseConstructor(), value);
         JavascriptPromise* promise = FromVar(promiseVar);
 
-        JavascriptFunction* promiseThen = JavascriptFunction::FromVar(JavascriptOperators::GetProperty(promise, PropertyIds::then, scriptContext));
-        CALL_FUNCTION(scriptContext->GetThreadContext(), promiseThen, CallInfo(CallFlags_Value, 2), promise, successFunction);
+        Var promiseThen = JavascriptOperators::GetProperty(promise, PropertyIds::then, scriptContext);
+        if (!JavascriptConversion::IsCallable(promiseThen))
+        {
+            JavascriptError::ThrowTypeError(scriptContext, JSERR_NeedFunction);
+        }
+        CALL_FUNCTION(scriptContext->GetThreadContext(), RecyclableObject::FromVar(promiseThen), CallInfo(CallFlags_Value, 2), promise, successFunction);
 
-        JavascriptFunction* promiseCatch = JavascriptFunction::FromVar(JavascriptOperators::GetProperty(promise, PropertyIds::catch_, scriptContext));
-        CALL_FUNCTION(scriptContext->GetThreadContext(), promiseCatch, CallInfo(CallFlags_Value, 2), promise, failFunction);
+        Var promiseCatch = JavascriptOperators::GetProperty(promise, PropertyIds::catch_, scriptContext);
+        if (!JavascriptConversion::IsCallable(promiseCatch))
+        {
+            JavascriptError::ThrowTypeError(scriptContext, JSERR_NeedFunction);
+        }
+        CALL_FUNCTION(scriptContext->GetThreadContext(), RecyclableObject::FromVar(promiseCatch), CallInfo(CallFlags_Value, 2), promise, failFunction);
     }
 
 #if ENABLE_TTD
@@ -1435,7 +1448,7 @@ namespace Js
     }
 #endif
 
-    JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction(DynamicType* type, FunctionInfo* functionInfo, JavascriptGenerator* generator, Var argument, JavascriptFunction* resolve, JavascriptFunction* reject, bool isReject)
+    JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction(DynamicType* type, FunctionInfo* functionInfo, JavascriptGenerator* generator, Var argument, Var resolve, Var reject, bool isReject)
         : RuntimeFunction(type, functionInfo), generator(generator), argument(argument), resolve(resolve), reject(reject), isReject(isReject)
     { }
 
@@ -1464,12 +1477,12 @@ namespace Js
         return this->generator;
     }
 
-    JavascriptFunction* JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::GetResolve()
+    Var JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::GetResolve()
     {
         return this->resolve;
     }
 
-    JavascriptFunction* JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::GetReject()
+    Var JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction::GetReject()
     {
         return this->reject;
     }
diff --git a/lib/Runtime/Library/JavascriptPromise.h b/lib/Runtime/Library/JavascriptPromise.h
@@ -78,21 +78,21 @@ namespace Js
         DEFINE_MARSHAL_OBJECT_TO_SCRIPT_CONTEXT(JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction);
 
     public:
-        JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction(DynamicType* type, FunctionInfo* functionInfo, JavascriptGenerator* generator, Var argument, JavascriptFunction* resolve = NULL, JavascriptFunction* reject = NULL, bool isReject = false);
+        JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction(DynamicType* type, FunctionInfo* functionInfo, JavascriptGenerator* generator, Var argument, Var resolve = nullptr, Var reject = nullptr, bool isReject = false);
 
         inline static bool Is(Var var);
         inline static JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* FromVar(Var var);
 
         JavascriptGenerator* GetGenerator();
-        JavascriptFunction* GetReject();
-        JavascriptFunction* GetResolve();
+        Var GetReject();
+        Var GetResolve();
         bool GetIsReject();
         Var GetArgument();
 
     private:
         JavascriptGenerator* generator;
-        JavascriptFunction* reject;
-        JavascriptFunction* resolve;
+        Var reject;
+        Var resolve;
         bool isReject;
         Var argument;
 
@@ -466,7 +466,7 @@ namespace Js
         JavascriptPromiseReactionList* rejectReactions;
 
     private :
-        static void AsyncSpawnStep(JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* nextFunction, JavascriptGenerator* gen, JavascriptFunction* resolve, JavascriptFunction* reject);
+        static void AsyncSpawnStep(JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* nextFunction, JavascriptGenerator* gen, Var resolve, Var reject);
 
 #if ENABLE_TTD
     public:
diff --git a/test/Bugs/bug11026788.js b/test/Bugs/bug11026788.js
@@ -0,0 +1,38 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+async function foo( ) {
+    var p1 = new Promise(
+        timeout1 => {
+            setTimeout( () => {
+                timeout1( 1 );
+            }, 500 );
+        }
+    );
+
+    var p2 = new Promise(
+        timeout2 => {
+            setTimeout( () => {
+                timeout2( 2 );
+            }, 500 );
+        }
+    );
+
+    return await p1 + await p2;
+}
+
+promise = foo();
+promise.__proto__.then = (0x41414141 - 8) >> 0;
+
+try {
+    promise.then( function( value ){} );
+    WScript.Echo("FAILED");
+} catch (e) {
+    if (e instanceof TypeError) {
+        WScript.Echo("PASSED");
+    } else {
+        WScript.Echo("FAILED");
+    }
+}
diff --git a/test/Bugs/rlexe.xml b/test/Bugs/rlexe.xml
@@ -392,4 +392,9 @@
       <compile-flags>-mic:1 -off:simplejit -oopjit- -bgjit-</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug11026788.js</files>
+    </default>
+  </test>
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -6184,7 +6184,7 @@ namespace Js`
`6184`	`6184`	`return function;`
`6185`	`6185`	`}`
`6186`	`6186`
`6187`		`- JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* JavascriptLibrary::CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, JavascriptFunction* resolve, JavascriptFunction* reject, bool isReject)`
	`6187`	`+ JavascriptPromiseAsyncSpawnStepArgumentExecutorFunction* JavascriptLibrary::CreatePromiseAsyncSpawnStepArgumentExecutorFunction(JavascriptMethod entryPoint, JavascriptGenerator* generator, Var argument, Var resolve, Var reject, bool isReject)`
`6188`	`6188`	`{`
`6189`	`6189`	`FunctionInfo* functionInfo = RecyclerNew(this->GetRecycler(), FunctionInfo, entryPoint);`
`6190`	`6190`	`DynamicType* type = CreateDeferredPrototypeFunctionType(this->inDispatchProfileMode ? ProfileEntryThunk : entryPoint);`