[CVE-2017-0252] CopyNativeIntArrayElementsToVar overflow

Suwei Chen · rajatd · commit f95aa762f89a · 2017-05-10T09:33:33.000-07:00
Array length mutation introduced by copy-from-prototype
reentrancy can cause heap overflow in concat fast paths.
Fix by excluding copy-from-prototype cases from fast paths.
Adjust unit tests to avoid excessively long run time.
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -3066,7 +3066,7 @@ namespace Js
             }
 
             if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)
-                && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex()) // Fast path
+                && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex() && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
             {
                 if (JavascriptNativeIntArray::Is(aItem))
                 {
@@ -3200,10 +3200,11 @@ namespace Js
         for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)
         {
             Var aItem = args[idxArg];
+            BOOL isConcatSpreadable = false;
 
             if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
             {
-                JS_REENTRANT(jsReentLock, BOOL isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));
+                JS_REENTRANT(jsReentLock, isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));
                 if (!JavascriptNativeIntArray::Is(pDestArray))
                 {
                     ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
@@ -3222,7 +3223,7 @@ namespace Js
                 }
             }
 
-            if (JavascriptNativeIntArray::Is(aItem)) // Fast path
+            if (JavascriptNativeIntArray::Is(aItem) && !JavascriptNativeIntArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
             {
                 JavascriptNativeIntArray* pItemArray = JavascriptNativeIntArray::FromVar(aItem);
                 
@@ -3258,7 +3259,9 @@ namespace Js
             else
             {
                 JavascriptArray *pVarDestArray = JavascriptNativeIntArray::ConvertToVarArray(pDestArray);
-                JS_REENTRANT(jsReentLock, ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest));
+                BigIndex length;
+                JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext),
+                    ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, isConcatSpreadable, length));
                 return pVarDestArray;
             }
         }
@@ -3276,10 +3279,11 @@ namespace Js
         for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)
         {
             Var aItem = args[idxArg];
+            BOOL isConcatSpreadable = false;
 
             if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
             {
-                JS_REENTRANT(jsReentLock, BOOL isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));
+                JS_REENTRANT(jsReentLock, isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));
                 if (!JavascriptNativeFloatArray::Is(pDestArray))
                 {
                     ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
@@ -3299,18 +3303,18 @@ namespace Js
                 }
             }
 
-            bool converted;
+            bool converted = false;
             if (JavascriptArray::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array)
             {
-                if (JavascriptNativeIntArray::Is(aItem)) // Fast path
+                if (JavascriptNativeIntArray::Is(aItem) && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
                 {
                     JavascriptNativeIntArray *pIntArray = JavascriptNativeIntArray::FromVar(aItem);
                     
                     JS_REENTRANT(jsReentLock, converted = CopyNativeIntArrayElementsToFloat(pDestArray, idxDest, pIntArray));
 
                     idxDest = idxDest + pIntArray->length;
                 }
-                else if (JavascriptNativeFloatArray::Is(aItem))
+                else if (JavascriptNativeFloatArray::Is(aItem) && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes())
                 {
                     JavascriptNativeFloatArray* pItemArray = JavascriptNativeFloatArray::FromVar(aItem);
 
@@ -3322,7 +3326,9 @@ namespace Js
                 {
                     JavascriptArray *pVarDestArray = JavascriptNativeFloatArray::ConvertToVarArray(pDestArray);
 
-                    JS_REENTRANT(jsReentLock, ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest));
+                    BigIndex length;
+                    JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext),
+                        ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, isConcatSpreadable, length));
 
                     return pVarDestArray;
                 }
diff --git a/test/Array/concat2.baseline b/test/Array/concat2.baseline
@@ -1,26 +1,26 @@
 -------concat Small-------------
 - concat 101, 102, 103, 104, 105
-length: 2147483647
-  2147483641: 100
-  2147483642: 101
-  2147483643: 102
-  2147483644: 103
-  2147483645: 104
-  2147483646: 105
+length: 505
+  499: 100
+  500: 101
+  501: 102
+  502: 103
+  503: 104
+  504: 105
 - arr.concat(arr)
-length: 4294967294
-  2147483641: 100
-  2147483642: 101
-  2147483643: 102
-  2147483644: 103
-  2147483645: 104
-  2147483646: 105
-  4294967288: 100
-  4294967289: 101
-  4294967290: 102
-  4294967291: 103
-  4294967292: 104
-  4294967293: 105
+length: 1010
+  499: 100
+  500: 101
+  501: 102
+  502: 103
+  503: 104
+  504: 105
+  1004: 100
+  1005: 101
+  1006: 102
+  1007: 103
+  1008: 104
+  1009: 105
 -------test prototype lookup-------------
 a: 200,101,202,203,204,105,106,207
 r: 200,101,202,203,204,105,106,207,300,301,302,303,304
diff --git a/test/Array/concat2.js b/test/Array/concat2.js
@@ -38,7 +38,7 @@ function test_concat(size) {
 }
 
 echo("-------concat Small-------------");
-test_concat(2147483642);
+test_concat(500);
 
 // Fix for MSRC 33319 changes concat to skip a fast path if the index we're copying into is a BigIndex.
 // Disable the large portion of this test since this change makes such a test run for hours.
diff --git a/test/es6/es6toLength.js b/test/es6/es6toLength.js
@@ -12,12 +12,12 @@ var tests = [
        {
             var c = [];
             c[0] = 1;
-            c[4294967293] = 2;
+            c[100] = 2;
             var oNeg = { length : -1, 0 : 3, 1: 4, [Symbol.isConcatSpreadable] : true};
             c = c.concat(oNeg);
             assert.areEqual(1, c[0], "confirm indices of array concated to did not change")
-            assert.areEqual(2, c[4294967293], "confirm indices of array concated to did not change");
-            assert.areEqual(undefined, c[4294967294], "Length of oNeg is coerced to 0 nothing is concated here");
+            assert.areEqual(2, c[100], "confirm indices of array concated to did not change");
+            assert.areEqual(undefined, c[101], "Length of oNeg is coerced to 0 nothing is concated here");
        }
    },
    {

Original file line number	Diff line number	Diff line change
`@@ -3066,7 +3066,7 @@ namespace Js`
`3066`	`3066`	`}`
`3067`	`3067`
`3068`	`3068`	`if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)`
`3069`		`- && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex()) // Fast path`
	`3069`	`+ && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex() && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path`
`3070`	`3070`	`{`
`3071`	`3071`	`if (JavascriptNativeIntArray::Is(aItem))`
`3072`	`3072`	`{`
`@@ -3200,10 +3200,11 @@ namespace Js`
`3200`	`3200`	`for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)`
`3201`	`3201`	`{`
`3202`	`3202`	`Var aItem = args[idxArg];`
	`3203`	`+ BOOL isConcatSpreadable = false;`
`3203`	`3204`
`3204`	`3205`	`if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
`3205`	`3206`	`{`
`3206`		`- JS_REENTRANT(jsReentLock, BOOL isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));`
	`3207`	`+ JS_REENTRANT(jsReentLock, isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));`
`3207`	`3208`	`if (!JavascriptNativeIntArray::Is(pDestArray))`
`3208`	`3209`	`{`
`3209`	`3210`	`ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);`
`@@ -3222,7 +3223,7 @@ namespace Js`
`3222`	`3223`	`}`
`3223`	`3224`	`}`
`3224`	`3225`
`3225`		`- if (JavascriptNativeIntArray::Is(aItem)) // Fast path`
	`3226`	`+ if (JavascriptNativeIntArray::Is(aItem) && !JavascriptNativeIntArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path`
`3226`	`3227`	`{`
`3227`	`3228`	`JavascriptNativeIntArray* pItemArray = JavascriptNativeIntArray::FromVar(aItem);`
`3228`	`3229`
`@@ -3258,7 +3259,9 @@ namespace Js`
`3258`	`3259`	`else`
`3259`	`3260`	`{`
`3260`	`3261`	`JavascriptArray *pVarDestArray = JavascriptNativeIntArray::ConvertToVarArray(pDestArray);`
`3261`		`- JS_REENTRANT(jsReentLock, ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest));`
	`3262`	`+ BigIndex length;`
	`3263`	`+ JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext),`
	`3264`	`+ ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, isConcatSpreadable, length));`
`3262`	`3265`	`return pVarDestArray;`
`3263`	`3266`	`}`
`3264`	`3267`	`}`
`@@ -3276,10 +3279,11 @@ namespace Js`
`3276`	`3279`	`for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)`
`3277`	`3280`	`{`
`3278`	`3281`	`Var aItem = args[idxArg];`
	`3282`	`+ BOOL isConcatSpreadable = false;`
`3279`	`3283`
`3280`	`3284`	`if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
`3281`	`3285`	`{`
`3282`		`- JS_REENTRANT(jsReentLock, BOOL isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));`
	`3286`	`+ JS_REENTRANT(jsReentLock, isConcatSpreadable = JavascriptOperators::IsConcatSpreadable(aItem));`
`3283`	`3287`	`if (!JavascriptNativeFloatArray::Is(pDestArray))`
`3284`	`3288`	`{`
`3285`	`3289`	`ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);`
`@@ -3299,18 +3303,18 @@ namespace Js`
`3299`	`3303`	`}`
`3300`	`3304`	`}`
`3301`	`3305`
`3302`		`- bool converted;`
	`3306`	`+ bool converted = false;`
`3303`	`3307`	`if (JavascriptArray::IsAnyArray(aItem) \|\| remoteTypeIds[idxArg] == TypeIds_Array)`
`3304`	`3308`	`{`
`3305`		`- if (JavascriptNativeIntArray::Is(aItem)) // Fast path`
	`3309`	`+ if (JavascriptNativeIntArray::Is(aItem) && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path`
`3306`	`3310`	`{`
`3307`	`3311`	`JavascriptNativeIntArray *pIntArray = JavascriptNativeIntArray::FromVar(aItem);`
`3308`	`3312`
`3309`	`3313`	`JS_REENTRANT(jsReentLock, converted = CopyNativeIntArrayElementsToFloat(pDestArray, idxDest, pIntArray));`
`3310`	`3314`
`3311`	`3315`	`idxDest = idxDest + pIntArray->length;`
`3312`	`3316`	`}`
`3313`		`- else if (JavascriptNativeFloatArray::Is(aItem))`
	`3317`	`+ else if (JavascriptNativeFloatArray::Is(aItem) && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes())`
`3314`	`3318`	`{`
`3315`	`3319`	`JavascriptNativeFloatArray* pItemArray = JavascriptNativeFloatArray::FromVar(aItem);`
`3316`	`3320`
`@@ -3322,7 +3326,9 @@ namespace Js`
`3322`	`3326`	`{`
`3323`	`3327`	`JavascriptArray *pVarDestArray = JavascriptNativeFloatArray::ConvertToVarArray(pDestArray);`
`3324`	`3328`
`3325`		`- JS_REENTRANT(jsReentLock, ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest));`
	`3329`	`+ BigIndex length;`
	`3330`	`+ JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext),`
	`3331`	`+ ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, isConcatSpreadable, length));`
`3326`	`3332`
`3327`	`3333`	`return pVarDestArray;`
`3328`	`3334`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ function test_concat(size) {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`echo("-------concat Small-------------");`
`41`		`-test_concat(2147483642);`
	`41`	`+test_concat(500);`
`42`	`42`
`43`	`43`	`// Fix for MSRC 33319 changes concat to skip a fast path if the index we're copying into is a BigIndex.`
`44`	`44`	`// Disable the large portion of this test since this change makes such a test run for hours.`
Original file line number	Diff line number	Diff line change
`@@ -12,12 +12,12 @@ var tests = [`
`12`	`12`	`{`
`13`	`13`	`var c = [];`
`14`	`14`	`c[0] = 1;`
`15`		`- c[4294967293] = 2;`
	`15`	`+ c[100] = 2;`
`16`	`16`	`var oNeg = { length : -1, 0 : 3, 1: 4, [Symbol.isConcatSpreadable] : true};`
`17`	`17`	`c = c.concat(oNeg);`
`18`	`18`	`assert.areEqual(1, c[0], "confirm indices of array concated to did not change")`
`19`		`- assert.areEqual(2, c[4294967293], "confirm indices of array concated to did not change");`
`20`		`- assert.areEqual(undefined, c[4294967294], "Length of oNeg is coerced to 0 nothing is concated here");`
	`19`	`+ assert.areEqual(2, c[100], "confirm indices of array concated to did not change");`
	`20`	`+ assert.areEqual(undefined, c[101], "Length of oNeg is coerced to 0 nothing is concated here");`
`21`	`21`	`}`
`22`	`22`	`},`
`23`	`23`	`{`