[MERGE #6447 @rajeshpeter] ChakraCore Servicing Update for 2020.05B

rajeshpeter · rajeshpeter · commit 5ed29856cf88 · 2020-05-12T14:39:27.000-07:00
Merge pull request #6447 from rajeshpeter:servicing/2005 **Changes to address the following issues:** **[CVE-2020-1037]** Ensure JIT bails out when there is an object marked as temporary during an implicit call, to prevent objects stored on the stack to be used outside of the function. This is done by preventing removal of the Bailout instruction for that case during the DeadStore pass of GlobOpt. **[CVE-2020-1065]** A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This an result in us calculating incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only triggers when the enclosing function's param and body scopes are merged so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
diff --git a/Build/NuGet/.pack-version b/Build/NuGet/.pack-version
@@ -1 +1 @@
-1.11.18
+1.11.19
diff --git a/lib/Backend/GlobOptBailOut.cpp b/lib/Backend/GlobOptBailOut.cpp
@@ -1204,7 +1204,8 @@ GlobOpt::IsImplicitCallBailOutCurrentlyNeeded(IR::Instr * instr, Value const * s
             NeedBailOnImplicitCallForLiveValues(block, isForwardPass) ||
             NeedBailOnImplicitCallForCSE(block, isForwardPass) ||
             NeedBailOnImplicitCallWithFieldOpts(block->loop, hasLiveFields) ||
-            NeedBailOnImplicitCallForArrayCheckHoist(block, isForwardPass)
+            NeedBailOnImplicitCallForArrayCheckHoist(block, isForwardPass) || 
+            (instr->HasBailOutInfo() && (instr->GetBailOutKind() & IR::BailOutMarkTempObject) != 0)
         ) &&
         (!instr->HasTypeCheckBailOut() && MayNeedBailOnImplicitCall(instr, src1Val, src2Val)))
     {
diff --git a/lib/Common/ChakraCoreVersion.h b/lib/Common/ChakraCoreVersion.h
@@ -17,7 +17,7 @@
 // ChakraCore version number definitions (used in ChakraCore binary metadata)
 #define CHAKRA_CORE_MAJOR_VERSION 1
 #define CHAKRA_CORE_MINOR_VERSION 11
-#define CHAKRA_CORE_PATCH_VERSION 18
+#define CHAKRA_CORE_PATCH_VERSION 19
 #define CHAKRA_CORE_VERSION_RELEASE_QFE 0 // Redundant with PATCH_VERSION. Keep this value set to 0.
 
 // -------------
diff --git a/lib/Runtime/ByteCode/ScopeInfo.cpp b/lib/Runtime/ByteCode/ScopeInfo.cpp
@@ -194,6 +194,23 @@ namespace Js
         ScopeInfo * scopeInfo = ScopeInfo::SaveScopeInfo(byteCodeGenerator, currentScope, byteCodeGenerator->GetScriptContext());
         if (scopeInfo != nullptr)
         {
+            if (funcInfo->root->IsDeclaredInParamScope())
+            {
+                FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo();
+                Assert(func);
+
+                if (func->IsBodyAndParamScopeMerged())
+                {
+                    Assert(currentScope == func->GetParamScope() && currentScope->GetScopeType() == ScopeType_Parameter);
+                    Assert(scopeInfo->GetScopeType() == ScopeType_Parameter);
+                    Assert(func->GetBodyScope());
+
+                    // If the current function is nested in the param scope of it's enclosing function we may have
+                    // skipped the body scope and in may not be the scope stack but the body scope might still be
+                    // in the frame display and we will need to account for it. See ByteCodeGenerateor::FindScopeForSym.
+                    scopeInfo->mustInstantiate = func->GetBodyScope()->GetMustInstantiate();
+                }
+            }
             funcInfo->byteCodeFunction->SetScopeInfo(scopeInfo);
         }
     }
