Bug 129768 (RESOLVED FIXED)
CVE-2014-1362 llint_slow_path_check_has_instance() should not adjust PC before accessing operands
https://bugs.webkit.org/show_bug.cgi?id=129768
Mark Lam
Reported 2014-03-05 18:06:36 PST
When evaluating "a instanceof b" where b is an object that ImplementsHasInstance and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow path llint_slow_path_check_has_instance(), and execute a code path that does the following:

1. Adjusts the byte code PC to the jump target PC.
2. For the purpose of storing the result, get the result registerIndex from the 1st operand using the PC as if the PC is still pointing to op_check_has_instance bytecode.

The result is that whatever value resides after where the jump target PC is will be used as a result register value. Depending on what that value is, the result can be:

1. the code coincidentally works correctly
2. memory corruption
3. crashes

The fix is to only adjust the byte code PC after we have stored the result.

ref: <rdar://problem/15394423>
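The ordering defect described in the report, as an added C model that is not JavaScriptCore's code: it assumes a constructed instruction layout (pc[1] is the dst register, pc[4] the jump offset), a STORE_RESULT macro standing in for LLINT_RETURN, and constructed bytecode in which op_ret follows the jump target, so the buggy order writes the result into whatever register op_ret's first operand happens to name.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model (not JSC code). Assumed layout: pc[0] opcode, pc[1] dst
 * register, pc[2] value register, pc[3] hasInstanceValue register, pc[4] jump offset. */
enum { OP_CHECK_HAS_INSTANCE = 1, OP_INSTANCEOF = 2, OP_RET = 3 };
#define NUM_REGS 8
typedef struct { int regs[NUM_REGS]; } Frame;
/* Stand-in for an LLINT_RETURN-style macro: the result register index is
 * whatever pc[1] is at the moment the macro runs. */
#define STORE_RESULT(frame, pc, val) ((frame)->regs[(pc)[1]] = (val))
/* Buggy ordering: pc is moved to the jump target first, so pc[1] is the first
 * operand of the target instruction, not dst of op_check_has_instance. */
static const int *check_has_instance_buggy(Frame *frame, const int *pc, int result)
{
    pc += pc[4];                      /* 1. adjust PC to jump target */
    STORE_RESULT(frame, pc, result);  /* 2. dst read through the wrong pc */
    return pc;
}
/* Fixed ordering: store the result via the current operands, then jump. */
static const int *check_has_instance_fixed(Frame *frame, const int *pc, int result)
{
    STORE_RESULT(frame, pc, result);  /* dst = pc[1] of op_check_has_instance */
    pc += pc[4];
    return pc;
}
/* Run one variant over constructed bytecode and report which register received
 * the result: the intended r2, or whatever pc[1] of the target op_ret names. */
static int result_register(int use_fixed)
{
    static const int code[] = {
        OP_CHECK_HAS_INSTANCE, 2, 0, 1, 9,  /* dst=r2 value=r0 base=r1 target=+9 */
        OP_INSTANCEOF,         2, 0, 1,     /* skipped when the slow path handles it */
        OP_RET,                6,           /* operand 6 is what the bug reads as dst */
    };
    const int sentinel = 0x1234;
    Frame frame;
    memset(&frame, 0, sizeof frame);
    const int *next = use_fixed ? check_has_instance_fixed(&frame, code, sentinel)
                                : check_has_instance_buggy(&frame, code, sentinel);
    if (next[0] != OP_RET) return -2;     /* both variants must land on op_ret */
    for (int r = 0; r < NUM_REGS; r++)
        if (frame.regs[r] == sentinel) return r;
    return -1;
}
int main(void)
{
    printf("buggy -> r%d, fixed -> r%d\n", result_register(0), result_register(1));
}
```

With a larger operand at the target (or a target lying past the end of the instruction stream) the same mis-indexed store becomes the out-of-bounds write the report calls memory corruption.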
Attachments
the patch. (5.75 KB, patch)
2014-03-05 18:27 PST, Mark Lam
no flags
Mark Lam
Comment 1 2014-03-05 18:27:49 PST
Created attachment 225934: the patch.
Mark Hahnenberg
Comment 2 2014-03-05 18:27:59 PST
You should audit the other uses of LLINT_RETURN to make sure we're not doing this in any other places.
Mark Lam
Comment 3 2014-03-05 18:30:02 PST
(In reply to comment #2)
> You should audit the other uses of LLINT_RETURN to make sure we're not doing this in any other places.

Already did. I audited adjustments made to the pc and made sure that they did not precede a LLINT_RETURN().
WebKit Commit Bot
Comment 4 2014-03-05 18:30:09 PST
Attachment 225934 did not pass style-queue:

ERROR: Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:125:  __r_returnValue is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
Total errors found: 1 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Hahnenberg
Comment 5 2014-03-05 18:30:28 PST
(In reply to comment #3)
> (In reply to comment #2)
> > You should audit the other uses of LLINT_RETURN to make sure we're not doing this in any other places.
>
> Already did. I audited adjustments made to the pc and made sure that they did not precede a LLINT_RETURN().

Cool :-)
Mark Hahnenberg
Comment 6 2014-03-05 18:32:43 PST
Comment on attachment 225934 (the patch.)

r=me
WebKit Commit Bot
Comment 7 2014-03-05 19:11:45 PST
Comment on attachment 225934 (the patch.)

Clearing flags on attachment: 225934

Committed r165162: <http://trac.webkit.org/changeset/165162>
WebKit Commit Bot
Comment 8 2014-03-05 19:11:48 PST
All reviewed patches have been landed. Closing bug.