[CVE-2018-8315] Add guards for speculation on non-jit operations

Penguinwizzard · MikeHolman · commit e03b3e30160a · 2018-09-11T09:47:03.000-07:00
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -3809,6 +3809,7 @@ using namespace Js;
 
     Var JavascriptOperators::OP_GetElementI(Var instance, Var index, ScriptContext* scriptContext)
     {
+        instance = BreakSpeculation(instance);
         if (TaggedInt::Is(index))
         {
             return GetElementIIntIndex(instance, index, scriptContext);
diff --git a/lib/Runtime/Library/JavascriptFunction.cpp b/lib/Runtime/Library/JavascriptFunction.cpp
@@ -1155,6 +1155,18 @@ using namespace Js;
     template Var JavascriptFunction::CallFunction<false>(RecyclableObject* function, JavascriptMethod entryPoint, Arguments args, bool useLargeArgCount);
 
 #if _M_IX86
+    extern "C" Var BreakSpeculation(Var passthrough)
+    {
+        Var result = nullptr;
+        __asm
+        {
+            mov ecx, passthrough;
+            cmp ecx, ecx;
+            cmove eax, ecx;
+            mov result, eax;
+        }
+        return result;
+    }
 #ifdef ASMJS_PLAT
     template <> int JavascriptFunction::CallAsmJsFunction<int>(RecyclableObject * function, JavascriptMethod entryPoint, Var * argv, uint argsSize, byte* reg)
     {
@@ -1350,6 +1362,11 @@ void __cdecl _alloca_probe_16()
         extern Var arm_CallFunction(JavascriptFunction* function, CallInfo info, uint argCount, Var* values, JavascriptMethod entryPoint);
     }
 
+    extern "C" Var BreakSpeculation(Var passthrough)
+    {
+        return passthrough;
+    }
+
     template <bool doStackProbe>
     Var JavascriptFunction::CallFunction(RecyclableObject* function, JavascriptMethod entryPoint, Arguments args, bool useLargeArgCount)
     {
diff --git a/lib/Runtime/Library/JavascriptFunction.h b/lib/Runtime/Library/JavascriptFunction.h
@@ -34,6 +34,8 @@ namespace Js
    extern "C" Var amd64_CallFunction(RecyclableObject *function, JavascriptMethod entryPoint, CallInfo callInfo, uint argc, Var *argv);
 #endif
 
+    extern "C" Var BreakSpeculation(Var passthroughObject);
+
     class JavascriptFunction : public DynamicObject
     {
     private:
diff --git a/lib/Runtime/Library/JavascriptString.cpp b/lib/Runtime/Library/JavascriptString.cpp
@@ -747,6 +747,7 @@ namespace Js
         Var value;
         if (pThis->GetItemAt(idxPosition, &value))
         {
+            value = BreakSpeculation(value);
             return value;
         }
         else
@@ -795,7 +796,7 @@ namespace Js
             return scriptContext->GetLibrary()->GetNaN();
         }
 
-        return TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition));
+        return BreakSpeculation(TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition)));
     }
 
     Var JavascriptString::EntryCodePointAt(RecyclableObject* function, CallInfo callInfo, ...)
@@ -1849,6 +1850,9 @@ namespace Js
         {
             idxEnd = idxStart;
         }
+
+        pThis = (JavascriptString*)BreakSpeculation(pThis);
+
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);
     }
 
@@ -1968,6 +1972,8 @@ namespace Js
             return pThis;
         }
 
+        pThis = (JavascriptString*)BreakSpeculation(pThis);
+
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);
     }
 
@@ -2024,6 +2030,8 @@ namespace Js
             return pThis;
         }
 
+        pThis = (JavascriptString*)BreakSpeculation(pThis);
+
         Assert(0 <= idxStart && idxStart <= idxEnd && idxEnd <= len);
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);
     }
diff --git a/lib/Runtime/Library/amd64/JavascriptFunctionA.S b/lib/Runtime/Library/amd64/JavascriptFunctionA.S
@@ -235,3 +235,10 @@ NESTED_ENTRY _ZN2Js18JavascriptFunction24DeferredDeserializeThunkEPNS_16Recyclab
         jmp rax
 
 NESTED_END _ZN2Js18JavascriptFunction24DeferredDeserializeThunkEPNS_16RecyclableObjectENS_8CallInfoEz, _TEXT
+
+.balign 16
+NESTED_ENTRY BreakSpeculation, _TEXT, NoHandler
+        cmp rdi, rdi
+        cmove rax, rdi
+        ret
+NESTED_END BreakSpeculation, _TEXT
diff --git a/lib/Runtime/Library/amd64/JavascriptFunctionA.asm b/lib/Runtime/Library/amd64/JavascriptFunctionA.asm
@@ -411,5 +411,12 @@ endif
         rex_jmp_reg rax
 ?DeferredDeserializeThunk@JavascriptFunction@Js@@SAPEAXPEAVRecyclableObject@2@UCallInfo@2@ZZ ENDP
 
+align 16
+BreakSpeculation PROC
+        cmp rcx, rcx
+        cmove rax, rcx
+        ret
+BreakSpeculation ENDP
+
         _TEXT ENDS
         end
diff --git a/lib/Runtime/Library/arm64/arm64_CallFunction.asm b/lib/Runtime/Library/arm64/arm64_CallFunction.asm
@@ -96,4 +96,10 @@ CopyLoop
 
     NESTED_END
 
+    NESTED_ENTRY BreakSpeculation
+    cmp x0, x0
+    cseleq x0, x0, x0
+    ret
+    NESTED_END
+
     END

Original file line number	Diff line number	Diff line change
`@@ -3809,6 +3809,7 @@ using namespace Js;`
`3809`	`3809`
`3810`	`3810`	`Var JavascriptOperators::OP_GetElementI(Var instance, Var index, ScriptContext* scriptContext)`
`3811`	`3811`	`{`
	`3812`	`+ instance = BreakSpeculation(instance);`
`3812`	`3813`	`if (TaggedInt::Is(index))`
`3813`	`3814`	`{`
`3814`	`3815`	`return GetElementIIntIndex(instance, index, scriptContext);`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ namespace Js`
`34`	`34`	`extern "C" Var amd64_CallFunction(RecyclableObject function, JavascriptMethod entryPoint, CallInfo callInfo, uint argc, Var argv);`
`35`	`35`	`#endif`
`36`	`36`
	`37`	`+ extern "C" Var BreakSpeculation(Var passthroughObject);`
	`38`	`+`
`37`	`39`	`class JavascriptFunction : public DynamicObject`
`38`	`40`	`{`
`39`	`41`	`private:`
Original file line number	Diff line number	Diff line change
`@@ -747,6 +747,7 @@ namespace Js`
`747`	`747`	`Var value;`
`748`	`748`	`if (pThis->GetItemAt(idxPosition, &value))`
`749`	`749`	`{`
	`750`	`+ value = BreakSpeculation(value);`
`750`	`751`	`return value;`
`751`	`752`	`}`
`752`	`753`	`else`
`@@ -795,7 +796,7 @@ namespace Js`
`795`	`796`	`return scriptContext->GetLibrary()->GetNaN();`
`796`	`797`	`}`
`797`	`798`
`798`		`- return TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition));`
	`799`	`+ return BreakSpeculation(TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition)));`
`799`	`800`	`}`
`800`	`801`
`801`	`802`	`Var JavascriptString::EntryCodePointAt(RecyclableObject* function, CallInfo callInfo, ...)`
`@@ -1849,6 +1850,9 @@ namespace Js`
`1849`	`1850`	`{`
`1850`	`1851`	`idxEnd = idxStart;`
`1851`	`1852`	`}`
	`1853`	`+`
	`1854`	`+ pThis = (JavascriptString*)BreakSpeculation(pThis);`
	`1855`	`+`
`1852`	`1856`	`return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);`
`1853`	`1857`	`}`
`1854`	`1858`
`@@ -1968,6 +1972,8 @@ namespace Js`
`1968`	`1972`	`return pThis;`
`1969`	`1973`	`}`
`1970`	`1974`
	`1975`	`+ pThis = (JavascriptString*)BreakSpeculation(pThis);`
	`1976`	`+`
`1971`	`1977`	`return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);`
`1972`	`1978`	`}`
`1973`	`1979`
`@@ -2024,6 +2030,8 @@ namespace Js`
`2024`	`2030`	`return pThis;`
`2025`	`2031`	`}`
`2026`	`2032`
	`2033`	`+ pThis = (JavascriptString*)BreakSpeculation(pThis);`
	`2034`	`+`
`2027`	`2035`	`Assert(0 <= idxStart && idxStart <= idxEnd && idxEnd <= len);`
`2028`	`2036`	`return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);`
`2029`	`2037`	`}`