diff --git a/bin/ChakraCore/ChakraCore.def b/bin/ChakraCore/ChakraCore.def
index 9d711da..71a3110 100644
--- a/bin/ChakraCore/ChakraCore.def
+++ b/bin/ChakraCore/ChakraCore.def
@@ -58,3 +58,5 @@ JsReleaseSharedArrayBufferContentHandle
JsLessThan
JsLessThanOrEqual
+
+ConnectJITServer
\ No newline at end of file
diff --git a/bin/ChakraCore/TestHooks.cpp b/bin/ChakraCore/TestHooks.cpp
index 4f962a7..4cfc614 100644
--- a/bin/ChakraCore/TestHooks.cpp
+++ b/bin/ChakraCore/TestHooks.cpp
@@ -5,6 +5,12 @@
#include "Runtime.h"
#include "TestHooks.h"
+void __stdcall ConnectJITServer(HANDLE processHandle, void* serverSecurityDescriptor, UUID connectionId)
+{
+ JITManager::GetJITManager()->EnableOOPJIT();
+ ThreadContext::SetJITConnectionInfo(processHandle, serverSecurityDescriptor, connectionId);
+}
+
#ifdef ENABLE_TEST_HOOKS
HRESULT __stdcall SetConfigFlags(__in int argc, __in_ecount(argc) LPWSTR argv[], ICustomConfigFlags* customConfigFlags)
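Review bot: `ConnectJITServer` at the top of the hunk is compiled and exported unconditionally, while `SetConfigFlags` right below it sits under `#ifdef ENABLE_TEST_HOOKS`; together with the new `ConnectJITServer` line in ChakraCore.def (first hunk) this turns what was reached through the test interface into a permanent public entry point of ChakraCore.dll that takes a process handle and a security descriptor from any caller and hands them to `ThreadContext::SetJITConnectionInfo` without any check. If only ch's test path needs it, move the definition inside the `#ifdef ENABLE_TEST_HOOKS` block and keep the export out of non-test builds the same way the other hooks are (how the .def is filtered per build is not visible here). Otherwise it at least needs a header comment stating the contract, e.g. `// NOTE(review): enables OOP JIT for the whole process and stores the JIT server handle/connection; document who may call this and who owns processHandle.` `SetConfigFlags` continues outside the hunk.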
diff --git a/bin/ch/HostConfigFlagsList.h b/bin/ch/HostConfigFlagsList.h
index a2fa5bd..6f39314 100644
--- a/bin/ch/HostConfigFlagsList.h
+++ b/bin/ch/HostConfigFlagsList.h
@@ -9,7 +9,7 @@ FLAG(bool, DebugLaunch, "Create the test debugger and execut
FLAG(BSTR, GenerateLibraryByteCodeHeader, "Generate bytecode header file from library code", NULL)
FLAG(int, InspectMaxStringLength, "Max string length to dump in locals inspection", 16)
FLAG(BSTR, Serialized, "If source is UTF8, deserializes from bytecode file", NULL)
-FLAG(bool, OOPJIT, "Run JIT in a separate process", false)
+FLAG(bool, OOPJIT, "Run JIT in a separate process", true)
FLAG(bool, EnsureCloseJITServer, "JIT process will be force closed when ch is terminated", true)
FLAG(bool, IgnoreScriptErrorCode, "Don't return error code on script error", false)
FLAG(bool, MuteHostErrorMsg, "Mute host error output, e.g. module load failures", false)
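Review bot: Flipping the `OOPJIT` default to `true` means every ch invocation now starts the RPC JIT server and runs the new `LoadLibrary`/`GetProcAddress` path in ch.cpp, so any failure in that path (see the ch.cpp hunk) becomes the default experience rather than an opt-in one, and the help string `"Run JIT in a separate process"` no longer tells the user this is on by default. Either keep `false` until the ch.cpp path checks its results, or amend the description to `"Run JIT in a separate process (default on; pass -OOPJIT- to disable)"` if the flag syntax supports that form — I am inferring the negation syntax, so confirm against the flag parser.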
diff --git a/bin/ch/ch.cpp b/bin/ch/ch.cpp
index 914e4e7..08067d6 100644
--- a/bin/ch/ch.cpp
+++ b/bin/ch/ch.cpp
@@ -944,6 +944,7 @@ int main(int argc, char** c_argv)
}
#else
#define PAL_Shutdown()
+typedef void(__stdcall *FNConnectJITServer)(HANDLE, void*, UUID);
int _cdecl wmain(int argc, __in_ecount(argc) LPWSTR argv[])
{
#endif
@@ -1109,7 +1110,8 @@ int _cdecl wmain(int argc, __in_ecount(argc) LPWSTR argv[])
{
// TODO: Error checking
JITProcessManager::StartRpcServer(argc, argv);
- ChakraRTInterface::ConnectJITServer(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
+ FNConnectJITServer cjs = (FNConnectJITServer)GetProcAddress(LoadLibrary(L"ChakraCore.dll"), "ConnectJITServer");
+ cjs(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
}
#endif
HANDLE threadHandle;
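Review bot: The function pointer obtained on the `FNConnectJITServer cjs = ...` line is invoked on the next line without checking either `LoadLibrary` or `GetProcAddress` for a null result, so a missing DLL or a ChakraCore.dll built without the new export crashes ch through a null call right after `JITProcessManager::StartRpcServer` has already spawned the server process; the `// TODO: Error checking` above now covers a second failure point. Loading by bare name `L"ChakraCore.dll"` also resolves through the default DLL search order instead of whatever module the host already bound via `ChakraRTInterface` (not visible here, so I am inferring that it is already resident), and the C-style cast should be a `reinterpret_cast`. Check both results, fail with a message, and prefer `GetModuleHandle` when the DLL is already loaded, as in the rewrite below. `wmain` continues outside the hunk.
```cpp
JITProcessManager::StartRpcServer(argc, argv);
// NOTE(review): assumes ChakraRTInterface already loaded ChakraCore.dll — confirm; fall back to a full-path LoadLibrary if not.
HMODULE chakraCore = GetModuleHandle(L"ChakraCore.dll");
FNConnectJITServer cjs = chakraCore != nullptr
    ? reinterpret_cast<FNConnectJITServer>(GetProcAddress(chakraCore, "ConnectJITServer"))
    : nullptr;
if (cjs == nullptr)
{
    fwprintf(stderr, L"FATAL ERROR: ConnectJITServer export not found in ChakraCore.dll\n");
    return EXIT_FAILURE; // TODO(review): also stop the JIT server started above if ch has a helper for that
}
cjs(JITProcessManager::GetRpcProccessHandle(), nullptr, JITProcessManager::GetRpcConnectionId());
```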
diff --git a/bin/ch/ch.vcxproj b/bin/ch/ch.vcxproj
index e07267a..b362a4a 100644
--- a/bin/ch/ch.vcxproj
+++ b/bin/ch/ch.vcxproj
@@ -27,6 +27,7 @@
$(IntDir);
%(AdditionalIncludeDirectories);
</AdditionalIncludeDirectories>
+ <ControlFlowGuard Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Guard</ControlFlowGuard>
</ClCompile>
<Link>
<ModuleDefinitionFile>ch.def</ModuleDefinitionFile>
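Review bot: The new `<ControlFlowGuard>` element is conditioned on `Release|x64` only, so Debug, Test and x86 builds of ch keep compiling without CFG, and because it is placed under `<ClCompile>` alone, whether the linker also receives the matching guard flag in this configuration depends on the toolset defaults (not visible here) and is worth verifying in the build log. If the intent is to harden the host, drop the condition or move the setting into the project's shared property sheet so every configuration gets it consistently. Note this protects ch.exe only; no change to the ChakraCore.dll project appears in this diff.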
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index f0fa97c..2a1b3c8 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -9607,9 +9607,9 @@ namespace Js
JavascriptNumber::ToVar(k, scriptContext),
obj));
- if (newArr && isBuiltinArrayCtor)
+ if (newArr)
{
- newArr->SetItem((uint32)k, mappedValue, PropertyOperation_None);
+ newArr->DirectSetItemAt((uint32)k, mappedValue); // CVE-2016-7190
}
else
{
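Review bot: Dropping `isBuiltinArrayCtor` from the condition and switching to `newArr->DirectSetItemAt` removes the only check that `newArr` is a genuine native array before the raw element write; when the result array came from a non-builtin constructor (the case the old guard excluded, judging by the flag name), `DirectSetItemAt` now writes into an object whose layout it does not verify, and the `// CVE-2016-7190` comment on that line names exactly the fix being reverted. The JavascriptArray.inl hunk compounds this by commenting out the `Assert_FailFast` type check inside `DirectSetItemAt<Var>`, so the fail-fast that would have caught the mismatch is gone as well. If this is a deliberately vulnerable research build, say so on the line, e.g. `// INTENTIONAL: reintroduces CVE-2016-7190 for testing; never merge to a shipping branch`, and keep it off release branches; otherwise restore `if (newArr && isBuiltinArrayCtor)` and `newArr->SetItem((uint32)k, mappedValue, PropertyOperation_None);`. The enclosing map implementation starts and ends outside the hunk.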
diff --git a/lib/Runtime/Library/JavascriptArray.inl b/lib/Runtime/Library/JavascriptArray.inl
index 0311267..026fac5 100644
--- a/lib/Runtime/Library/JavascriptArray.inl
+++ b/lib/Runtime/Library/JavascriptArray.inl
@@ -440,7 +440,7 @@ namespace Js
template <>
inline void JavascriptArray::DirectSetItemAt<Var>(uint32 itemIndex, Var newValue)
{
- Assert_FailFast(this->GetTypeId() == TypeIds_Array || this->GetTypeId() == TypeIds_ES5Array);
+ // Assert_FailFast(this->GetTypeId() == TypeIds_Array || this->GetTypeId() == TypeIds_ES5Array);
Assert(itemIndex < InvalidIndex); // Otherwise the code below could overflow and set length = 0