Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Latent type confusion bugs in .NET8/9 Mono #112395

Open
kg opened this issue Feb 11, 2025 · 0 comments
Open

Latent type confusion bugs in .NET8/9 Mono #112395

kg opened this issue Feb 11, 2025 · 0 comments
Labels
area-VM-meta-mono
Milestone
10.0.0

Comments

@kg
Copy link
Member

kg commented Feb 11, 2025
edited
Loading

During the development of #111645 I found various type confusion issues in our existing Mono source code. Backporting the fixes for these issues is not necessarily worth it since the resulting behavior change could expose new bugs or change application behavior, but it's worth tracking all of the latent issues here in case we need to fix them later to address customer-facing issues.

There are probably more errors of this type that I didn't find.

runtime/src/mono/mono/metadata/metadata.c

Line 7028 in 109c946

if ((m_class_get_element_class (type->data.klass) == mono_defaults.char_class) && !unicode)

type is either ARRAY or SZARRAY; the two types have different internal representations so the access to klass here is incorrect.

runtime/src/mono/mono/metadata/marshal.c

Line 6447 in 109c946

mono_unichar2 *utf16_array = g_utf8_to_utf16 ((const char *)ptr, arr->max_length, NULL, NULL, NULL);

utf16_array can be NULL and that scenario is not handled. The current implementation could potentially erroneously mess with the heap in the zero page on WASM; on other targets it should fail-fast.

runtime/src/mono/mono/mini/mini.c

Line 1068 in 109c946

/* Fall through */

runtime/src/mono/mono/mini/mini.c

Line 1379 in 109c946

/* Fall through */

runtime/src/mono/mono/mini/mini-amd64.c

Line 312 in 109c946

/* fall through */

The fallthrough from GENERICINST to VALUETYPE results in various accesses to klass being incorrect. Note that there are many functions with the same error.

runtime/src/mono/mono/mini/aot-runtime-wasm.c

Line 75 in 109c946

if (m_class_is_valuetype (t->data.klass)) {

The use of klass on a GENERICINST is incorrect.

runtime/src/mono/mono/mini/mini-generic-sharing.c

Line 3621 in 109c946

(sig->ret->type == MONO_TYPE_CLASS && !strcmp (m_class_get_name (sig->ret->data.generic_class->container_class), "Task")) ||

This copy-paste error treats as CLASS as a GENERICINST and as a result the comparison against Task will probably never succeed and could crash instead.

runtime/src/mono/mono/metadata/icall.c

Line 6596 in 109c946

MonoType blob_type;

runtime/src/mono/mono/metadata/reflection.c

Line 1033 in 109c946

MonoType blob_type;

These stack-allocated MonoTypes are not fully initialized which means the additional data in the type is random garbage from the stack.

runtime/src/mono/mono/metadata/reflection.c

Line 1045 in 109c946

blob_type.data.klass = mono_class_from_mono_type_internal (&blob_type);

This call to mono_class_from_mono_type_internal is being passed &blob_type which does not match the pattern from icall.c or from its neighboring calls, so it's possibly (but not certainly) an error.

runtime/src/mono/mono/eventpipe/ep-rt-mono-runtime-provider.c

Line 1557 in 109c946

case MONO_TYPE_ARRAY:

Fallthrough for ARRAY and SZARRAY is incorrect since they have different internal representations.
@kg kg added this to the 10.0.0 milestone Feb 11, 2025
kg added a commit that referenced this issue Feb 11, 2025
@kg
Guard members of MonoType union & fix related bugs (#111645)
6649e7f 
* Guard members of MonoType union behind type check helpers
* Add _unchecked to call sites that are obviously guarded correctly
* Fix type confusion in bulk_type_log_single_type
* Fix genericinst fallthrough treating a MonoGenericClass ptr as a MonoClass ptr
* Fix type confusion in amd64 mini
* Fix type confusion in aot-runtime-wasm
* Prune a dead goto to make unchecked safe
* Fix two cases where we were partially initializing a stack-allocated MonoType instead of fully initializing it
* See #112395 for detailed list of bugs fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-VM-meta-mono
Projects
None yet
Milestone
10.0.0
Development

No branches or pull requests
1 participant
@kg