Bug 25679

Summary: Memory leak and buffer overflow in get_gsharedvt_type()
Product: iOS Reporter: Maks <maksqwe1>
Component: XI runtimeAssignee: Zoltan Varga <vargaz>
Status: RESOLVED FIXED    
Severity: normal CC: mono-bugs+monotouch, sebastien
Priority: ---    
Version: master   
Target Milestone: Untriaged   
Hardware: PC   
OS: Windows   
Tags: Is this bug a regression?: ---
Last known good build:

Description Maks 2015-01-01 19:11:55 UTC
static MonoType*
get_gsharedvt_type (MonoType *t)
{
1:	MonoGenericParam *par = t->data.generic_param;
1:	MonoGenericParam *copy;
	MonoType *res;
	...
	if (par->owner) {
		...

2:		copy = mono_image_alloc0 (image, sizeof (MonoGenericParamFull));
3:		memcpy (copy, par, sizeof (MonoGenericParamFull));
	} else {
2:		copy = g_memdup (par, sizeof (MonoGenericParamFull));
	}
	...
}
--------------------------------------------------
1. t->data.generic_param, par, copy - are "MonoGenericParam" not "MonoGenericParamFull"
struct _MonoGenericParam {
	MonoGenericContainer *owner;
	guint16 num;
	guint16 serial;
	MonoImage *image;
};
sizeof(MonoGenericParam) = 12bytes (32bit build)

typedef struct {
	MonoGenericParam param;
	MonoGenericParamInfo info;
} MonoGenericParamFull;
sizeof(MonoGenericParamFull) = 32bytes (32bit build)

2. when mono_image_alloc0() or g_memdup() is called it allocates memory equal to "sizeof(MonoGenericParamFull) = 32bytes".
During the release resources of "MonoType *res" memory will be freed only by the number of bytes equal to sizeof(MonoGenericParam) = 12bytes. Memleak.
https://bugzilla.xamarin.com/show_bug.cgi?id=16787

3. Buffer overflow. memcpy will copy the bytes beyond(32-12=20bytes) "MonoGenericParam *par" to "MonoGenericParam *copy"(20bytes overflow)
Comment 1 Maks 2015-01-02 05:14:51 UTC
PR: https://github.com/mono/mono/pull/1487
Comment 2 Zoltan Varga 2015-01-02 18:01:09 UTC
Fixed in 102f316ae2db2cb242183d8ffb7b8b2793bbda98. generic_param is a MooGenericParamFull structure in most cases.