CounterSet.CreateCounterSetInstance can stack overflow with excessive counters #110843

Open
vcsjones opened this issue Dec 19, 2024 · 1 comment · May be fixed by #110864
Labels
area-System.Diagnostics.PerformanceCounter in-pr There is an active PR which will close this issue when it is merged untriaged New issue has not been triaged by the area owner

Comments

@vcsjones
Member

This stackalloc can stack overflow as the size of it is unbounded, and depends on the number of counters in the CounterSet:

byte* CounterSetBuffer = stackalloc byte[(int)CounterSetInfoSize];

Despite the variable name being capitalized, it is not const and its final value depends on _idToCounter.Count.

Can be reproduced with:

using System;
using System.Diagnostics.PerformanceData;

#pragma warning disable // Whatever

CounterSet counterSet = new(Guid.NewGuid(), Guid.NewGuid(), CounterSetInstanceType.Single);   

for (int i = 0; i < 0x10000; i++)
{
    counterSet.AddCounter(i, CounterType.ElapsedTime);
}

counterSet.CreateCounterSetInstance("potato");

After a quick check with @GrabYourPitchforks, we do not think this is a DoS vulnerability since it is unlikely that the number of times AddCounter is called is driven by untrusted user input.

Nevertheless, the runtime stack overflowing from public APIs is probably not desirable.
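A common way to keep a caller-influenced size off the stack is to cap the `stackalloc` at a constant and take larger buffers from the heap. The following is an added example, not the runtime's code or the change in the linked pull request; `CounterSetLayout`, its size constants and the 1024-byte threshold are assumptions made for illustration.

```csharp
using System;
using System.Buffers;
using System.Buffers.Binary;

// Constructed inputs: a small set, and the 0x10000 counters used in the repro above.
Console.WriteLine(CounterSetLayout.Build(4));        // small enough for the stack path
Console.WriteLine(CounterSetLayout.Build(0x10000));  // takes the pooled heap path

static class CounterSetLayout
{
    // Hypothetical layout sizes for this example, not taken from the runtime source.
    const int HeaderBytes = 40;
    const int BytesPerCounter = 32;
    // Hypothetical cap on what may ever be taken from the thread stack.
    const int MaxStackBytes = 1024;

    // Builds a header-plus-records buffer and returns its size in bytes.
    public static int Build(int counterCount)
    {
        if (counterCount < 0)
            throw new ArgumentOutOfRangeException(nameof(counterCount));

        // checked: an overflowing size throws instead of wrapping to a small value.
        int size = checked(HeaderBytes + counterCount * BytesPerCounter);

        byte[]? rented = null;
        // The stackalloc length is a constant, so the counter count can never
        // grow the stack frame; anything larger comes from the array pool.
        Span<byte> buffer = size <= MaxStackBytes
            ? stackalloc byte[MaxStackBytes]
            : (rented = ArrayPool<byte>.Shared.Rent(size));
        try
        {
            buffer = buffer.Slice(0, size);
            buffer.Clear(); // rented arrays are not zeroed
            BinaryPrimitives.WriteInt32LittleEndian(buffer, size);
            BinaryPrimitives.WriteInt32LittleEndian(buffer.Slice(4), counterCount);
            for (int i = 0; i < counterCount; i++)
            {
                // First field of each record: the counter id.
                int offset = HeaderBytes + i * BytesPerCounter;
                BinaryPrimitives.WriteInt32LittleEndian(buffer.Slice(offset), i);
            }
            return buffer.Length;
        }
        finally
        {
            if (rented is not null)
                ArrayPool<byte>.Shared.Return(rented);
        }
    }
}
```

Code that must hand a pointer to a native API can pin the span with `fixed` inside an `unsafe` block; the bounded-allocation logic stays the same.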

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Dec 19, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-system-diagnostics-performancecounter
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones assigned vcsjones and unassigned vcsjones Dec 19, 2024
@EgorBo EgorBo linked a pull request Dec 20, 2024 that will close this issue
@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label Dec 20, 2024