From 53d001770145179475b4994842065542bd473263 Mon Sep 17 00:00:00 2001 
From: Marek Habersack
Date: Tue, 26 May 2020 13:25:33 +0000
Subject: [PATCH] [reflection] Check whether a pointer is valid before dereferencing (#19839)

`Xamarin.Android` native runtime calls `mono_reflection_type_from_name` and passes `NULL` as the `image` parameter. The parameter is then propagated all the way to `_mono_reflection_get_type_from_info` where, in case the assembly isn't loaded yet, it is used to obtain the base directory of the assembly. However, since the `image` parameter is `NULL` in our case, an attempt to dereference it causes a segfault:

libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4c0 in tid 11029 (ompanyname.app3), pid 11029 (ompanyname.app3)
crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
/system/bin/tombstoned: received crash request for pid 11029
crash_dump64: performing dump of process 11029 (target tid = 11029)
DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
DEBUG : Build fingerprint: 'google/sdk_gphone_x86_64/generic_x86_64:10/QSR1.190920.001/5891938:user/release-keys'
DEBUG : Revision: '0'
DEBUG : ABI: 'x86_64'
DEBUG : Timestamp: 2020-05-25 14:45:29+0200
DEBUG : pid: 11029, tid: 11029, name: ompanyname.app3 >>> com.companyname.app3 <<<
DEBUG : uid: 10134
DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4c0
DEBUG : Cause: null pointer dereference
DEBUG : rax 000000000000002f rbx 0000000000000001 rcx 0000000000000000 rdx 0000000000000030
DEBUG : r8 0000000000000003 r9 000000000013e2e2 r10 0173eed800000000 r11 0000000000000206
DEBUG : r12 0000000000000000 r13 00007478530343c0 r14 00007478075eda33 r15 000074780763efb0
DEBUG : rdi 0000000000000000 rsi 00007478e2cb14d0
DEBUG : rbp 00007ffef3a35680 rsp 00007ffef3a355d0 rip 0000747807a4066a
DEBUG :
DEBUG : backtrace:
DEBUG : #00 pc 00000000003ba66a /data/app/com.companyname.app3-aQUF6Ge6_v-WaLb5i8Q7vw==/lib/x86_64/libmonosgen-2.0.so (_mono_reflection_get_type_from_info+474)
DEBUG : #01 pc 00000000003ba3d1
/data/app/com.companyname.app3-aQUF6Ge6_v-WaLb5i8Q7vw==/lib/x86_64/libmonosgen-2.0.so (mono_reflection_type_from_name_checked+321) DEBUG : #02 pc 00000000003ba26d /data/app/com.companyname.app3-aQUF6Ge6_v-WaLb5i8Q7vw==/lib/x86_64/libmonosgen-2.0.so (mono_reflection_type_from_name+125) DEBUG : #03 pc 000000000000ddb5 /data/app/com.companyname.app3-aQUF6Ge6_v-WaLb5i8Q7vw==/lib/x86_64/libmonodroid.so (xamarin::android::internal::EmbeddedAssemblies::typemap_java_to_managed(char const*)+389) (BuildId: 9952f1cfe0d910ae631abc73479f88eef34fd71d) DEBUG : #04 pc 000000000000def3 /data/app/com.companyname.app3-aQUF6Ge6_v-WaLb5i8Q7vw==/lib/x86_64/libmonodroid.so (xamarin::android::internal::EmbeddedAssemblies::typemap_java_to_managed(_MonoString*)+99) (BuildId: 9952f1cfe0d910ae631abc73479f88eef34fd71d) DEBUG : #05 pc 0000000000069532 Even though this happens in `Xamarin.Android`, the error may occur for any embedding application which passes `NULL` for the `image` parameter in situation when the assembly isn't in memory yet. --- mono/metadata/reflection.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mono/metadata/reflection.c b/mono/metadata/reflection.c index c6f2d7fd3340..c28ce829a499 100644 --- a/mono/metadata/reflection.c +++ b/mono/metadata/reflection.c @@ -1958,7 +1958,7 @@ _mono_reflection_get_type_from_info (MonoAssemblyLoadContext *alc, MonoTypeNameP MonoAssemblyByNameRequest req; mono_assembly_request_prepare_byname (&req, MONO_ASMCTX_DEFAULT, alc); req.requesting_assembly = NULL; - req.basedir = image->assembly->basedir; + req.basedir = image ? image->assembly->basedir : NULL; assembly = mono_assembly_request_byname (&info->assembly, &req, NULL); if (!assembly) return NULL;
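Review bot: the ternary on the changed line guards `image` but still dereferences `image->assembly` unconditionally; if the function can ever be reached with an image whose `assembly` field is not yet set, the same null-pointer fault would recur one level down, so please confirm that invariant or extend the check to `image && image->assembly`. Two smaller points on the same hunk: `req.requesting_assembly` is already set to `NULL` on the line above, so a `NULL` `basedir` is presumably the matching "no caller context" case for `mono_assembly_request_byname`, but a one-line comment stating that (and that the byname lookup then falls back to its default probing) would save the next reader from re-deriving it; and since the commit message says embedders may legitimately pass `NULL` for `image`, the doc comment on the public `mono_reflection_type_from_name` entry point should say so explicitly. A regression test that calls `mono_reflection_type_from_name` with a `NULL` image for an assembly that is not yet loaded would lock in the fix, as this path currently only surfaces as a crash in the embedding application.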