tpa95 (Contributor) commented Jan 14, 2026

If under certain conditions op can take the value OP_LAST, an overflow will occur because the opidx array contains OP_LAST - OP_LOAD elements.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reporter: Pavel Tikhomirov ([email protected]).
Organization: Gazinformservice ([email protected]).

@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Jan 14, 2026
@github-actions github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Jan 14, 2026
vitek-karas (Member) left a comment

Thanks a lot - looks good to me.

@vitek-karas vitek-karas requested a review from BrzVlad January 14, 2026 08:24
BrzVlad (Member) commented Jan 14, 2026

@tpa95 Did this ever happen in practice somewhere? It would be asserting now, so that would need to be fixed as well.

tpa95 (Contributor, Author) commented Jan 14, 2026

@BrzVlad No, I didn’t observe it in practice; it was reported by static analysis (Svace) as a buffer overflow issue. OP_LAST is a sentinel and not a valid opcode to be passed to mono_inst_name(). Now, if op == OP_LAST we can index opidx out of bounds (op - OP_LOAD), which is UB. Changing the condition to op < OP_LAST avoids the buffer overflow.
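The off-by-one described in this thread, as an added example that is not Mono's code: a constructed opcode enum ending in a sentinel, a name table with exactly `OP_LAST - OP_LOAD` entries, the corrected `op < OP_LAST` bound, and a check showing that the old `op <= OP_LAST` test admits an index equal to the array length. The enum values, table contents and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Mono-style opcode range (not the real opcodes). */
enum {
    OP_LOAD = 100,      /* first opcode that has a name entry */
    OP_STORE,
    OP_ADD,
    OP_LAST             /* sentinel: one past the last valid opcode */
};

/* One name per valid opcode, so the table has OP_LAST - OP_LOAD elements
 * and the valid indices are 0 .. (OP_LAST - OP_LOAD) - 1. */
static const char *const opidx[OP_LAST - OP_LOAD] = { "load", "store", "add" };

/* Fixed lookup: OP_LAST is rejected because op - OP_LOAD would equal the
 * array length, one past the last element. */
static const char *op_name_fixed(int op)
{
    if (op >= OP_LOAD && op < OP_LAST)
        return opidx[op - OP_LOAD];
    return NULL;  /* not a valid opcode for naming */
}

/* Returns 1 if the pre-fix bound check (op <= OP_LAST) would accept an
 * index that lies outside opidx. The read itself is not performed. */
static int prefix_check_admits_oob(int op)
{
    size_t n = sizeof opidx / sizeof opidx[0];
    int accepted = (op >= OP_LOAD && op <= OP_LAST);   /* the buggy test */
    return accepted && (size_t)(op - OP_LOAD) >= n;
}
```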

@jkotas jkotas added area-Codegen-JIT-mono and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Jan 14, 2026
dotnet-policy-service (bot) commented

Tagging subscribers to this area: @steveisok, @vitek-karas
See info in area-owners.md if you want to be subscribed.

@BrzVlad BrzVlad merged commit ccd2679 into dotnet:main Jan 14, 2026
74 checks passed
@tpa95 tpa95 deleted the fix/mono-overflow-fix branch January 14, 2026 15:29