Open
Description
If I had a malformed event pipe request, it could crash the runtime.
Reproduction Steps
Apply this patch to the dotnet/diagnostics repo to intentionally make a malformed eventpipe request:
diff --git a/src/Microsoft.Diagnostics.NETCore.Client/DiagnosticsClient/EventPipeSession.cs b/src/Microsoft.Diagnostics.NETCore.Client/DiagnosticsClient/EventPipeSession.cs
index 805298cf..c14ae293 100644
--- a/src/Microsoft.Diagnostics.NETCore.Client/DiagnosticsClient/EventPipeSession.cs
+++ b/src/Microsoft.Diagnostics.NETCore.Client/DiagnosticsClient/EventPipeSession.cs
@@ -111,7 +111,7 @@ private static IpcMessage CreateStartMessage(EventPipeSessionConfiguration confi
}
else
{
- command = EventPipeCommandId.CollectTracing2;
+ command = EventPipeCommandId.CollectTracing3;
payload = config.SerializeV2();
}
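Review bot: In the else branch, command is now EventPipeCommandId.CollectTracing3 while the payload on the following line is still built by config.SerializeV2(), so the command id and the payload format no longer agree. Since that mismatch is what makes the request malformed for this repro, add a comment at the assignment marking it as deliberate and repro-only, or pair the command with a matching serializer if the V3 command is actually meant to be sent.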
And then take a trace using dotnet-trace.
Expected behavior
The runtime should report a bad request error.
Actual behavior
The runtime crashed with this stack:
0:004> k
# Child-SP RetAddr Call Site
00 000000ca`4497fc40 00007ff8`912bd2c0 coreclr!ds_eventpipe_collect_tracing_command_payload_free+0x5f [D:\Dev\runtime\src\native\eventpipe\ds-eventpipe-protocol.c @ 296]
01 000000ca`4497fcc0 00007ff8`912b74a6 coreclr!eventpipe_collect_tracing3_command_try_parse_payload+0x1a0 [D:\Dev\runtime\src\native\eventpipe\ds-eventpipe-protocol.c @ 406]
02 000000ca`4497fd40 00007ff8`912b6834 coreclr!ds_ipc_message_try_parse_payload+0x96 [D:\Dev\runtime\src\native\eventpipe\ds-protocol.c @ 562]
03 000000ca`4497fd80 00007ff8`912c205d coreclr!ds_eventpipe_protocol_helper_handle_ipc_message+0xf4 [D:\Dev\runtime\src\native\eventpipe\ds-eventpipe-protocol.c @ 615]
04 000000ca`4497fdd0 00007ff9`3458257d coreclr!server_thread+0x2ed [D:\Dev\runtime\src\native\eventpipe\ds-server.c @ 158]
...
Regression?
No
Known Workarounds
There is no need for a workaround.
Configuration
windows, x64, debug.
But I don't see why it cannot repro on other platforms.
Other information
We confirmed that this is not a security bug - a malformed request can be issued only by an authenticated user.