[ASM] ensure struct is on the stack before passing to native code (#5882)

robertpi · web-flow · commit 05da9f965d54 · 2024-08-13T14:09:46.000+02:00
## Summary of changes

Some crashes where reported where the stack trace showed the error
occurred in the WAF, with the call starting in
`Waf.UpdateWafAndDispose`. A review of this method spotted that a
pointer to a struct stored in a object field was being passed to the
WAF. This meant the GC might move the object, which could potentially
lead to a crash.
diff --git a/tracer/src/Datadog.Trace/AppSec/Waf/Waf.cs b/tracer/src/Datadog.Trace/AppSec/Waf/Waf.cs
@@ -136,7 +136,8 @@ private unsafe UpdateResult UpdateWafAndDispose(IEncodeResult updateData)
             var diagnosticsValue = new DdwafObjectStruct { Type = DDWAF_OBJ_TYPE.DDWAF_OBJ_MAP };
             try
             {
-                var newHandle = _wafLibraryInvoker.Update(_wafHandle, ref updateData.ResultDdwafObject, ref diagnosticsValue);
+                var updateObject = updateData.ResultDdwafObject;
+                var newHandle = _wafLibraryInvoker.Update(_wafHandle, ref updateObject, ref diagnosticsValue);
                 if (newHandle != IntPtr.Zero)
                 {
                     var oldHandle = _wafHandle;
diff --git a/tracer/src/Datadog.Trace/AppSec/WafEncoding/Encoder.cs b/tracer/src/Datadog.Trace/AppSec/WafEncoding/Encoder.cs
@@ -690,7 +690,7 @@ internal EncodeResult(List<IntPtr> pointers, UnmanagedMemoryPool pool, ref Ddwaf
                 _result = result;
             }
 
-            public ref DdwafObjectStruct ResultDdwafObject => ref _result;
+            public DdwafObjectStruct ResultDdwafObject => _result;
 
             public void Dispose()
             {
diff --git a/tracer/src/Datadog.Trace/AppSec/WafEncoding/EncoderLegacy.cs b/tracer/src/Datadog.Trace/AppSec/WafEncoding/EncoderLegacy.cs
@@ -334,7 +334,7 @@ internal EncodeResult(DdwafObjectStruct obj, WafLibraryInvoker wafLibraryInvoker
             _wafLibraryInvoker = wafLibraryInvoker;
         }
 
-        public ref DdwafObjectStruct ResultDdwafObject => ref _resultDdwafObject;
+        public DdwafObjectStruct ResultDdwafObject => _resultDdwafObject;
 
         public void Dispose() => _wafLibraryInvoker.ObjectFree(ref _resultDdwafObject);
     }
diff --git a/tracer/src/Datadog.Trace/AppSec/WafEncoding/IEncodeResult.cs b/tracer/src/Datadog.Trace/AppSec/WafEncoding/IEncodeResult.cs
@@ -10,5 +10,5 @@ namespace Datadog.Trace.AppSec.WafEncoding;
 
 internal interface IEncodeResult : IDisposable
 {
-    public ref DdwafObjectStruct ResultDdwafObject { get; }
+    public DdwafObjectStruct ResultDdwafObject { get; }
 }

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,8 @@ private unsafe UpdateResult UpdateWafAndDispose(IEncodeResult updateData)`
`136`	`136`	`var diagnosticsValue = new DdwafObjectStruct { Type = DDWAF_OBJ_TYPE.DDWAF_OBJ_MAP };`
`137`	`137`	`try`
`138`	`138`	`{`
`139`		`- var newHandle = _wafLibraryInvoker.Update(_wafHandle, ref updateData.ResultDdwafObject, ref diagnosticsValue);`
	`139`	`+ var updateObject = updateData.ResultDdwafObject;`
	`140`	`+ var newHandle = _wafLibraryInvoker.Update(_wafHandle, ref updateObject, ref diagnosticsValue);`
`140`	`141`	`if (newHandle != IntPtr.Zero)`
`141`	`142`	`{`
`142`	`143`	`var oldHandle = _wafHandle;`
Original file line number	Diff line number	Diff line change
`@@ -690,7 +690,7 @@ internal EncodeResult(List<IntPtr> pointers, UnmanagedMemoryPool pool, ref Ddwaf`
`690`	`690`	`_result = result;`
`691`	`691`	`}`
`692`	`692`
`693`		`- public ref DdwafObjectStruct ResultDdwafObject => ref _result;`
	`693`	`+ public DdwafObjectStruct ResultDdwafObject => _result;`
`694`	`694`
`695`	`695`	`public void Dispose()`
`696`	`696`	`{`
Original file line number	Diff line number	Diff line change
`@@ -334,7 +334,7 @@ internal EncodeResult(DdwafObjectStruct obj, WafLibraryInvoker wafLibraryInvoker`
`334`	`334`	`_wafLibraryInvoker = wafLibraryInvoker;`
`335`	`335`	`}`
`336`	`336`
`337`		`- public ref DdwafObjectStruct ResultDdwafObject => ref _resultDdwafObject;`
	`337`	`+ public DdwafObjectStruct ResultDdwafObject => _resultDdwafObject;`
`338`	`338`
`339`	`339`	`public void Dispose() => _wafLibraryInvoker.ObjectFree(ref _resultDdwafObject);`
`340`	`340`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,5 @@ namespace Datadog.Trace.AppSec.WafEncoding;`
`10`	`10`
`11`	`11`	`internal interface IEncodeResult : IDisposable`
`12`	`12`	`{`
`13`		`- public ref DdwafObjectStruct ResultDdwafObject { get; }`
	`13`	`+ public DdwafObjectStruct ResultDdwafObject { get; }`
`14`	`14`	`}`