dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Issues with malformed cyclical TypeSpec #4945

Open nguerrera opened 8 years ago

nguerrera commented 8 years ago

In the process of developing signature parsing facilities for System.Reflection.Metadata, I came across some discrepancies in the CLI specification vs. various signature parsing implementations.

My notes on that are here: https://github.com/dotnet/corefx/pull/5435

One such discrepancy is that the specification states that the encoded token following CMOD_OPT/CMOD_REQ is a TypeDef or TypeRef, but it can be TypeSpec in practice.

This opens up a loophole to cycles as TypeSpecs can contain modifiers, and modifiers can contain TypeSpecs. I put together some quick code to create such bad TypeSpecs here in https://github.com/nguerrera/signature-repros and experimented with ilasm, peverify, and running the resulting programs.

Repro steps

  1. git clone https://github.com/nguerrera/signature-repros
  2. cd signature-repros
  3. build.bat
  4. ildasm SignatureCycle1.exe
  5. peverify SignatureCycle1.exe
  6. SignatureCycle1.exe
  7. repeat steps 4-6 for SignatureCycle2.exe and SignatureCycle3.exe

Expected results

For all 3 programs:

If the particular program causes the runtime to have to inspect the bad modifier's contents rather than just skip the bad TypeSpec token:
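
The cycle described in the report, as an added example that is not part of the issue, the signature-repros repository or the dotnet/runtime code: a minimal decoder for the ECMA-335 `CustomMod* Type` shape in which a CMOD_OPT/CMOD_REQD is followed by a TypeDefOrRefOrSpecEncoded token. When that token's tag selects a TypeSpec, the referenced TypeSpec blob can itself carry a modifier pointing back, so a decoder that only skips the token terminates while one that inspects the referenced TypeSpec must track the rows on its current path or recurse forever. The TypeSpec table below is a constructed dict, the element-type values and the compressed-integer and coded-token layouts follow ECMA-335 II.23.2, and the `inspect` flag and the tree shapes returned are this example's own conventions, not an API of any real metadata reader.

```python
# Added example (not code from dotnet/runtime or the repro repository): a minimal
# decoder for the ECMA-335 "CustomMod* Type" shape that shows how a CMOD_OPT /
# CMOD_REQD token pointing at a TypeSpec can form a cycle, and how a decoder that
# merely skips the token differs from one that inspects the referenced TypeSpec
# and therefore needs cycle detection. The TypeSpec "table" is a constructed dict.

ELEMENT_TYPE_I4 = 0x08
ELEMENT_TYPE_SZARRAY = 0x1D
ELEMENT_TYPE_CMOD_REQD = 0x1F
ELEMENT_TYPE_CMOD_OPT = 0x20

# TypeDefOrRefOrSpecEncoded tags (ECMA-335 II.23.2.8): low two bits of the token.
TAG_TYPEDEF, TAG_TYPEREF, TAG_TYPESPEC = 0, 1, 2
TAG_NAMES = {TAG_TYPEDEF: "typedef", TAG_TYPEREF: "typeref", TAG_TYPESPEC: "typespec"}


class SignatureCycleError(ValueError):
    """Raised when following modifier tokens leads back to a TypeSpec already on the path."""


def compress_uint(value):
    """ECMA-335 II.23.2 compressed unsigned integer (1, 2 or 4 bytes)."""
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([0x80 | (value >> 8), value & 0xFF])
    if value < 0x20000000:
        return bytes([0xC0 | (value >> 24), (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF])
    raise ValueError("value too large for compressed encoding")


def read_compressed_uint(blob, pos):
    """Inverse of compress_uint; returns (value, next_pos)."""
    b0 = blob[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | blob[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        return (((b0 & 0x1F) << 24) | (blob[pos + 1] << 16)
                | (blob[pos + 2] << 8) | blob[pos + 3]), pos + 4
    raise ValueError("invalid compressed integer lead byte")


def coded_token(tag, row):
    """Encode a TypeDefOrRefOrSpecEncoded token: (row << 2 | tag), then compressed."""
    return compress_uint((row << 2) | tag)


def decode_type(blob, typespecs, inspect, pos=0, visiting=frozenset()):
    """Decode 'CustomMod* Type' from blob[pos:], returning (tree, next_pos).

    typespecs: constructed stand-in for the TypeSpec table, row -> signature blob.
    inspect:   False = record the modifier's token and move on (skip it);
               True  = resolve a TypeSpec token and decode its blob, tracking the
                       rows on the current path so a cycle raises instead of looping.
    """
    mods = []
    while blob[pos] in (ELEMENT_TYPE_CMOD_OPT, ELEMENT_TYPE_CMOD_REQD):
        kind = "modopt" if blob[pos] == ELEMENT_TYPE_CMOD_OPT else "modreq"
        token, pos = read_compressed_uint(blob, pos + 1)
        tag, row = token & 3, token >> 2
        if tag == TAG_TYPESPEC and inspect:
            if row in visiting:
                raise SignatureCycleError(f"TypeSpec row {row} reached again via a custom modifier")
            inner, _ = decode_type(typespecs[row], typespecs, True, 0, visiting | {row})
            mods.append((kind, "typespec", row, inner))
        else:
            mods.append((kind, TAG_NAMES[tag], row))
    elem = blob[pos]
    pos += 1
    if elem == ELEMENT_TYPE_I4:
        return ("i4", mods), pos
    if elem == ELEMENT_TYPE_SZARRAY:
        inner, pos = decode_type(blob, typespecs, inspect, pos, visiting)
        return ("szarray", mods, inner), pos
    raise ValueError(f"unsupported element type 0x{elem:02x}")


def decode_typespec(row, typespecs, inspect):
    """Decode TypeSpec `row`, seeding the path with the row itself."""
    tree, _ = decode_type(typespecs[row], typespecs, inspect, 0, frozenset({row}))
    return tree


# Constructed TypeSpec table for the demonstration (row -> blob).
TYPESPECS = {
    # Row 1: modopt(TypeRef 5) int32, the shape the spec text allows.
    1: bytes([ELEMENT_TYPE_CMOD_OPT]) + coded_token(TAG_TYPEREF, 5) + bytes([ELEMENT_TYPE_I4]),
    # Rows 2 and 3 modify each other through TypeSpec tokens: a two-row cycle.
    2: bytes([ELEMENT_TYPE_CMOD_OPT]) + coded_token(TAG_TYPESPEC, 3) + bytes([ELEMENT_TYPE_I4]),
    3: bytes([ELEMENT_TYPE_CMOD_REQD]) + coded_token(TAG_TYPESPEC, 2) + bytes([ELEMENT_TYPE_I4]),
    # Row 4: an array whose element type's modifier points at row 4 itself.
    4: bytes([ELEMENT_TYPE_SZARRAY, ELEMENT_TYPE_CMOD_OPT]) + coded_token(TAG_TYPESPEC, 4) + bytes([ELEMENT_TYPE_I4]),
}


def demo(row, inspect):
    """Return the decoded tree, or the string 'cycle' if inspection hit a cycle."""
    try:
        return decode_typespec(row, TYPESPECS, inspect)
    except SignatureCycleError:
        return "cycle"


if __name__ == "__main__":
    for row in TYPESPECS:
        print(row, "skip:", demo(row, False), "| inspect:", demo(row, True))
```

With `inspect=False` every row decodes, because the TypeSpec token is just recorded; with `inspect=True` rows 2, 3 and 4 raise, which is the distinction the report draws between a consumer that skips the bad token and one that has to look inside it. A decoder without the `visiting` set would recurse until it exhausted the stack on those rows.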

mangod9 commented 4 years ago

Moving to 6 to triage.