dotnet / runtime


Value (List<string>)value, which can have null value due to comparison with null, is dereferenced inside function _servicePrincipalNames.Load(). #94753

Open achufistov opened 10 months ago

achufistov commented 10 months ago

Description

Dotnet 6.0

File: /src/libraries/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/Computer.cs:120

Problem: Value `(List<string>)value`, which can have null value due to comparison with null, is dereferenced inside function `_servicePrincipalNames.Load()`.

Reproduction Steps

Trace:

1) Role: detected
   detected [Computer.cs:[120:0]]

2) Role: compared with null
   Comparison `value == null` of value `(List<string>)value` with null implies that `(List<string>)value` can have null value [Computer.cs:[115:128]]

3) Role: dereference
   3.1 Value `(List<string>)value` is dereferenced inside invocation `_servicePrincipalNames.Load((List<string>)value)` [Computer.cs:[120:21]]
   3.2 Value `values` is dereferenced at `values.Count` [ValueCollection.cs:[377:102]]

4) Role: execution path
   4.1 Step 1: Condition `value == null` taking true branch [Computer.cs:[115:128]]
   4.2 Step 2: Condition `propertyName == PropertyNames.ComputerServicePrincipalNames` taking true branch [Computer.cs:[119:23]]

Expected behavior

null pointer dereference

Actual behavior

same

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

Found by Linux Verification Center (linuxtesting.org) with SVACE.
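
A minimal C# model of the path in the trace above, added here as an illustration and not taken from the dotnet/runtime source. `SpnCollection`, `Demo`, `LoadOrEmpty` and the property-name constant are hypothetical, and treating a null list as "no values" is an assumed policy:

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the collection whose Load() reads values.Count.
sealed class SpnCollection
{
    private readonly List<string> _items = new List<string>();
    public int Count => _items.Count;

    // Unguarded: dereferences its argument, as in trace step 3.2.
    public void Load(List<string> values)
    {
        for (int i = 0; i < values.Count; i++) _items.Add(values[i]);
    }

    // Guarded (assumed policy): a null list leaves the collection empty.
    public void LoadOrEmpty(List<string>? values)
    {
        _items.Clear();
        if (values is null) return;
        _items.AddRange(values);
    }
}

static class Demo
{
    const string ServicePrincipalNames = "Computer.ServicePrincipalNames"; // constructed key

    static void LoadValueIntoProperty(SpnCollection spns, string propertyName, object? value, bool guarded)
    {
        // This comparison is what tells an analyzer that value may be null (trace step 2).
        string shown = value == null ? "null" : value.ToString() ?? "";
        Console.WriteLine("load " + propertyName + " value=" + shown);
        if (propertyName != ServicePrincipalNames) return;
        // Casting null to a reference type succeeds; the failure surfaces inside Load().
        if (guarded) spns.LoadOrEmpty((List<string>?)value);
        else spns.Load((List<string>)value!);
    }

    static void Main()
    {
        var spns = new SpnCollection();
        LoadValueIntoProperty(spns, ServicePrincipalNames, null, guarded: true);
        Console.WriteLine("guarded: " + spns.Count + " entries");
        try { LoadValueIntoProperty(spns, ServicePrincipalNames, null, guarded: false); }
        catch (NullReferenceException) { Console.WriteLine("unguarded: NullReferenceException"); }
    }
}
```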

ghost commented 10 months ago

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

Issue Details
Author: achufistov
Assignees: -
Labels: `area-System.DirectoryServices`, `untriaged`
Milestone: -

buyaa-n commented 10 months ago

This method has several overrides, and the virtual method on the parent type looks safe for a null value. There are 2 cases where it is called with null explicitly: https://github.com/dotnet/runtime/blob/52b4c824710b6bcf2377ebd986fdd01195b8cb1f/src/libraries/System.DirectoryServices.AccountManagement/src/System/DirectoryServices/AccountManagement/AD/ADStoreCtx_LoadStore.cs#L838

In general, whether the method has a nullability issue or not should be determined during nullability annotation for the project, which is tracked by https://github.com/dotnet/runtime/issues/41720. I think we should close this issue as a dup of #41720, what do you think @achufistov?