DotNetTools: Fix unaligned ETW crash #2369

Author: dmex

plugins/DotNetTools/asmpage.c

@@ -1085,11 +1085,10 @@ static ULONG StartDotNetTrace(
     bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + DotNetLoggerName.Length + sizeof(UNICODE_NULL);
     properties = PhAllocateZero(bufferSize);
     properties->Wnode.BufferSize = bufferSize;
-    properties->Wnode.ClientContext = 1;
+    properties->Wnode.ClientContext = EVENT_TRACE_CLOCK_RAW;
     properties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
     properties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_USE_PAGED_MEMORY;
     properties->EnableFlags = EVENT_TRACE_FLAG_NO_SYSCONFIG;
-    properties->LogFileNameOffset = 0;
     properties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
 
     result = StartTrace(&sessionHandle, DotNetLoggerName.Buffer, properties);
@@ -1133,8 +1132,38 @@ static ULONG NTAPI DotNetBufferCallback(
     return TRUE;
 }
 
-static VOID NTAPI DotNetEventCallback(
-    _In_ PEVENT_RECORD EventRecord
+PPH_STRING DnCreateStringSafe(
+    _In_ UNALIGNED PWSTR UnalignedString
+    )
+{
+    if (IS_ALIGNED(UnalignedString, MAX_NATURAL_ALIGNMENT))
+    {
+        // Address is aligned, access directly
+
+        return PhCreateString(UnalignedString);
+    }
+    else // if (((ULONG_PTR)UnalignedString % sizeof(PWSTR)) != 0)
+    {
+        SIZE_T alignedLength = 0;
+        WCHAR alignedBuffer[0x400];
+
+        // Address is not aligned, use memcpy to access the string.
+
+        while (UnalignedString[alignedLength] != UNICODE_NULL && alignedLength < RTL_NUMBER_OF(alignedBuffer) - sizeof(UNICODE_NULL))
+        {
+            alignedLength++;
+        }
+
+        memcpy(alignedBuffer, UnalignedString, alignedLength * sizeof(WCHAR));
+        alignedBuffer[alignedLength] = UNICODE_NULL;
+
+        return PhCreateString(alignedBuffer);
+    }
+}
+
+static VOID DotNetUserDataCallback(
+    _In_ PEVENT_RECORD EventRecord,
+    _In_ PVOID UserData
     )
 {
     PASMPAGE_QUERY_CONTEXT context = EventRecord->UserContext;
@@ -1149,7 +1178,7 @@ static VOID NTAPI DotNetEventCallback(
         {
         case RuntimeInformationDCStart:
             {
-                PRuntimeInformationRundown data = EventRecord->UserData;
+                PRuntimeInformationRundown data = UserData;
                 PDNA_NODE node;
                 PPH_STRING startupFlagsString;
                 PPH_STRING startupModeString;
@@ -1186,24 +1215,28 @@ static VOID NTAPI DotNetEventCallback(
                     PhDereferenceObject(startupFlagsString);
                 }
 
-                if (data->CommandLine[0])
-                    node->PathText = PhCreateString(data->CommandLine);
-
+                node->PathText = DnCreateStringSafe(PTR_ADD_OFFSET(UserData, RTL_SIZEOF_THROUGH_FIELD(RuntimeInformationRundown, StartupMode)));
                 node->RootNode = TRUE;
                 node->Node.Expanded = TRUE;
                 PhAddItemList(context->NodeRootList, node);
             }
             break;
         case AppDomainDCStart_V1:
             {
-                PAppDomainLoadUnloadRundown_V1 data = EventRecord->UserData;
-                SIZE_T appDomainNameLength;
+                static CONST PH_STRINGREF appDomainString = PH_STRINGREF_INIT(L"AppDomain: ");
+                PAppDomainLoadUnloadRundown_V1 data = UserData;
+                UNALIGNED PVOID offset;
+                PPH_STRING appDomainNameString;
+                PPH_STRING displayNameString;
                 USHORT clrInstanceID;
                 PDNA_NODE parentNode;
                 PDNA_NODE node;
 
-                appDomainNameLength = PhCountStringZ(data->AppDomainName) * sizeof(WCHAR);
-                clrInstanceID = *(PUSHORT)PTR_ADD_OFFSET(data, FIELD_OFFSET(AppDomainLoadUnloadRundown_V1, AppDomainName) + appDomainNameLength + sizeof(UNICODE_NULL) + sizeof(ULONG));
+                offset = PTR_ADD_OFFSET(UserData, RTL_SIZEOF_THROUGH_FIELD(AppDomainLoadUnloadRundown_V1, AppDomainFlags));
+                appDomainNameString = DnCreateStringSafe(offset);
+                displayNameString = PhConcatStringRef2(&appDomainString, &appDomainNameString->sr);
+                offset = PTR_ADD_OFFSET(offset, appDomainNameString->Length + sizeof(UNICODE_NULL) + sizeof(ULONG));
+                clrInstanceID = *(UNALIGNED PUSHORT)offset;
 
                 // Find the CLR node to add the AppDomain node to.
                 parentNode = FindClrNode(context, clrInstanceID);
@@ -1212,94 +1245,124 @@ static VOID NTAPI DotNetEventCallback(
                 {
                     // Check for duplicates.
                     if (FindAppDomainNode(parentNode, data->AppDomainID))
+                    {
+                        PhDereferenceObject(displayNameString);
+                        PhDereferenceObject(appDomainNameString);
                         break;
+                    }
 
                     node = AddNode(context);
                     node->Type = DNA_TYPE_APPDOMAIN;
                     node->u.AppDomain.AppDomainID = data->AppDomainID;
                     node->u.AppDomain.AppDomainFlags = data->AppDomainFlags;
-                    node->u.AppDomain.DisplayName = PhConcatStrings2(L"AppDomain: ", data->AppDomainName);
+                    node->u.AppDomain.DisplayName = displayNameString;
                     node->StructureText = node->u.AppDomain.DisplayName->sr;
                     node->IdText = FormatToHexString(data->AppDomainID);
                     node->FlagsText = FlagsToString(data->AppDomainFlags, AppDomainFlagsMap, sizeof(AppDomainFlagsMap));
 
                     node->RootNode = TRUE; // HACK
                     node->Node.Expanded = TRUE;
                     PhAddItemList(parentNode->Children, node);
+
+                    PhDereferenceObject(appDomainNameString);
+                }
+                else
+                {
+                    PhDereferenceObject(displayNameString);
+                    PhDereferenceObject(appDomainNameString);
                 }
             }
             break;
         case AssemblyDCStart_V1:
             {
-                PAssemblyLoadUnloadRundown_V1 data = EventRecord->UserData;
-                SIZE_T fullyQualifiedAssemblyNameLength;
+                PAssemblyLoadUnloadRundown_V1 data = UserData;
+                UNALIGNED PVOID offset;
+                PPH_STRING assemblyNameString;
                 USHORT clrInstanceID;
                 PDNA_NODE parentNode;
                 PDNA_NODE node;
                 PH_STRINGREF remainingPart;
 
-                fullyQualifiedAssemblyNameLength = PhCountStringZ(data->FullyQualifiedAssemblyName) * sizeof(WCHAR);
-                clrInstanceID = *(PUSHORT)PTR_ADD_OFFSET(data, FIELD_OFFSET(AssemblyLoadUnloadRundown_V1, FullyQualifiedAssemblyName) + fullyQualifiedAssemblyNameLength + sizeof(UNICODE_NULL));
+                offset = PTR_ADD_OFFSET(UserData, RTL_SIZEOF_THROUGH_FIELD(AssemblyLoadUnloadRundown_V1, AssemblyFlags));
+                assemblyNameString = DnCreateStringSafe(offset);
+                offset = PTR_ADD_OFFSET(offset, assemblyNameString->Length + sizeof(UNICODE_NULL));
+                clrInstanceID = *(UNALIGNED PUSHORT)offset;
 
                 // Find the AppDomain node to add the Assembly node to.
 
                 parentNode = FindClrNode(context, clrInstanceID);
 
                 if (parentNode)
+                {
                     parentNode = FindAppDomainNode(parentNode, data->AppDomainID);
+                }
 
                 if (parentNode)
                 {
                     // Check for duplicates.
                     if (FindAssemblyNode(parentNode, data->AssemblyID))
+                    {
+                        PhDereferenceObject(assemblyNameString);
                         break;
+                    }
 
                     node = AddNode(context);
                     node->Type = DNA_TYPE_ASSEMBLY;
                     node->u.Assembly.AssemblyID = data->AssemblyID;
                     node->u.Assembly.AssemblyFlags = data->AssemblyFlags;
-                    node->u.Assembly.FullyQualifiedAssemblyName = PhCreateStringEx(data->FullyQualifiedAssemblyName, fullyQualifiedAssemblyNameLength);
+                    node->u.Assembly.FullyQualifiedAssemblyName = assemblyNameString;
 
                     // Display only the assembly name, not the whole fully qualified name.
                     if (!PhSplitStringRefAtChar(&node->u.Assembly.FullyQualifiedAssemblyName->sr, L',', &node->StructureText, &remainingPart))
+                    {
                         node->StructureText = node->u.Assembly.FullyQualifiedAssemblyName->sr;
+                    }
 
                     node->IdText = FormatToHexString(data->AssemblyID);
                     node->FlagsText = FlagsToString(data->AssemblyFlags, AssemblyFlagsMap, sizeof(AssemblyFlagsMap));
 
                     PhAddItemList(parentNode->Children, node);
                 }
+                else
+                {
+                    PhDereferenceObject(assemblyNameString);
+                }
             }
             break;
         case ModuleDCStart_V1:
             {
-                PModuleLoadUnloadRundown_V1 data = EventRecord->UserData;
-                PCWSTR moduleILPath;
-                SIZE_T moduleILPathLength;
-                PCWSTR moduleNativePath;
-                SIZE_T moduleNativePathLength;
+                PModuleLoadUnloadRundown_V1 data = UserData;
+                UNALIGNED PVOID offset;
+                PPH_STRING moduleILPathString;
+                PPH_STRING moduleNativeString;
                 USHORT clrInstanceID;
                 PDNA_NODE node;
 
-                moduleILPath = data->ModuleILPath;
-                moduleILPathLength = PhCountStringZ(moduleILPath) * sizeof(WCHAR);
-                moduleNativePath = PTR_ADD_OFFSET(moduleILPath, moduleILPathLength + sizeof(UNICODE_NULL));
-                moduleNativePathLength = PhCountStringZ(moduleNativePath) * sizeof(WCHAR);
-                clrInstanceID = *(PUSHORT)PTR_ADD_OFFSET(moduleNativePath, moduleNativePathLength + sizeof(UNICODE_NULL));
+                offset = PTR_ADD_OFFSET(UserData, RTL_SIZEOF_THROUGH_FIELD(ModuleLoadUnloadRundown_V1, Reserved1));
+                moduleILPathString = DnCreateStringSafe(offset);
+                offset = PTR_ADD_OFFSET(offset, moduleILPathString->Length + sizeof(UNICODE_NULL));
+                moduleNativeString = DnCreateStringSafe(offset);
+                offset = PTR_ADD_OFFSET(offset, moduleNativeString->Length + sizeof(UNICODE_NULL));
+                clrInstanceID = *(UNALIGNED PUSHORT)offset;
 
                 // Find the Assembly node to set the path on.
 
                 node = FindClrNode(context, clrInstanceID);
 
                 if (node)
+                {
                     node = FindAssemblyNode2(node, data->AssemblyID);
+                }
 
                 if (node)
                 {
-                    PhMoveReference(&node->PathText, PhCreateStringEx(moduleILPath, moduleILPathLength));
-
-                    if (moduleNativePathLength != 0)
-                        PhMoveReference(&node->NativePathText, PhCreateStringEx(moduleNativePath, moduleNativePathLength));
+                    PhMoveReference(&node->PathText, moduleILPathString);
+                    PhMoveReference(&node->NativePathText, moduleNativeString);
+                }
+                else
+                {
+                    PhDereferenceObject(moduleNativeString);
+                    PhDereferenceObject(moduleILPathString);
                 }
             }
             break;
@@ -1321,29 +1384,26 @@ static VOID NTAPI DotNetEventCallback(
             {
             case CLR_MODULEDCSTART_OPCODE:
                 {
-                    PModuleLoadUnloadRundown_V1 data = EventRecord->UserData;
-                    PWSTR moduleILPath;
-                    SIZE_T moduleILPathLength;
-                    PWSTR moduleNativePath;
-                    SIZE_T moduleNativePathLength;
+                    PModuleLoadUnloadRundown_V1 data = UserData;
+                    UNALIGNED PVOID offset;
+                    PPH_STRING moduleILPathString;
+                    PPH_STRING moduleNativeString;
                     PDNA_NODE node;
                     ULONG_PTR indexOfBackslash;
                     ULONG_PTR indexOfLastDot;
 
-                    moduleILPath = data->ModuleILPath;
-                    moduleILPathLength = PhCountStringZ(moduleILPath) * sizeof(WCHAR);
-                    moduleNativePath = PTR_ADD_OFFSET(moduleILPath, moduleILPathLength + sizeof(UNICODE_NULL));
-                    moduleNativePathLength = PhCountStringZ(moduleNativePath) * sizeof(WCHAR);
+                    offset = PTR_ADD_OFFSET(UserData, RTL_SIZEOF_THROUGH_FIELD(ModuleLoadUnloadRundown_V1, Reserved1));
+                    moduleILPathString = DnCreateStringSafe(offset);
+                    offset = PTR_ADD_OFFSET(offset, moduleILPathString->Length + sizeof(UNICODE_NULL));
+                    moduleNativeString = DnCreateStringSafe(offset);
 
-                    if (context->ClrV2Node && (moduleILPathLength != 0 || moduleNativePathLength != 0))
+                    if (context->ClrV2Node && (moduleILPathString->Length != 0 || moduleNativeString->Length != 0))
                     {
                         node = AddNode(context);
                         node->Type = DNA_TYPE_ASSEMBLY;
                         node->FlagsText = FlagsToString(data->ModuleFlags, ModuleFlagsMap, sizeof(ModuleFlagsMap));
-                        node->PathText = PhCreateStringEx(moduleILPath, moduleILPathLength);
-
-                        if (moduleNativePathLength != 0)
-                            node->NativePathText = PhCreateStringEx(moduleNativePath, moduleNativePathLength);
+                        node->PathText = moduleILPathString;
+                        node->NativePathText = moduleNativeString;
 
                         // Use the name between the last backslash and the last dot for the structure column text.
                         // (E.g. C:\...\AcmeSoft.BigLib.dll -> AcmeSoft.BigLib)
@@ -1371,6 +1431,11 @@ static VOID NTAPI DotNetEventCallback(
 
                         PhAddItemList(context->ClrV2Node->Children, node);
                     }
+                    else
+                    {
+                        PhDereferenceObject(moduleNativeString);
+                        PhDereferenceObject(moduleILPathString);
+                    }
                 }
                 break;
             case CLR_METHODDC_DCSTARTCOMPLETE_OPCODE:
@@ -1386,6 +1451,41 @@ static VOID NTAPI DotNetEventCallback(
     }
 }
 
+static VOID NTAPI DotNetEventCallback(
+    _In_ PEVENT_RECORD EventRecord
+    )
+{
+    if (EventRecord->UserDataLength)
+    {
+        // Note: ETW does not force an alignment between event data values.
+
+        if (EventRecord->UserDataLength != ROUND_TO_SIZE(EventRecord->UserDataLength, MEMORY_ALLOCATION_ALIGNMENT))
+        {
+            PVOID alignedUserData;
+
+            alignedUserData = _aligned_malloc(EventRecord->UserDataLength, MEMORY_ALLOCATION_ALIGNMENT);
+
+            if (alignedUserData)
+            {
+                RtlSecureZeroMemory(alignedUserData, EventRecord->UserDataLength);
+                RtlCopyMemory(alignedUserData, EventRecord->UserData, EventRecord->UserDataLength);
+
+                DotNetUserDataCallback(EventRecord, alignedUserData);
+
+                _aligned_free(alignedUserData);
+            }
+        }
+        else
+        {
+            DotNetUserDataCallback(EventRecord, EventRecord->UserData);
+        }
+    }
+    else
+    {
+        DotNetUserDataCallback(EventRecord, EventRecord->UserData);
+    }
+}
+
 static ULONG ProcessDotNetTrace(
     _In_ PASMPAGE_QUERY_CONTEXT Context
     )

plugins/DotNetTools/clr/dbgappdomain.h

@@ -26,7 +26,7 @@
 typedef struct _AppDomainInfo
 {
     ULONG Id;             // unique identifier
-    INT NameLengthInBytes;
+    LONG NameLengthInBytes;
     PWSTR AppDomainName;
     PVOID AppDomains;
 } AppDomainInfo;
@@ -38,7 +38,7 @@ typedef struct _AppDomainInfo
 typedef struct _AppDomainInfo_Wow64
 {
     ULONG Id;             // unique identifier
-    INT NameLengthInBytes;
+    LONG NameLengthInBytes;
     ULONG AppDomainName;
     ULONG AppDomains;
 } AppDomainInfo_Wow64;
@@ -54,12 +54,12 @@ typedef struct _AppDomainEnumerationIPCBlock
 {
     HANDLE Mutex;                 // lock for serialization while manipulating AppDomain list.
 
-    INT TotalSlots;                  // Number of slots in AppDomainListElement array
-    INT NumOfUsedSlots;
-    INT LastFreedSlot;
-    INT SizeInBytes;                 // Size of AppDomainInfo in bytes
+    LONG TotalSlots;                  // Number of slots in AppDomainListElement array
+    LONG NumOfUsedSlots;
+    LONG LastFreedSlot;
+    LONG SizeInBytes;                 // Size of AppDomainInfo in bytes
 
-    INT ProcessNameLengthInBytes;    // We can use psapi!GetModuleFileNameEx to get the module name.
+    LONG ProcessNameLengthInBytes;    // We can use psapi!GetModuleFileNameEx to get the module name.
     PVOID ProcessName;               // This provides an alternative.
 
     PVOID ListOfAppDomains;
@@ -74,12 +74,12 @@ typedef struct _AppDomainEnumerationIPCBlock_Wow64
 {
     ULONG Mutex;                    // lock for serialization while manipulating AppDomain list.
 
-    INT TotalSlots;                 // Number of slots in AppDomainListElement array
-    INT NumOfUsedSlots;
-    INT LastFreedSlot;
-    INT SizeInBytes;                // Size of AppDomainInfo in bytes
+    LONG TotalSlots;                 // Number of slots in AppDomainListElement array
+    LONG NumOfUsedSlots;
+    LONG LastFreedSlot;
+    LONG SizeInBytes;                // Size of AppDomainInfo in bytes
 
-    INT ProcessNameLengthInBytes;   // We can use psapi!GetModuleFileNameEx to get the module name.
+    LONG ProcessNameLengthInBytes;   // We can use psapi!GetModuleFileNameEx to get the module name.
     ULONG ProcessName;              // This provides an alternative.
 
     ULONG ListOfAppDomains;