Uploaded image for project: 'Spring.NET'
  1. Spring.NET
  2. SPRNET-1368

CacheResultAdvice may return incompatible objects

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Complete
    • Affects Version/s: 1.2.0, 1.3.0, 1.3.1
    • Fix Version/s: 1.3.1
    • Component/s: Spring-NET-AOP
    • Labels:
      None

      Description

      CacheResultAdvice does not validate an object returned by the underlying ICache implementation before allowing it to be returned. If a rogue object happens to be inserted into the cache, the aspect could return that object when it isn't compatible with the return type on the method signature. If the object returned is smaller than the expected type, access to fields on the expected type will exceed the bounds of the actual instance leading to access violations or unitialized memory being accessed by managed code. This can cause the .NET Runtime to crash with access violations or result in other unexpected errors.

      Since this bug can trigger the .NET runtime to crash with an access violation, it should be treated as severe.

      There are two primary ways this bug can be triggered.

      First, this can happen when there is a cache collision (i.e., two methods use the same cache key to store values of different types).

      Second, CacheResultAdvice caches null values by comparing a cached value with a static field on CacheResultAdvice (NullValue). If the ICache implementation uses serialization (for example a SQL cache, or memcached, etc.), it will return a different instance of System.Object. This will cause CacheResultAdvice to return that instance of System.Object instead of detecting that a null value was stored in the cache.

      The supplied patch against [email protected] includes unit tests to illustrate both problems and provides a fix.

        Activity

        lordtrumpet Chris Eldredge created issue -
        sbohlen Steve Bohlen made changes -
        Field Original Value New Value
        Assignee Mark Pollack [ mark.pollack ] Steve Bohlen [ sbohlen ]
        sbohlen Steve Bohlen made changes -
        Fix Version/s 1.3.1 [ 11377 ]
        sbohlen Steve Bohlen made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        sbohlen Steve Bohlen made changes -
        Priority Major [ 3 ] Blocker [ 1 ]
        sbohlen Steve Bohlen made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Complete [ 8 ]
        sbohlen Steve Bohlen made changes -
        Description CacheResultAdvice does not validate an object returned by the underlying ICache implementation before allowing it to be returned. If a rogue object happens to be inserted into the cache, the aspect could return that object when it isn't compatible with the return type on the method signature. If the object returned is smaller than the expected type, access to fields on the expected type will exceed the bounds of the actual instance leading to access violations or unitialized memory being accessed by managed code. This can cause the .NET Runtime to crash with access violations or result in other unexpected errors.

        Since this bug can trigger the .NET runtime to crash with an access violation, it should be treated as severe.

        There are two primary ways this bug can be triggered.

        First, this can happen when there is a cache collision (i.e., two methods use the same cache key to store values of different types).

        Second, CacheResultAdvice caches null values by comparing a cached value with a static field on CacheResultAdvice (NullValue). If the ICache implementation uses serialization (for example a SQL cache, or memcached, etc.), it will return a different instance of System.Object. This will cause CacheResultAdvice to return that instance of System.Object instead of detecting that a null value was stored in the cache.

        The supplied patch against [email protected] includes unit tests to illustrate both problems and provides a fix.

        CacheResultAdvice does not validate an object returned by the underlying ICache implementation before allowing it to be returned. If a rogue object happens to be inserted into the cache, the aspect could return that object when it isn't compatible with the return type on the method signature. If the object returned is smaller than the expected type, access to fields on the expected type will exceed the bounds of the actual instance leading to access violations or unitialized memory being accessed by managed code. This can cause the .NET Runtime to crash with access violations or result in other unexpected errors.


        Since this bug can trigger the .NET runtime to crash with an access violation, it should be treated as severe.


        There are two primary ways this bug can be triggered.


        First, this can happen when there is a cache collision (i.e., two methods use the same cache key to store values of different types).


        Second, CacheResultAdvice caches null values by comparing a cached value with a static field on CacheResultAdvice (NullValue). If the ICache implementation uses serialization (for example a SQL cache, or memcached, etc.), it will return a different instance of System.Object. This will cause CacheResultAdvice to return that instance of System.Object instead of detecting that a null value was stored in the cache.


        The supplied patch against [email protected] includes unit tests to illustrate both problems and provides a fix.

          People

          • Assignee:
            sbohlen Steve Bohlen
            Reporter:
            lordtrumpet Chris Eldredge
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: