Bypassing Serialization Binders with BinaryFormatter Mutation

Adam Sitnik · carlossanlop · commit 7ab201156d03 · 2024-06-11T16:37:25.000Z
diff --git a/src/libraries/System.Runtime.Serialization.Formatters/src/System/Runtime/Serialization/Formatters/Binary/BinaryObjectWriter.cs b/src/libraries/System.Runtime.Serialization.Formatters/src/System/Runtime/Serialization/Formatters/Binary/BinaryObjectWriter.cs
@@ -367,7 +367,7 @@ private void WriteMembers(NameInfo memberNameInfo,
                 return;
             }
 
-            if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!))
+            if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!, ref assignUniqueIdToValueType))
             {
                 if (outType == null)
                 {
@@ -616,10 +616,10 @@ private void WriteArrayMember(WriteObjectInfo objectInfo, NameInfo arrayElemType
                 actualTypeInfo._isArrayItem = true;
             }
 
-            if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!))
+            bool assignUniqueIdForValueTypes = false;
+            if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!, ref assignUniqueIdForValueTypes))
             {
                 object obj = data!;
-                bool assignUniqueIdForValueTypes = false;
                 if (ReferenceEquals(arrayElemTypeNameInfo._type, Converter.s_typeofObject))
                 {
                     assignUniqueIdForValueTypes = true;
@@ -799,11 +799,12 @@ private long Schedule(object obj, bool assignUniqueIdToValueType, Type? type, Wr
         }
 
         // Determines if a type is a primitive type, if it is it is written
-        private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data)
+        private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data, ref bool assignUniqueIdToValueType)
         {
             if (ReferenceEquals(typeNameInfo._type, Converter.s_typeofString))
             {
                 WriteString(memberNameInfo, typeNameInfo, data);
+                return true;
             }
             else
             {
@@ -817,18 +818,22 @@ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo
                     if (typeNameInfo._isArray) // null if an array
                     {
                         _serWriter.WriteItem(memberNameInfo, typeNameInfo, data);
+                        return true;
                     }
-                    else
+                    else if (memberNameInfo._type == typeNameInfo._type
+                        || memberNameInfo._type == typeof(object)
+                        || (memberNameInfo._type != null && Nullable.GetUnderlyingType(memberNameInfo._type) != null))
                     {
                         _serWriter.WriteMember(memberNameInfo, typeNameInfo, data);
+                        return true;
                     }
                 }
             }
 
-            return true;
+            assignUniqueIdToValueType = true;
+            return false;
         }
 
-
         // Writes an object reference to the stream.
         private void WriteObjectRef(NameInfo nameInfo, long objectId) =>
             _serWriter!.WriteMemberObjectRef(nameInfo, (int)objectId);
diff --git a/src/libraries/System.Runtime.Serialization.Formatters/tests/BinaryFormatterTests.cs b/src/libraries/System.Runtime.Serialization.Formatters/tests/BinaryFormatterTests.cs
@@ -536,6 +536,25 @@ public void Roundtrip_ArrayContainingArrayAtNonZeroLowerBound()
             BinaryFormatterHelpers.Clone(Array.CreateInstance(typeof(uint[]), new[] { 5 }, new[] { 1 }));
         }
 
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, ".NET Framework has not been patched yet.")]
+        public void BypassingSerializationBinders()
+        {
+            Tuple<IComparable, object> tuple = new Tuple<IComparable, object>(42, new byte[] { 1, 2, 3, 4 });
+            BinaryFormatter formatter = new BinaryFormatter();
+
+            using (MemoryStream stream = new MemoryStream())
+            {
+                formatter.Serialize(stream, tuple);
+
+                stream.Position = 0;
+
+                Tuple<IComparable, object> deserialized = (Tuple<IComparable, object>)formatter.Deserialize(stream);
+                Assert.Equal(tuple.Item1, deserialized.Item1);
+                Assert.Equal(tuple.Item2, deserialized.Item2);
+            }
+        }
+
         private static void ValidateEqualityComparer(object obj)
         {
             Type objType = obj.GetType();

Original file line number	Diff line number	Diff line change
`@@ -367,7 +367,7 @@ private void WriteMembers(NameInfo memberNameInfo,`
`367`	`367`	`return;`
`368`	`368`	`}`
`369`	`369`
`370`		`- if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!))`
	`370`	`+ if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!, ref assignUniqueIdToValueType))`
`371`	`371`	`{`
`372`	`372`	`if (outType == null)`
`373`	`373`	`{`
`@@ -616,10 +616,10 @@ private void WriteArrayMember(WriteObjectInfo objectInfo, NameInfo arrayElemType`
`616`	`616`	`actualTypeInfo._isArrayItem = true;`
`617`	`617`	`}`
`618`	`618`
`619`		`- if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!))`
	`619`	`+ bool assignUniqueIdForValueTypes = false;`
	`620`	`+ if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!, ref assignUniqueIdForValueTypes))`
`620`	`621`	`{`
`621`	`622`	`object obj = data!;`
`622`		`- bool assignUniqueIdForValueTypes = false;`
`623`	`623`	`if (ReferenceEquals(arrayElemTypeNameInfo._type, Converter.s_typeofObject))`
`624`	`624`	`{`
`625`	`625`	`assignUniqueIdForValueTypes = true;`
`@@ -799,11 +799,12 @@ private long Schedule(object obj, bool assignUniqueIdToValueType, Type? type, Wr`
`799`	`799`	`}`
`800`	`800`
`801`	`801`	`// Determines if a type is a primitive type, if it is it is written`
`802`		`- private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data)`
	`802`	`+ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data, ref bool assignUniqueIdToValueType)`
`803`	`803`	`{`
`804`	`804`	`if (ReferenceEquals(typeNameInfo._type, Converter.s_typeofString))`
`805`	`805`	`{`
`806`	`806`	`WriteString(memberNameInfo, typeNameInfo, data);`
	`807`	`+ return true;`
`807`	`808`	`}`
`808`	`809`	`else`
`809`	`810`	`{`
`@@ -817,18 +818,22 @@ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo`
`817`	`818`	`if (typeNameInfo._isArray) // null if an array`
`818`	`819`	`{`
`819`	`820`	`_serWriter.WriteItem(memberNameInfo, typeNameInfo, data);`
	`821`	`+ return true;`
`820`	`822`	`}`
`821`		`- else`
	`823`	`+ else if (memberNameInfo._type == typeNameInfo._type`
	`824`	`+ \|\| memberNameInfo._type == typeof(object)`
	`825`	`+ \|\| (memberNameInfo._type != null && Nullable.GetUnderlyingType(memberNameInfo._type) != null))`
`822`	`826`	`{`
`823`	`827`	`_serWriter.WriteMember(memberNameInfo, typeNameInfo, data);`
	`828`	`+ return true;`
`824`	`829`	`}`
`825`	`830`	`}`
`826`	`831`	`}`
`827`	`832`
`828`		`- return true;`
	`833`	`+ assignUniqueIdToValueType = true;`
	`834`	`+ return false;`
`829`	`835`	`}`
`830`	`836`
`831`		`-`
`832`	`837`	`// Writes an object reference to the stream.`
`833`	`838`	`private void WriteObjectRef(NameInfo nameInfo, long objectId) =>`
`834`	`839`	`_serWriter!.WriteMemberObjectRef(nameInfo, (int)objectId);`