Bypassing Serialization Binders with BinaryFormatter Mutation

Adam Sitnik · carlossanlop · commit d17e0d08ba87 · 2024-06-11T16:38:00.000Z
diff --git a/src/libraries/System.Runtime.Serialization.Formatters/src/System/Runtime/Serialization/Formatters/Binary/BinaryObjectWriter.cs b/src/libraries/System.Runtime.Serialization.Formatters/src/System/Runtime/Serialization/Formatters/Binary/BinaryObjectWriter.cs
@@ -375,7 +375,7 @@ private void WriteMembers(NameInfo memberNameInfo,
                 return;
             }
 
-            if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!))
+            if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!, ref assignUniqueIdToValueType))
             {
                 if (outType == null)
                 {
@@ -624,10 +624,10 @@ private void WriteArrayMember(WriteObjectInfo objectInfo, NameInfo arrayElemType
                 actualTypeInfo._isArrayItem = true;
             }
 
-            if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!))
+            bool assignUniqueIdForValueTypes = false;
+            if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!, ref assignUniqueIdForValueTypes))
             {
                 object obj = data!;
-                bool assignUniqueIdForValueTypes = false;
                 if (ReferenceEquals(arrayElemTypeNameInfo._type, Converter.s_typeofObject))
                 {
                     assignUniqueIdForValueTypes = true;
@@ -807,11 +807,12 @@ private long Schedule(object obj, bool assignUniqueIdToValueType, Type? type, Wr
         }
 
         // Determines if a type is a primitive type, if it is it is written
-        private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data)
+        private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data, ref bool assignUniqueIdToValueType)
         {
             if (ReferenceEquals(typeNameInfo._type, Converter.s_typeofString))
             {
                 WriteString(memberNameInfo, typeNameInfo, data);
+                return true;
             }
             else
             {
@@ -825,18 +826,22 @@ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo
                     if (typeNameInfo._isArray) // null if an array
                     {
                         _serWriter.WriteItem(memberNameInfo, typeNameInfo, data);
+                        return true;
                     }
-                    else
+                    else if (memberNameInfo._type == typeNameInfo._type
+                        || memberNameInfo._type == typeof(object)
+                        || (memberNameInfo._type != null && Nullable.GetUnderlyingType(memberNameInfo._type) != null))
                     {
                         _serWriter.WriteMember(memberNameInfo, typeNameInfo, data);
+                        return true;
                     }
                 }
             }
 
-            return true;
+            assignUniqueIdToValueType = true;
+            return false;
         }
 
-
         // Writes an object reference to the stream.
         private void WriteObjectRef(NameInfo nameInfo, long objectId) =>
             _serWriter!.WriteMemberObjectRef(nameInfo, (int)objectId);
diff --git a/src/libraries/System.Runtime.Serialization.Formatters/tests/BinaryFormatterTests.cs b/src/libraries/System.Runtime.Serialization.Formatters/tests/BinaryFormatterTests.cs
@@ -535,6 +535,25 @@ public void Roundtrip_ArrayContainingArrayAtNonZeroLowerBound()
             BinaryFormatterHelpers.Clone(Array.CreateInstance(typeof(uint[]), new[] { 5 }, new[] { 1 }));
         }
 
+        [Fact]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, ".NET Framework has not been patched yet.")]
+        public void BypassingSerializationBinders()
+        {
+            Tuple<IComparable, object> tuple = new Tuple<IComparable, object>(42, new byte[] { 1, 2, 3, 4 });
+            BinaryFormatter formatter = new BinaryFormatter();
+
+            using (MemoryStream stream = new MemoryStream())
+            {
+                formatter.Serialize(stream, tuple);
+
+                stream.Position = 0;
+
+                Tuple<IComparable, object> deserialized = (Tuple<IComparable, object>)formatter.Deserialize(stream);
+                Assert.Equal(tuple.Item1, deserialized.Item1);
+                Assert.Equal(tuple.Item2, deserialized.Item2);
+            }
+        }
+
         private static void ValidateEqualityComparer(object obj)
         {
             Type objType = obj.GetType();

Original file line number	Diff line number	Diff line change
`@@ -375,7 +375,7 @@ private void WriteMembers(NameInfo memberNameInfo,`
`375`	`375`	`return;`
`376`	`376`	`}`
`377`	`377`
`378`		`- if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!))`
	`378`	`+ if (!WriteKnownValueClass(memberNameInfo, memberTypeNameInfo, memberData!, ref assignUniqueIdToValueType))`
`379`	`379`	`{`
`380`	`380`	`if (outType == null)`
`381`	`381`	`{`
`@@ -624,10 +624,10 @@ private void WriteArrayMember(WriteObjectInfo objectInfo, NameInfo arrayElemType`
`624`	`624`	`actualTypeInfo._isArrayItem = true;`
`625`	`625`	`}`
`626`	`626`
`627`		`- if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!))`
	`627`	`+ bool assignUniqueIdForValueTypes = false;`
	`628`	`+ if (!WriteKnownValueClass(arrayElemTypeNameInfo, actualTypeInfo, data!, ref assignUniqueIdForValueTypes))`
`628`	`629`	`{`
`629`	`630`	`object obj = data!;`
`630`		`- bool assignUniqueIdForValueTypes = false;`
`631`	`631`	`if (ReferenceEquals(arrayElemTypeNameInfo._type, Converter.s_typeofObject))`
`632`	`632`	`{`
`633`	`633`	`assignUniqueIdForValueTypes = true;`
`@@ -807,11 +807,12 @@ private long Schedule(object obj, bool assignUniqueIdToValueType, Type? type, Wr`
`807`	`807`	`}`
`808`	`808`
`809`	`809`	`// Determines if a type is a primitive type, if it is it is written`
`810`		`- private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data)`
	`810`	`+ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo, object data, ref bool assignUniqueIdToValueType)`
`811`	`811`	`{`
`812`	`812`	`if (ReferenceEquals(typeNameInfo._type, Converter.s_typeofString))`
`813`	`813`	`{`
`814`	`814`	`WriteString(memberNameInfo, typeNameInfo, data);`
	`815`	`+ return true;`
`815`	`816`	`}`
`816`	`817`	`else`
`817`	`818`	`{`
`@@ -825,18 +826,22 @@ private bool WriteKnownValueClass(NameInfo memberNameInfo, NameInfo typeNameInfo`
`825`	`826`	`if (typeNameInfo._isArray) // null if an array`
`826`	`827`	`{`
`827`	`828`	`_serWriter.WriteItem(memberNameInfo, typeNameInfo, data);`
	`829`	`+ return true;`
`828`	`830`	`}`
`829`		`- else`
	`831`	`+ else if (memberNameInfo._type == typeNameInfo._type`
	`832`	`+ \|\| memberNameInfo._type == typeof(object)`
	`833`	`+ \|\| (memberNameInfo._type != null && Nullable.GetUnderlyingType(memberNameInfo._type) != null))`
`830`	`834`	`{`
`831`	`835`	`_serWriter.WriteMember(memberNameInfo, typeNameInfo, data);`
	`836`	`+ return true;`
`832`	`837`	`}`
`833`	`838`	`}`
`834`	`839`	`}`
`835`	`840`
`836`		`- return true;`
	`841`	`+ assignUniqueIdToValueType = true;`
	`842`	`+ return false;`
`837`	`843`	`}`
`838`	`844`
`839`		`-`
`840`	`845`	`// Writes an object reference to the stream.`
`841`	`846`	`private void WriteObjectRef(NameInfo nameInfo, long objectId) =>`
`842`	`847`	`_serWriter!.WriteMemberObjectRef(nameInfo, (int)objectId);`