Fix GitHub_25027 in the interpreter by verifying stack depth at CEE_RET (#118976)

kg · web-flow · commit b2c99a07dd9e · 2025-08-22T08:48:38.000-07:00
diff --git a/src/coreclr/interpreter/compiler.cpp b/src/coreclr/interpreter/compiler.cpp
@@ -623,6 +623,19 @@ void InterpCompiler::CheckStackHelper(int n)
     }
 }
 
+void InterpCompiler::CheckStackExact(int n)
+{
+    int32_t currentSize = (int32_t)(m_pStackPointer - m_pStackBase);
+    if (currentSize < n)
+    {
+        BADCODE("Stack underflow");
+    }
+    else if (currentSize > n)
+    {
+        BADCODE("Stack contains extra data");
+    }
+}
+
 void InterpCompiler::PushTypeExplicit(StackType stackType, CORINFO_CLASS_HANDLE clsHnd, int size)
 {
     EnsureStack(1);
@@ -3921,11 +3934,12 @@ void InterpCompiler::GenerateCode(CORINFO_METHOD_INFO* methodInfo)
 
                 if (retType == InterpTypeVoid)
                 {
+                    CheckStackExact(0);
                     AddIns(INTOP_RET_VOID);
                 }
                 else if (retType == InterpTypeVT)
                 {
-                    CHECK_STACK(1);
+                    CheckStackExact(1);
                     AddIns(INTOP_RET_VT);
                     m_pStackPointer--;
                     int32_t retVar = m_pStackPointer[0].var;
@@ -3934,7 +3948,7 @@ void InterpCompiler::GenerateCode(CORINFO_METHOD_INFO* methodInfo)
                 }
                 else
                 {
-                    CHECK_STACK(1);
+                    CheckStackExact(1);
                     AddIns(INTOP_RET);
                     m_pStackPointer--;
                     m_pLastNewIns->SetSVar(m_pStackPointer[0].var);
diff --git a/src/coreclr/interpreter/compiler.h b/src/coreclr/interpreter/compiler.h
@@ -690,6 +690,7 @@ class InterpCompiler
     int32_t m_stackCapacity;
 
     void CheckStackHelper(int n);
+    void CheckStackExact(int n);
     void EnsureStack(int additional);
     void PushTypeExplicit(StackType stackType, CORINFO_CLASS_HANDLE clsHnd, int size);
     void PushStackType(StackType stackType, CORINFO_CLASS_HANDLE clsHnd);

Original file line number	Diff line number	Diff line change
`@@ -623,6 +623,19 @@ void InterpCompiler::CheckStackHelper(int n)`
`623`	`623`	`}`
`624`	`624`	`}`
`625`	`625`
	`626`	`+void InterpCompiler::CheckStackExact(int n)`
	`627`	`+{`
	`628`	`+ int32_t currentSize = (int32_t)(m_pStackPointer - m_pStackBase);`
	`629`	`+ if (currentSize < n)`
	`630`	`+ {`
	`631`	`+ BADCODE("Stack underflow");`
	`632`	`+ }`
	`633`	`+ else if (currentSize > n)`
	`634`	`+ {`
	`635`	`+ BADCODE("Stack contains extra data");`
	`636`	`+ }`
	`637`	`+}`
	`638`	`+`
`626`	`639`	`void InterpCompiler::PushTypeExplicit(StackType stackType, CORINFO_CLASS_HANDLE clsHnd, int size)`
`627`	`640`	`{`
`628`	`641`	`EnsureStack(1);`
`@@ -3921,11 +3934,12 @@ void InterpCompiler::GenerateCode(CORINFO_METHOD_INFO* methodInfo)`
`3921`	`3934`
`3922`	`3935`	`if (retType == InterpTypeVoid)`
`3923`	`3936`	`{`
	`3937`	`+ CheckStackExact(0);`
`3924`	`3938`	`AddIns(INTOP_RET_VOID);`
`3925`	`3939`	`}`
`3926`	`3940`	`else if (retType == InterpTypeVT)`
`3927`	`3941`	`{`
`3928`		`- CHECK_STACK(1);`
	`3942`	`+ CheckStackExact(1);`
`3929`	`3943`	`AddIns(INTOP_RET_VT);`
`3930`	`3944`	`m_pStackPointer--;`
`3931`	`3945`	`int32_t retVar = m_pStackPointer[0].var;`
`@@ -3934,7 +3948,7 @@ void InterpCompiler::GenerateCode(CORINFO_METHOD_INFO* methodInfo)`
`3934`	`3948`	`}`
`3935`	`3949`	`else`
`3936`	`3950`	`{`
`3937`		`- CHECK_STACK(1);`
	`3951`	`+ CheckStackExact(1);`
`3938`	`3952`	`AddIns(INTOP_RET);`
`3939`	`3953`	`m_pStackPointer--;`
`3940`	`3954`	`m_pLastNewIns->SetSVar(m_pStackPointer[0].var);`