CounterSet.CreateCounterSetInstance can stack overflow with excessive counters #110843

@vcsjones

This stackalloc can stack overflow as the size of it is unbound, and depends on the number of counters in the CounterSet:

```csharp
byte* CounterSetBuffer = stackalloc byte[(int)CounterSetInfoSize];
```

Despite the variable name being capitalized, it is not const and its final value depends on _idToCounter.Count.

Can be reproduced with:

```csharp
using System;
using System.Diagnostics.PerformanceData;

#pragma warning disable // Whatever

CounterSet counterSet = new(Guid.NewGuid(), Guid.NewGuid(), CounterSetInstanceType.Single);

for (int i = 0; i < 0x10000; i++)
{
    counterSet.AddCounter(i, CounterType.ElapsedTime);
}

counterSet.CreateCounterSetInstance("potato");
```

After a quick check with @GrabYourPitchforks, we do not think this is a DoS vulnerability since it is unlikely that the number of times AddCounter is called is driven by untrusted user input.

Nevertheless, the runtime stack overflowing from public APIs is probably not desirable.
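
One way to bound a caller-sized scratch buffer like the one above, as an added example that is not part of the original issue and not the runtime's own fix: keep `stackalloc` for small sizes and rent from the array pool otherwise. `BoundedScratch`, `MaxStackBytes` and `Consume` are hypothetical names, the threshold is an assumed value, and the code needs `AllowUnsafeBlocks` to compile.

```csharp
using System;
using System.Buffers;

static class BoundedScratch
{
    // Assumed threshold; choose one that fits the deepest expected call stack.
    const int MaxStackBytes = 1024;

    // Hypothetical stand-in for the native call that consumes the buffer.
    static unsafe int Consume(byte* buffer, int length)
    {
        int sum = 0;
        for (int i = 0; i < length; i++) sum += buffer[i];
        return sum;
    }

    public static unsafe int BuildAndConsume(int size)
    {
        if (size < 0) throw new ArgumentOutOfRangeException(nameof(size));

        byte[]? rented = null;
        // Small sizes stay on the stack; larger ones come from the pool, so the
        // stack frame no longer grows with a caller-controlled count.
        Span<byte> scratch = size <= MaxStackBytes
            ? stackalloc byte[MaxStackBytes]
            : (rented = ArrayPool<byte>.Shared.Rent(size));
        try
        {
            scratch = scratch.Slice(0, size);
            scratch.Clear(); // rented arrays may hold stale data from earlier users
            fixed (byte* p = scratch)
            {
                return Consume(p, size);
            }
        }
        finally
        {
            if (rented is not null) ArrayPool<byte>.Shared.Return(rented);
        }
    }

    static void Main()
    {
        Console.WriteLine(BuildAndConsume(64));       // stack path
        Console.WriteLine(BuildAndConsume(0x100000)); // pooled path
    }
}
```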
