Fix DAC verify signature issue (#5470)

Mike McLaughlin · web-flow · commit a3c354f4ea00 · 2025-05-12T23:51:30.000Z
Running `clrstack` a second time after a verify DAC failure succeeds.

Runtime.GetDacFilePath wasn't caching the verifySignature parameter so
the DAC wasn't being verified once the dac path was cached.

Verify the DAC path passed to the DBI entry points for the `clrstack -i`
path in RuntimeWrapper.CreateCorDebugProcess.

Display the ISettingsService values in both `runtimes` and `sosstatus`.
diff --git a/src/Microsoft.Diagnostics.DebugServices.Implementation/Runtime.cs b/src/Microsoft.Diagnostics.DebugServices.Implementation/Runtime.cs
@@ -25,6 +25,7 @@ public class Runtime : IRuntime, IDisposable
         private Version _runtimeVersion;
         private ClrRuntime _clrRuntime;
         private string _dacFilePath;
+        private bool _verifySignature;      // This only applies to the regular DAC, not the CDAC
         private string _cdacFilePath;
         private string _dbiFilePath;
 
@@ -113,19 +114,22 @@ public string GetCDacFilePath()
 
         public string GetDacFilePath(out bool verifySignature)
         {
-            verifySignature = false;
             if (_settingsService.ForceUseContractReader)
             {
+                // Don't verify signature when using the CDAC and don't change the cached value
+                // because it only applies to the regular DAC in _dacFilePath.
+                verifySignature = false;
                 return GetCDacFilePath();
             }
             if (_dacFilePath is null)
             {
                 _dacFilePath = GetLibraryPath(DebugLibraryKind.Dac);
                 if (_dacFilePath is not null)
                 {
-                    verifySignature = _settingsService.DacSignatureVerificationEnabled;
+                    _verifySignature = _settingsService.DacSignatureVerificationEnabled;
                 }
             }
+            verifySignature = _verifySignature;
             return _dacFilePath;
         }
 
@@ -339,7 +343,8 @@ public override string ToString()
             if (_dacFilePath is not null)
             {
                 sb.AppendLine();
-                sb.Append($"    DAC: {_dacFilePath}");
+                string verify = _verifySignature ? "(verify)" : "(don't verify)";
+                sb.Append($"    DAC: {_dacFilePath} {verify}");
             }
             if (_cdacFilePath is not null)
             {
diff --git a/src/Microsoft.Diagnostics.ExtensionCommands/Host/CommandFormatHelpers.cs b/src/Microsoft.Diagnostics.ExtensionCommands/Host/CommandFormatHelpers.cs
@@ -16,6 +16,15 @@ public static class CommandFormatHelpers
         public const string DebugHeaderExport = "DotNetRuntimeDebugHeader";
         public const string ContractDescriptorExport = "DotNetRuntimeContractDescriptor";
 
+        public static void DisplaySettingService(this CommandBase command)
+        {
+            ISettingsService settingsService = command.Services.GetService<ISettingsService>() ?? throw new DiagnosticsException("Settings service required");
+            command.Console.WriteLine("Settings:");
+            command.Console.WriteLine($"-> Use CDAC contract reader: {settingsService.UseContractReader}");
+            command.Console.WriteLine($"-> Force use CDAC contract reader: {settingsService.ForceUseContractReader}");
+            command.Console.WriteLine($"-> DAC signature verification check enabled: {settingsService.DacSignatureVerificationEnabled}");
+        }
+
         /// <summary>
         /// Displays the special diagnostics info header memory block (.NET Core 8 or later on Linux/MacOS)
         /// </summary>
diff --git a/src/Microsoft.Diagnostics.ExtensionCommands/Host/RuntimesCommand.cs b/src/Microsoft.Diagnostics.ExtensionCommands/Host/RuntimesCommand.cs
@@ -128,10 +128,8 @@ public override void Invoke()
                     }
                     this.DisplayResources(runtime.RuntimeModule, all: false, indent: "    ");
                     this.DisplayRuntimeExports(runtime.RuntimeModule, error: true, indent: "    ");
-                    WriteLine($"Use CDAC contract reader: {SettingsService.UseContractReader}");
-                    WriteLine($"Force use CDAC contract reader: {SettingsService.ForceUseContractReader}");
-                    WriteLine($"DAC signature verification check enabled: {SettingsService.DacSignatureVerificationEnabled}");
                 }
+                this.DisplaySettingService();
             }
         }
     }
diff --git a/src/Microsoft.Diagnostics.ExtensionCommands/Host/StatusCommand.cs b/src/Microsoft.Diagnostics.ExtensionCommands/Host/StatusCommand.cs
@@ -63,6 +63,7 @@ public override void Invoke()
                     }
                 }
                 this.DisplaySpecialInfo();
+                this.DisplaySettingService();
                 Write(SymbolService.ToString());
 
                 List<Assembly> extensions = new(ServiceManager.ExtensionsLoaded);
diff --git a/src/SOS/SOS.Extensions/HostServices.cs b/src/SOS/SOS.Extensions/HostServices.cs
@@ -356,6 +356,10 @@ private int DispatchCommand(
             {
                 return HResult.E_INVALIDARG;
             }
+            if (_commandService is null)
+            {
+                return HResult.E_FAIL;
+            }
             try
             {
                 _commandService.Execute(commandName, commandArguments, string.Equals(commandName, "help", StringComparison.OrdinalIgnoreCase) ?  _contextServiceFromDebuggerServices.Services : _servicesWithManagedOnlyFilter);
diff --git a/src/SOS/SOS.Hosting/RuntimeWrapper.cs b/src/SOS/SOS.Hosting/RuntimeWrapper.cs
@@ -383,10 +383,9 @@ private IntPtr CreateClrDataProcess(IntPtr dacHandle)
         private IntPtr CreateCorDebugProcess()
         {
             string dbiFilePath = _runtime.GetDbiFilePath();
-            string dacFilePath = _runtime.GetDacFilePath(out bool verifySignature);
-            if (dbiFilePath == null || dacFilePath == null)
+            if (dbiFilePath == null)
             {
-                Trace.TraceError($"Could not find matching DBI {dbiFilePath ?? ""} or DAC {dacFilePath ?? ""} for this runtime: {_runtime.RuntimeModule.FileName}");
+                Trace.TraceError($"Could not find matching DBI {dbiFilePath ?? ""} for this runtime: {_runtime.RuntimeModule.FileName}");
                 return IntPtr.Zero;
             }
             if (_dbiHandle == IntPtr.Zero)
@@ -415,6 +414,16 @@ private IntPtr CreateCorDebugProcess()
             int hresult = 0;
             try
             {
+                // This will verify the DAC signature if needed before DBI is passed the DAC path or handle
+                IntPtr dacHandle = GetDacHandle();
+                if (dacHandle == IntPtr.Zero)
+                {
+                    return IntPtr.Zero;
+                }
+
+                // The DAC was verified in the GetDacHandle call above. Ignore the verifySignature parameter here.
+                string dacFilePath = _runtime.GetDacFilePath(out bool _);
+
                 OpenVirtualProcessImpl2Delegate openVirtualProcessImpl2 = SOSHost.GetDelegateFunction<OpenVirtualProcessImpl2Delegate>(_dbiHandle, "OpenVirtualProcessImpl2");
                 if (openVirtualProcessImpl2 != null)
                 {
@@ -436,12 +445,6 @@ private IntPtr CreateCorDebugProcess()
                     return corDebugProcess;
                 }
 
-                IntPtr dacHandle = GetDacHandle();
-                if (dacHandle == IntPtr.Zero)
-                {
-                    return IntPtr.Zero;
-                }
-
                 // On Linux/MacOS the DAC module handle needs to be re-created using the DAC PAL instance
                 // before being passed to DBI's OpenVirtualProcess* implementation. The DBI and DAC share
                 // the same PAL where dbgshim has it's own.

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ public class Runtime : IRuntime, IDisposable`
`25`	`25`	`private Version _runtimeVersion;`
`26`	`26`	`private ClrRuntime _clrRuntime;`
`27`	`27`	`private string _dacFilePath;`
	`28`	`+ private bool _verifySignature; // This only applies to the regular DAC, not the CDAC`
`28`	`29`	`private string _cdacFilePath;`
`29`	`30`	`private string _dbiFilePath;`
`30`	`31`
`@@ -113,19 +114,22 @@ public string GetCDacFilePath()`
`113`	`114`
`114`	`115`	`public string GetDacFilePath(out bool verifySignature)`
`115`	`116`	`{`
`116`		`- verifySignature = false;`
`117`	`117`	`if (_settingsService.ForceUseContractReader)`
`118`	`118`	`{`
	`119`	`+ // Don't verify signature when using the CDAC and don't change the cached value`
	`120`	`+ // because it only applies to the regular DAC in _dacFilePath.`
	`121`	`+ verifySignature = false;`
`119`	`122`	`return GetCDacFilePath();`
`120`	`123`	`}`
`121`	`124`	`if (_dacFilePath is null)`
`122`	`125`	`{`
`123`	`126`	`_dacFilePath = GetLibraryPath(DebugLibraryKind.Dac);`
`124`	`127`	`if (_dacFilePath is not null)`
`125`	`128`	`{`
`126`		`- verifySignature = _settingsService.DacSignatureVerificationEnabled;`
	`129`	`+ _verifySignature = _settingsService.DacSignatureVerificationEnabled;`
`127`	`130`	`}`
`128`	`131`	`}`
	`132`	`+ verifySignature = _verifySignature;`
`129`	`133`	`return _dacFilePath;`
`130`	`134`	`}`
`131`	`135`
`@@ -339,7 +343,8 @@ public override string ToString()`
`339`	`343`	`if (_dacFilePath is not null)`
`340`	`344`	`{`
`341`	`345`	`sb.AppendLine();`
`342`		`- sb.Append($" DAC: {_dacFilePath}");`
	`346`	`+ string verify = _verifySignature ? "(verify)" : "(don't verify)";`
	`347`	`+ sb.Append($" DAC: {_dacFilePath} {verify}");`
`343`	`348`	`}`
`344`	`349`	`if (_cdacFilePath is not null)`
`345`	`350`	`{`
Original file line number	Diff line number	Diff line change
`@@ -128,10 +128,8 @@ public override void Invoke()`
`128`	`128`	`}`
`129`	`129`	`this.DisplayResources(runtime.RuntimeModule, all: false, indent: " ");`
`130`	`130`	`this.DisplayRuntimeExports(runtime.RuntimeModule, error: true, indent: " ");`
`131`		`- WriteLine($"Use CDAC contract reader: {SettingsService.UseContractReader}");`
`132`		`- WriteLine($"Force use CDAC contract reader: {SettingsService.ForceUseContractReader}");`
`133`		`- WriteLine($"DAC signature verification check enabled: {SettingsService.DacSignatureVerificationEnabled}");`
`134`	`131`	`}`
	`132`	`+ this.DisplaySettingService();`
`135`	`133`	`}`
`136`	`134`	`}`
`137`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ public override void Invoke()`
`63`	`63`	`}`
`64`	`64`	`}`
`65`	`65`	`this.DisplaySpecialInfo();`
	`66`	`+ this.DisplaySettingService();`
`66`	`67`	`Write(SymbolService.ToString());`
`67`	`68`
`68`	`69`	`List<Assembly> extensions = new(ServiceManager.ExtensionsLoaded);`
Original file line number	Diff line number	Diff line change
`@@ -356,6 +356,10 @@ private int DispatchCommand(`
`356`	`356`	`{`
`357`	`357`	`return HResult.E_INVALIDARG;`
`358`	`358`	`}`
	`359`	`+ if (_commandService is null)`
	`360`	`+ {`
	`361`	`+ return HResult.E_FAIL;`
	`362`	`+ }`
`359`	`363`	`try`
`360`	`364`	`{`
`361`	`365`	`_commandService.Execute(commandName, commandArguments, string.Equals(commandName, "help", StringComparison.OrdinalIgnoreCase) ? _contextServiceFromDebuggerServices.Services : _servicesWithManagedOnlyFilter);`