Core Server / SERVER-88202

Fix possible integer overflow in BSON validation

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 8.0.0-rc0, 6.0.15, 7.0.9, 7.3.2, 5.0.30
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Assigned Teams: Storage Execution
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v7.3, v7.0, v6.0, v5.0
    • Sprint: Execution Team 2024-04-01

      Found by fuzzer:

      src/mongo/bson/bson_validate.cpp:470:30: runtime error: signed integer overflow: 2 + 2147483647 cannot be represented in type 'int'
          #0 0xaaaac4d8fd28 in mongo::(anonymous namespace)::ValidateBuffer<false, mongo::(anonymous namespace)::DefaultValidator>::validateAndMeasureElem() /home/ubuntu/mongo/src/mongo/bson/bson_validate.cpp:470:30
          #1 0xaaaac4d8fd28 in mongo::(anonymous namespace)::ColumnValidator::doValidateBSONColumn(char const*, int, mongo::BSONValidateModeEnum, mongo::ValidationVersion) /home/ubuntu/mongo/src/mongo/bson/bson_validate.cpp:768:37
          #2 0xaaaac4c63000 in LLVMFuzzerTestOneInput /home/ubuntu/mongo/src/mongo/bson/util/bsoncolumn_decompress_fuzzer.cpp:40:10
          #3 0xaaaac4baca7c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
          #4 0xaaaac4bac190 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
          #5 0xaaaac4bad99c in fuzzer::Fuzzer::MutateAndTestOne() /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19
          #6 0xaaaac4bae654 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
          #7 0xaaaac4b9e438 in fuzzer::FuzzerDriver(int*, char**, int (unsigned char const, unsigned long)) /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
          #8 0xaaaac4bc2dc8 in main /data/mci/a0fb36c8538079c1f46d9ce374d7b561/toolchain-builder/tmp/build-llvm-v4.sh-XmU/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
          #9 0xffff7f3873f8 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #10 0xffff7f3874c8 in __libc_start_main csu/../csu/libc-start.c:392:3
          #11 0xaaaac4b94fac in _start (/home/ubuntu/mongo/build/install/bin/bsoncolumn_decompress_fuzzer+0x21b4fac)

      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mongo/bson/bson_validate.cpp:470:30 in
      MS: 2 PersAutoDict-ChangeBinInt- DE: "\xff\xff\xff\x7f"-; base unit: 940ada7fbb2f71f7df937aa9fac304f0d3ba9c0c
      0x3,0x0,0xff,0xff,0xff,0x7f,0x0,0x8,0x0,0x0,0x0,0x0,0x0,
      \x03\x00\xff\xff\xff\x7f\x00\x08\x00\x00\x00\x00\x00
      artifact_prefix='./'; Test unit written to ./crash-7dbb956712dd41a215c0334b49cace3eebe4d78e
      Base64: AwD///9/AAgAAAAAAA==

            Assignee: Binh Vo (binh.vo@mongodb.com)
            Reporter: Binh Vo (binh.vo@mongodb.com)
            Votes: 0
            Watchers: 7
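The 13-byte crash unit in the report decodes as a single BSON element: type byte 0x03 (embedded document), an empty element name (just its 0x00 terminator), and then the int32 length field ff ff ff 7f, i.e. 0x7fffffff = INT_MAX; the libFuzzer mutation line shows that value came from the persistent auto-dictionary entry "\xff\xff\xff\x7f". That is exactly the "2 + 2147483647" the sanitizer reports: a 2-byte element header added to an attacker-controlled document length in plain int arithmetic. The following is an added illustration, not MongoDB's code and not the expression at bson_validate.cpp:470 (which this page does not show): it embeds the crash unit as constructed input, gives a hypothetical measurement routine with the same overflow shape, and beside it a hardened form that bounds the claimed length against the bytes actually remaining before any addition. All function and constant names are the example's own.

```cpp
// Added illustration for SERVER-88202 (not MongoDB's code): the fuzzer's crash
// unit decoded as a BSON element, a hypothetical length computation with the
// same shape as the UBSan report, and an overflow-safe replacement.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed input, copied from the report (Base64 AwD///9/AAgAAAAAAA==):
//   0x03                   element type: embedded document
//   0x00                   empty element name (just the terminator)
//   ff ff ff 7f            int32 document length = 0x7fffffff = INT_MAX
//   00 08 00 00 00 00 00   trailing bytes
static const unsigned char kCrashUnit[] = {
    0x03, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00};

// Constructed well-formed counterpart: same element carrying an empty
// document (int32 length 5, then the 0x00 terminator).
static const unsigned char kGoodUnit[] = {0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00};

// BSON int32 is little-endian; assemble it explicitly so the code does not
// depend on host endianness or on unaligned loads.
int32_t readLE32(const unsigned char* p) {
    return int32_t(uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
                   (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24));
}

// Reproduces the check UBSan applied at the crash site: does a + b fit in int?
bool addWouldOverflow(int a, int b) {
    const int hi = std::numeric_limits<int>::max();
    const int lo = std::numeric_limits<int>::min();
    return b > 0 ? a > hi - b : a < lo - b;
}

// Hypothetical "before" (NOT the code at bson_validate.cpp:470, which this
// page does not show): the element header is 2 bytes (type + empty name),
// and the document's own length is added to it in plain int arithmetic.
// With len == INT_MAX, `header + len` is exactly the "2 + 2147483647"
// signed overflow in the report, so calling this on kCrashUnit is UB.
int measureElemUnsafe(const unsigned char* buf, int bufLen) {
    const int header = 2;
    if (bufLen < header + 4) return -1;
    int len = readLE32(buf + header);
    int total = header + len;  // undefined behaviour when len == INT_MAX
    if (total > bufLen) return -1;
    return total;
}

// Hardened form: bound the attacker-controlled length against the bytes that
// remain *before* any addition, so no expression can overflow, and enforce
// the BSON minimum (4-byte length + terminator) and the terminator itself.
// Returns the element's total size, or -1 for malformed input.
int measureElemSafe(const unsigned char* buf, int bufLen) {
    const int header = 2;                          // type byte + empty name
    if (bufLen < header + 4) return -1;            // no room for the int32
    int32_t len = readLE32(buf + header);
    if (len < 5) return -1;                        // smaller than an empty doc
    if (len > bufLen - header) return -1;          // claims more than is left
    if (buf[header + len - 1] != 0x00) return -1;  // document must end in 0x00
    return header + len;                           // <= bufLen, cannot overflow
}

int main() {
    const int crashLen = int(sizeof kCrashUnit);
    const int goodLen = int(sizeof kGoodUnit);
    std::printf("crash unit: len field = %d, 2 + len overflows int: %s, safe measure = %d\n",
                readLE32(kCrashUnit + 2),
                addWouldOverflow(2, readLE32(kCrashUnit + 2)) ? "yes" : "no",
                measureElemSafe(kCrashUnit, crashLen));
    std::printf("good unit: safe measure = %d\n", measureElemSafe(kGoodUnit, goodLen));
    return 0;
}
```

The pattern that matters is the order of operations in measureElemSafe: compare the untrusted length against `bufLen - header` (which cannot overflow, because both operands are already known to be small and non-negative) and only then form `header + len`. Computing the sum first and comparing afterwards, as measureElemUnsafe does, is undefined behaviour in C++ at INT_MAX, and in practice a wrapped negative total will sail past a `total > bufLen` check. Whether the upstream fix took this shape or another (for example widening to int64_t) is not stated on this page.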