Python Driver: PYTHON-532

User-triggerable NULL pointer dereference due to utter plebbery

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.2
    • Component/s: None
    • Labels:
      None
    • Environment:
      ALL THE ENVIRONMENTS
    • Backwards Compatibility:
      Major Change
    • # Replies:
      13
    • Last comment by Customer:
      true

      Description

      Steps to reproduce:

      Step 1. Use Mongo as WEB SCALE DOCUMENT STORE OF CHOICE LOL

      Step 2. Assume basic engineering principles applied throughout due to HEAVY MARKETING SUGGESTING AWESOMENESS.

      Step 3. Spend 6 months fighting plebbery across the spectrum, mostly succeed.

      Step 4. NIGHT BEFORE INVESTOR DEMO, TRY UPLOADING SOME DATA WITH "{$ref: '#/mongodb/plebtastic'"

      Step 5. LOL WTF?!?!? PYMONGO CRASH?? :OOO LOOOL WEBSCALE

      Step 6. It's 4am now. STILL INVESTIGATING

      b4cb9be0 pymongo/_cbsonmodule.c (Mike Dirolf 2009-11-10 14:54:39 -0500 1196) /* Decoding for DBRefs */

      Oh Mike!!!

      Step 7. DISCOVER PYMONGO DOES NOT CHECK RETURN VALUES IN MULTIPLE PLACES. DISCOVER ORIGINAL AUTHOR SHOULD NOT BE ALLOWED NEAR COMPUTER

0558b0d4 pymongo/_cbsonmodule.c (Mike Dirolf 2009-06-08 15:06:12 -0400 1197) if (strcmp(buffer + position + 5, "$ref") == 0) { /* DBRef */
      f3da57be pymongo/_cbsonmodule.c (sibsibsib 2010-08-03 13:24:14 +0800 1198) PyObject* dbref;
      b4cb9be0 pymongo/_cbsonmodule.c (Mike Dirolf 2009-11-10 14:54:39 -0500 1199) PyObject* collection = PyDict_GetItemString(value, "$ref");
      ...
      30c253e6 pymongo/_cbsonmodule.c (Mike Dirolf 2010-06-22 12:29:20 -0400 1206) PyDict_DelItemString(value, "$id");
      ...
      6b0a9ccb pymongo/_cbsonmodule.c (Mike Dirolf 2010-06-21 15:15:00 -0400 1220) Py_DECREF(id);

      LOOOOL!

      OH MIKE OH MIKE!! BUT WHAT IF $ref DOESNT HAVE $id KEY? LOOL

      Step 8. REALIZE I CAN CRASH 99% OF ALL WEB 3.9 SHIT-TASTIC WEBSCALE MONGO-DEPLOYING SERVICES WITH 16 BYTE POST

      Step 9. REALIZE 10GEN ARE TOO WORTHLESSLY CLUELESS TO LICENCE A STATIC ANALYZER THAT WOULD HAVE NOTICED THIS PROBLEM IN 0.0000001 NANOSECONDS?!!?!?@#

      Step 10. TRY DELETING _cbson.so.

      Step 11. LOOOOOOOOOOOOL MORE NULL PTR DEREFS IN _cmessage.so!!?!? LOLLERPLEX??!? NULL IS FOR LOSERS LOLOL

      Steps to fix:

      1. MIKE WAS BORN A TECH WRITER. REVOKE COMMIT PRIVS TODAY

      2. BUY A GODDAMNED COVERITY LICENCE YOU AMATEURS

      3. ADD process_dbrefs=False TO ALL THE DRIVERS

      4. FIX NULL PTR DEREFERENCE

      5. PUBLISH SECURITY ADVISORY OR I WILL DO IT FOR YOU
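The following is an added example, not PyMongo's code and not from the reporter or 10gen. It shows the fix the report asks for in the pure-Python form the driver falls back to when _cbson is unavailable: a DBRef decoder that verifies every key the DBRef shape needs ("$id" in particular) before using it, and turns a malformed sub-document into a validation error or an untouched dict rather than a crash. The DBRef class and InvalidDocument exception are minimal stand-ins written for this example, and the sample documents are constructed (the malformed one mirrors the "$ref"-without-"$id" payload from step 4).

```python
"""Added example (not PyMongo's or 10gen's code): a pure-Python DBRef decoder
that treats a sub-document carrying "$ref" but no "$id" as a validation
error instead of assuming "$id" exists.

The report shows the C decoder (_cbsonmodule.c) looking up "$ref", then
unconditionally deleting and DECREF'ing "$id"; when "$id" is absent the
lookup yields NULL and the process segfaults.  The DBRef class and the
InvalidDocument exception below are stand-ins defined for this example,
not the ones from bson.
"""


class InvalidDocument(ValueError):
    """Raised when a sub-document carries DBRef marker keys but is malformed."""


class DBRef:
    """Minimal stand-in for bson.dbref.DBRef (example-only)."""

    def __init__(self, collection, id, database=None, **extra):
        self.collection = collection
        self.id = id
        self.database = database
        self.extra = extra

    def _key(self):
        return (self.collection, self.id, self.database,
                tuple(sorted(self.extra.items())))

    def __eq__(self, other):
        return isinstance(other, DBRef) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def __repr__(self):
        return "DBRef(%r, %r, %r, extra=%r)" % (
            self.collection, self.id, self.database, self.extra)


def decode_dbref(value, strict=True):
    """Convert a dict into a DBRef if it has the "$ref" marker key.

    Every key the DBRef shape requires is checked before it is used; the
    C code quoted in the report only checked "$ref".  Behaviour on a
    malformed document is explicit: raise InvalidDocument in strict mode,
    otherwise hand the dict back untouched so the caller gets data, not a crash.
    """
    if not isinstance(value, dict) or "$ref" not in value:
        return value                      # not a DBRef at all
    problems = []
    if "$id" not in value:
        problems.append('missing "$id"')
    if not isinstance(value.get("$ref"), str):
        problems.append('"$ref" is not a string')
    if "$db" in value and not isinstance(value["$db"], str):
        problems.append('"$db" is not a string')
    if problems:
        if strict:
            raise InvalidDocument("malformed DBRef %r: %s"
                                  % (value, "; ".join(problems)))
        return value
    fields = dict(value)                  # copy: never mutate the caller's dict
    collection = fields.pop("$ref")
    oid = fields.pop("$id")
    database = fields.pop("$db", None)
    return DBRef(collection, oid, database, **fields)


def decode_document(doc, strict=True):
    """Walk nested dicts and lists, converting every DBRef-shaped sub-document."""
    if isinstance(doc, dict):
        converted = {k: decode_document(v, strict) for k, v in doc.items()}
        return decode_dbref(converted, strict)
    if isinstance(doc, list):
        return [decode_document(v, strict) for v in doc]
    return doc


# Constructed sample input modelled on the report: "$ref" without "$id".
MALFORMED = {"post": {"link": {"$ref": "#/mongodb/plebtastic"}}}
# Constructed well-formed DBRef for comparison.
WELL_FORMED = {"post": {"author": {"$ref": "users", "$id": 42, "$db": "app"}}}


def demo():
    """Return how each sample decodes; the malformed one never crashes anything."""
    results = {"well_formed": decode_document(WELL_FORMED),
               "malformed_lenient": decode_document(MALFORMED, strict=False)}
    try:
        decode_document(MALFORMED)
        results["malformed_strict"] = "no error"
    except InvalidDocument as exc:
        results["malformed_strict"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %r" % (name, outcome))
```

The point of the example is the ordering: membership checks on "$id", "$ref" and "$db" happen before any key is popped, so the decoder's behaviour on a document a client controls is a raised exception (strict) or an unchanged dict (lenient), both of which a web handler can deal with, instead of a process crash.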

          Activity

          behackett Bernie Hackett added a comment -

          Jibbers McGee, no problem. I understand your frustration. Thanks again for the report.

          imatlin Igor Matlin added a comment -

          Hello Jibbers McGee and others,

          My name is Igor Matlin and I work for Coverity. 10gen does license our software, and to my knowledge they have been quite diligent in running and fixing issues identified by Coverity Static Analysis.

          Unfortunately, the code in question was not flagged. The source of PyDict_GetItemString was not available during the scan, so the static analysis engine had no evidence that the function can return NULL. Since flagging every instance where a return value is not checked tends to generate a lot of noise, most of our customers only scan for cases where evidence exists that a function can return NULL and analysis determines that the return value is routinely checked.

          The Coverity static analysis engine can be configured to be more aggressive and treat all functions where source is not available as potentially returning NULL. We will work with 10gen to determine the best combination of analysis options going forward.

          Regards,

          Igor Matlin

          auto auto (Inactive) added a comment -

          Author:

          {u'username': u'behackett', u'name': u'Bernie Hackett', u'email': u'bernie@10gen.com'}

          Message: Fix import when _cbson unavailable PYTHON-532

          This ensures that we don't import _cmessage in
          an incomplete state or segfault if _cbson isn't
          available. If _cbson.so has been removed we fall
          back to pure python.
          Branch: v2.5
          https://github.com/mongodb/mongo-python-driver/commit/7395ce72bf54ef64d723e1b4140556ebd12a2a07

          auto auto (Inactive) added a comment -

          Author:

          {u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@10gen.com'}

          Message: Fix null pointer when decoding invalid DBRef PYTHON-532
          Branch: master
          https://github.com/mongodb/mongo-python-driver/commit/842e675299318e02d8d223c458df87c029f66efc

          auto auto (Inactive) added a comment -

          Author:

          {u'username': u'behackett', u'name': u'Bernie Hackett', u'email': u'bernie@10gen.com'}

          Message: Fix import when _cbson unavailable PYTHON-532

          This ensures that we don't import _cmessage in
          an incomplete state or segfault if _cbson isn't
          available. If _cbson.so has been removed we fall
          back to pure python.
          Branch: master
          https://github.com/mongodb/mongo-python-driver/commit/d9b088e6d8a8b5f71acff10b6a13ba2b22fca718


            People

            • Votes: 4
            • Watchers: 31