Core Server / SERVER-21957

Circular JS objects cause use-after-free in ObjectWrapper::toBSON

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 3.2.13, 3.3.0
    • Affects Version/s: 3.2.0
    • Component/s: JavaScript
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v3.2
    • Sprint: Platforms 2017-03-27

      Steps to Reproduce: Run the depth_limit.js script in a shell running under valgrind

      The BSONObjBuilder declared in ObjectWrapper::toBSON needs to remain in scope until after all of the WriteFieldRecursionFrame objects in the 'frames' LifetimeStack are destroyed, because each frame, when destroyed, may write to memory owned by the BSONObjBuilder.

      Unfortunately, the BSONObjBuilder is declared after the frames object. So, normal object destruction sequencing means that the BSONObjBuilder will be destroyed before the frames, leading to a use-after-free.

      Note that during normal processing, this won't happen, as the loop that comprises the primary body of the function pops (and destroys) all frames before leaving the function. In that case, any frames that had referenced the BSONObjBuilder have already been destroyed.

      However, if the function is exited via an exception, as would happen if the object being walked was circular, then the frames have not all been popped, and the incorrect object sequencing will result in a use-after-free.
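      The destruction-order problem described above, reduced to a stand-alone C++ model. This is an added illustration, not the MongoDB source: Builder, Frame, Node, walk, toBSONBuggy and toBSONFixed are constructed stand-ins for BSONObjBuilder, WriteFieldRecursionFrame, the walked JS object, the conversion loop and the two declaration orders. A registry of live builders lets a frame notice that its builder is already gone, so the dangling write is reported rather than performed.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-ins, not MongoDB code. Frames detect a dangling builder
// through this registry instead of actually writing to freed memory.
static std::set<const void*> g_liveBuilders;
static std::vector<std::string> g_log;

// Stand-in for BSONObjBuilder: owns an output buffer that frames append to.
struct Builder {
    std::string buf;
    Builder() { g_liveBuilders.insert(this); }
    ~Builder() {
        g_liveBuilders.erase(this);
        g_log.push_back("builder destroyed");
    }
    void append(const std::string& s) { buf += s; }
};

// Stand-in for WriteFieldRecursionFrame: closing a frame writes the
// sub-object terminator into the builder it references, so a frame that
// outlives its builder would write into freed memory.
struct Frame {
    Builder* out;
    std::string name;
    Frame(Builder* b, std::string n) : out(b), name(std::move(n)) {}
    ~Frame() {
        if (g_liveBuilders.count(out) == 0) {
            g_log.push_back("use-after-free: frame '" + name + "' wrote to a dead builder");
            return;  // the real code would corrupt the heap here
        }
        out->append("}");
        g_log.push_back("frame '" + name + "' closed");
    }
};

// Minimal JS-object stand-in; a child pointing back at an ancestor makes it circular.
struct Node {
    std::string name;
    std::vector<const Node*> children;
};

using FrameStack = std::vector<std::unique_ptr<Frame>>;

// Walks the object graph with one frame per open sub-object. On the normal
// path every frame is popped (and destroyed) before returning; the depth limit
// turns a circular object into an exception that unwinds with frames still on
// the stack, which is exactly the situation the ticket describes.
static void walk(const Node& node, Builder& builder, FrameStack& frames, std::size_t depthLimit) {
    if (frames.size() >= depthLimit)
        throw std::runtime_error("object nesting too deep; probably circular");
    frames.push_back(std::make_unique<Frame>(&builder, node.name));
    builder.append("{" + node.name);
    for (const Node* child : node.children) walk(*child, builder, frames, depthLimit);
    frames.pop_back();
}

// Buggy ordering from the ticket: 'frames' is declared before the builder, so
// the builder is destroyed first during unwinding and surviving frames dangle.
std::string toBSONBuggy(const Node& root, std::size_t depthLimit) {
    FrameStack frames;
    Builder builder;
    walk(root, builder, frames, depthLimit);
    return builder.buf;
}

// Fixed ordering: the builder is declared first, so it is destroyed last and
// outlives every frame even when an exception unwinds the function.
std::string toBSONFixed(const Node& root, std::size_t depthLimit) {
    Builder builder;
    FrameStack frames;
    walk(root, builder, frames, depthLimit);
    return builder.buf;
}

struct Result {
    bool threw = false;
    bool useAfterFree = false;
    std::string out;
};

// Runs one converter over a graph and reports whether any frame touched a
// dead builder (the condition valgrind flags on the real code).
Result run(std::string (*convert)(const Node&, std::size_t), const Node& root) {
    g_log.clear();
    Result r;
    try {
        r.out = convert(root, 16);
    } catch (const std::runtime_error&) {
        r.threw = true;
    }
    for (const std::string& line : g_log)
        if (line.rfind("use-after-free", 0) == 0) r.useAfterFree = true;
    return r;
}

int main() {
    Node leafB{"b", {}}, leafC{"c", {}};
    Node acyclic{"a", {&leafB, &leafC}};      // constructed: {a: {b: {}, c: {}}}
    Node circular{"x", {}};
    circular.children.push_back(&circular);   // constructed: x.x = x
    std::printf("acyclic/buggy:  %s\n", run(toBSONBuggy, acyclic).out.c_str());
    std::printf("circular/buggy: uaf=%d\n", run(toBSONBuggy, circular).useAfterFree);
    std::printf("circular/fixed: uaf=%d\n", run(toBSONFixed, circular).useAfterFree);
}
```

      The acyclic object converts cleanly with either ordering, because the loop pops every frame before the function returns. Only the exceptional exit exposes the ordering: with the buggy declaration order the log shows "builder destroyed" followed by sixteen dangling-frame reports, while with the builder declared first the sixteen frames close before the builder is destroyed.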

      Assignee: Andrew Morrow (Inactive)
      Reporter: Andrew Morrow (Inactive)