Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-21957

Circular JS objects cause use-after-free in ObjectWrapper::toBSON

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.2.13, 3.3.0
    • Component/s: JavaScript
    • Labels:
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v3.2
    • Steps To Reproduce:
      Hide

      Run the depth_limit.js script in a shell running under valgrind

      Show
      Run the depth_limit.js script in a shell running under valgrind
    • Sprint:
      Platforms 2017-03-27

      Description

      The BSONObjBuilder declared in ObjectWrapper::toBSON needs to remain in scope until after all of the WriteFieldRecursionFrame objects in the 'frames' LifetimeStack are destroyed, because each frame, when destroyed, may write to memory owned by the BSONObjBuilder.

      Unfortunately, the BSONObjBuilder is declared after the frames object. So, normal object destruction sequencing means that the BSONObjBuilder will be destroyed before the frames, leading to a use after free.

      Note that during normal processing, this won't happen, as the loop that comprises the primary body of the function pops (and destroys) all frames before leaving the function. In that case, any frames that had referenced the BSONObjBuilder have already been destroyed.

      However, if the function is exited via an exception, as would happen if the object being walked was circular, then the frames have not all been popped, and the incorrect object sequencing will result in a use-after-free.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: