- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Service Arch
- Fully Compatible
- ALL
- Service Arch 2023-06-12
Hi,
I found a crash input using the op_msg_fuzzer. The POC (base64 form) is:
/8sAAJmZltPUBwAAJG9vCG9vb29vb29vb29v////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9vbzlvb29vb29vb29v729vb29vusU7gwAAAAAA3QcAAAH//0QkBgA=
To reproduce:
    cat poc_base64 | base64 -d > poc
    ./op_msg_fuzzer ./poc
Tested on Ubuntu 22.04
I have a question about the harness. In `op_msg_fuzzer_fixture.cpp`, the harness creates a `Msg` from the fuzzer-provided buffer:
    int new_size = Size + sizeof(int);           // messageLength = fuzzer input size + 4-byte length prefix
    auto sb = SharedBuffer::allocate(new_size);
    memcpy(sb.get(), &new_size, sizeof(int));    // write the length prefix
    memcpy(sb.get() + sizeof(int), Data, Size);  // append the raw fuzzer bytes unchanged
    Message msg(std::move(sb));
It seems such a message is not always valid (it cannot be sent to the server from the client), so it might be a false crash? If so, is there any way to filter out such false crashes? If not, should I report all the crashes I find using the harness? I would like to contribute to improving the correctness and security of MongoDB. Looking forward to hearing back from you.
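To make the framing concrete, here is an added Python example (not code from the report or from the MongoDB harness) that mirrors the fixture's length-prefixing and then runs the header-level checks a server applies before dispatching a message (length consistency and range, known opCode). It assumes the standard MongoDB wire-protocol header layout and the documented 48 MB MaxMessageSizeBytes; the sample data is the first 16 bytes of the POC above plus constructed filler, and passing these checks does not by itself prove a message is valid.

```python
import struct

# Wire-protocol constants from the MongoDB documentation.
HEADER_LEN = 16                 # messageLength, requestID, responseTo, opCode (int32 each, little-endian)
MAX_MESSAGE_SIZE = 48_000_000   # MaxMessageSizeBytes enforced by mongod
KNOWN_OPCODES = {1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
                 2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
                 2012: "OP_COMPRESSED", 2013: "OP_MSG"}


def wrap_like_harness(data: bytes) -> bytes:
    """Mirror op_msg_fuzzer_fixture.cpp: prepend int32 (Size + 4) as messageLength."""
    return struct.pack("<i", len(data) + 4) + data


def parse_header(msg: bytes) -> dict:
    """Split the 16-byte MsgHeader; raises ValueError when the buffer is too short."""
    if len(msg) < HEADER_LEN:
        raise ValueError(f"message has {len(msg)} bytes, header needs {HEADER_LEN}")
    length, request_id, response_to, op_code = struct.unpack_from("<iiii", msg, 0)
    return {"messageLength": length, "requestID": request_id,
            "responseTo": response_to, "opCode": op_code}


def triage(msg: bytes) -> list[str]:
    """Header-level reasons a server would reject the message before dispatch (empty = passes)."""
    try:
        hdr = parse_header(msg)
    except ValueError as e:
        return [str(e)]
    problems = []
    if hdr["messageLength"] != len(msg):
        problems.append("length mismatch")
    if not HEADER_LEN <= hdr["messageLength"] <= MAX_MESSAGE_SIZE:
        problems.append("length out of range")
    if hdr["opCode"] not in KNOWN_OPCODES:
        problems.append("unknown opCode")
    return problems


# Constructed sample: first 16 bytes of the POC above, followed by filler bytes.
POC_PREFIX = bytes.fromhex("ffcb0000" "999996d3" "d4070000" "246f6f08")
SAMPLE_DATA = POC_PREFIX + b"o" * 16

if __name__ == "__main__":
    framed = wrap_like_harness(SAMPLE_DATA)
    hdr = parse_header(framed)
    print(hdr, KNOWN_OPCODES.get(hdr["opCode"], "unknown"), triage(framed))
```

Decoding the POC this way shows that the harness-framed message carries opCode 2004 (OP_QUERY), so the fuzzer input is not restricted to OP_MSG payloads.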