Details
Type: Bug
Resolution: Fixed
Priority: Major - P3
None
None
None
Component/s: Service Arch
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Service Arch 2023-06-12
Description
Hi,
I found a crash input using the op_msg_fuzzer. The POC (base64 form) is:
To reproduce:
    cat poc_base64 | base64 -d > poc
    ./op_msg_fuzzer ./poc
Tested on Ubuntu 22.04
I have a question about the harness. In `op_msg_fuzzer_fixture.cpp`, the harness creates a `Msg` from the fuzzer-provided buffer:
    // total wire size: 4-byte length prefix followed by the raw fuzzer bytes
    int new_size = Size + sizeof(int);
    auto sb = SharedBuffer::allocate(new_size);
    // write the length prefix, then copy the fuzzer data right after it
    memcpy(sb.get(), &new_size, sizeof(int));
    memcpy(sb.get() + sizeof(int), Data, Size);
    Message msg(std::move(sb));
It seems such a message is not always valid (cannot be sent to the server from the client), so it might be a false crash? If so, is there any way to filter out such false crashes? If not, should I report all the crashes I find using the harness? I would like to contribute to improving the correctness and security of MongoDB. Looking forward to hearing back from you.
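As an added illustration (not code from this report or from the MongoDB harness), the wrapping step quoted above in runnable form, followed by a hypothetical header sanity check that could be used to triage fuzzer inputs before deciding whether a crash is worth reporting. It assumes the standard MongoDB MsgHeader layout (messageLength, requestID, responseTo, opCode as little-endian int32) and the OP_MSG opcode value 2013; the filter itself is my own suggestion, not something the harness does.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Mirrors the harness snippet: prefix the raw fuzzer bytes with a 4-byte
// length so the buffer has the shape of a wire-protocol message.
// Assumption: the length is written in host byte order, as in the snippet
// (MongoDB headers are little-endian, so this matches on LE hosts).
std::vector<uint8_t> wrapFuzzInput(const uint8_t* data, size_t size) {
    const int32_t newSize = static_cast<int32_t>(size + sizeof(int32_t));
    std::vector<uint8_t> buf(static_cast<size_t>(newSize));
    std::memcpy(buf.data(), &newSize, sizeof(int32_t));
    std::memcpy(buf.data() + sizeof(int32_t), data, size);
    return buf;
}

// Read a little-endian int32 at `off`; caller guarantees off + 4 <= size.
static int32_t readLE32(const std::vector<uint8_t>& b, size_t off) {
    uint32_t v = static_cast<uint32_t>(b[off])
               | (static_cast<uint32_t>(b[off + 1]) << 8)
               | (static_cast<uint32_t>(b[off + 2]) << 16)
               | (static_cast<uint32_t>(b[off + 3]) << 24);
    return static_cast<int32_t>(v);
}

// Hypothetical pre-filter (assumption, not part of the harness): reject
// buffers whose 16-byte MsgHeader cannot belong to a well-formed OP_MSG.
// Assumed layout: messageLength @0, requestID @4, responseTo @8, opCode @12.
bool headerLooksValid(const std::vector<uint8_t>& buf) {
    constexpr size_t kHeaderLen = 16;
    constexpr int32_t kOpMsg = 2013;  // OP_MSG opcode in the wire protocol
    if (buf.size() < kHeaderLen) return false;
    // the prefix written by wrapFuzzInput must describe the whole buffer
    if (readLE32(buf, 0) != static_cast<int32_t>(buf.size())) return false;
    // bytes 8..11 of the fuzzer data land at offset 12: the opCode field
    return readLE32(buf, 12) == kOpMsg;
}
```

Inputs rejected by the filter are still worth keeping in the corpus; the check only separates "malformed header" crashes from those a client could actually send.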