Core Server: SERVER-83952

Fix fuzzer failures for BSONColumn validation

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 7.3.0-rc0, 7.0.5, 6.0.15
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v7.0, v6.0
    • Sprint: Execution Team 2023-12-11, Execution Team 2023-12-25

      Henrik's new fuzzer for BSONColumn validation showed two new failures; these need to be fixed before backporting the BSONColumn validator.


      ==1960==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003af2 at pc 0x7f99ca113de8 bp 0x7fffd46def20 sp 0x7fffd46def18
      READ of size 4 at 0x602000003af2 thread T0
          #0 0x7f99ca113de7 in mongo::DataType::Handler<int, void>::unsafeLoad(int*, char const*, unsigned long*) /mnt/d/mongo/src/mongo/base/data_type.h:67:17
          #1 0x7f99ca113de7 in void mongo::DataType::unsafeLoad<int>(int*, char const*, unsigned long*) /mnt/d/mongo/src/mongo/base/data_type.h:147:9
          #2 0x7f99ca113de7 in mongo::DataType::Handler<mongo::LittleEndian<int>, void>::unsafeLoad(mongo::LittleEndian<int>*, char const*, unsigned long*) /mnt/d/mongo/src/mongo/base/data_type_endian.h:90:13
          #3 0x7f99ca11385c in void mongo::DataType::unsafeLoad<mongo::LittleEndian<int> >(mongo::LittleEndian<int>*, char const*, unsigned long*) /mnt/d/mongo/src/mongo/base/data_type.h:147:9
          #4 0x7f99ca11385c in mongo::ConstDataView const& mongo::ConstDataView::readInto<mongo::LittleEndian<int> >(mongo::LittleEndian<int>*, long) const /mnt/d/mongo/src/mongo/base/data_view.h:53:9
          #5 0x7f99ca488bf1 in mongo::LittleEndian<int> mongo::ConstDataView::read<mongo::LittleEndian<int> >(long) const /mnt/d/mongo/src/mongo/base/data_view.h:62:9
          #6 0x7f99ca488bf1 in mongo::BSONElement::computeSize(signed char, char const*, int, int) /mnt/d/mongo/src/mongo/bson/bsonelement.cpp:740:57
          #7 0x7f99ca109d0c in mongo::(anonymous namespace)::ValidateBuffer<false, mongo::(anonymous namespace)::DefaultValidator>::validateAndMeasureElem() /mnt/d/mongo/src/mongo/bson/bson_validate.cpp:451:20
          #8 0x7f99ca109d0c in mongo::(anonymous namespace)::ColumnValidator::doValidateBSONColumn(char const*, int, mongo::BSONValidateModeEnum) /mnt/d/mongo/src/mongo/bson/bson_validate.cpp:745:37
          #9 0x7f99ca10c9fd in mongo::validateBSONColumn(char const*, int, mongo::BSONValidateModeEnum) /mnt/d/mongo/src/mongo/bson/bson_validate.cpp:825:12
          #10 0x7f99ca10c9fd in LLVMFuzzerTestOneInput /mnt/d/mongo/src/mongo/bson/util/bsoncolumnbuilder_reopen_fuzzer.cpp:47:14
          #11 0x7f99ca037d01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
          #12 0x7f99ca03711d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
          #13 0x7f99ca038d6a in fuzzer::Fuzzer::MutateAndTestOne() /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19
          #14 0x7f99ca0398f5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
          #15 0x7f99ca027444 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
          #16 0x7f99ca051632 in main /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
          #17 0x7f99c6fa70b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
          #18 0x7f99ca01b83d in _start (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x28ca83d) 
      terminate called after throwing an instance of 'mongo::error_details::throwExceptionForStatus(mongo::Status const&)::NonspecificAssertionException'
        what():  BSONElement: bad type 25 @ 0x602000000af0
      AddressSanitizer:DEADLYSIGNAL
      =================================================================
      ==1954==ERROR: AddressSanitizer: ABRT on unknown address 0x03e8000007a2 (pc 0x7fdbcc6f618b bp 0x60400002ef90 sp 0x7fffc09cd6f0 T0)
          #0 0x7fdbcc6f618b in raise /build/glibc-ZN95T4/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
          #1 0x7fdbcc6d5858 in abort /build/glibc-ZN95T4/glibc-2.31/stdlib/abort.c:79:7
          #2 0x7fdbd079c370 in __gnu_cxx::__verbose_terminate_handler() (.cold) (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x3925370)
          #3 0x7fdbd079abc9 in __cxxabiv1::__terminate(void (*)()) (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x3923bc9)
          #4 0x7fdbd079ac34 in std::terminate() (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x3923c34)
          #5 0x7fdbcf82b69a in __clang_call_terminate (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x29b469a)
          #6 0x7fdbcf8320d4 in mongo::(anonymous namespace)::ColumnValidator::doValidateBSONColumn(char const*, int, mongo::BSONValidateModeEnum) /mnt/d/mongo/src/mongo/bson/bson_validate.cpp
          #7 0x7fdbcf8329fd in mongo::validateBSONColumn(char const*, int, mongo::BSONValidateModeEnum) /mnt/d/mongo/src/mongo/bson/bson_validate.cpp:825:12
          #8 0x7fdbcf8329fd in LLVMFuzzerTestOneInput /mnt/d/mongo/src/mongo/bson/util/bsoncolumnbuilder_reopen_fuzzer.cpp:47:14
          #9 0x7fdbcf75dd01 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
          #10 0x7fdbcf75d11d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
          #11 0x7fdbcf75ed6a in fuzzer::Fuzzer::MutateAndTestOne() /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19
          #12 0x7fdbcf75f8f5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
          #13 0x7fdbcf74d444 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
          #14 0x7fdbcf777632 in main /data/mci/55d12b474ed7aa92a28123b16653600f/toolchain-builder/tmp/build-llvm-v4.sh-zf2/llvm-project-llvmorg/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
          #15 0x7fdbcc6d70b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
          #16 0x7fdbcf74183d in _start (/mnt/d/mongo/build/install/bin/bsoncolumnbuilder_reopen_fuzzer+0x28ca83d) 

            Assignee: Binh Vo (binh.vo@mongodb.com)
            Reporter: Binh Vo (binh.vo@mongodb.com)
            Votes: 0
            Watchers: 3
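The two traces above are two distinct failure classes: in the first, computeSize performs a 4-byte little-endian length read past the end of the heap buffer while validateAndMeasureElem is measuring an element; in the second, an exception for an unknown type byte (25) escapes doValidateBSONColumn and reaches std::terminate, which aborts the fuzzer process. As an added example that is not part of this ticket and not MongoDB's code, the C++ below walks a tiny BSON subset with every read bounds-checked against the remaining length and every malformed case returned as a status instead of thrown. The function names (measureElem, validateElements, validateVec, fuzzOneInput), the handful of type bytes handled, and the sample inputs are all assumptions made for this illustration.

```cpp
// Added illustration, not MongoDB code: a bounds-checked element measurer and a
// non-throwing validation loop over a tiny BSON subset. All names here
// (measureElem, validateElements, validateVec, fuzzOneInput) are assumed.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class ValidateStatus { Ok, Truncated, BadType, UnterminatedName, BadString };

struct ElemSize {
    ValidateStatus status;
    size_t size;  // type byte + name + value, valid only when status == Ok
};

// Load a little-endian int32 only when 4 bytes actually remain. Reading the
// length field without this check is the 4-byte READ past the heap buffer
// reported in the first sanitizer trace.
static bool readInt32LE(const uint8_t* p, size_t remaining, int32_t* out) {
    if (remaining < 4) return false;
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *out = (int32_t)v;
    return true;
}

// Measure one element: type byte, NUL-terminated name, then a value whose
// length depends on the type. Subset handled: 0x01 double, 0x02 string,
// 0x08 bool, 0x0A null, 0x10 int32, 0x12 int64. An unknown type byte is
// returned as a status rather than thrown, so it can never reach terminate().
ElemSize measureElem(const uint8_t* buf, size_t remaining) {
    if (remaining < 1) return {ValidateStatus::Truncated, 0};
    const uint8_t type = buf[0];
    const void* nul = memchr(buf + 1, 0, remaining - 1);
    if (!nul) return {ValidateStatus::UnterminatedName, 0};
    const size_t valueOff = static_cast<const uint8_t*>(nul) - buf + 1;
    const size_t left = remaining - valueOff;
    size_t valueLen = 0;
    switch (type) {
        case 0x0A: valueLen = 0; break;
        case 0x08: valueLen = 1; break;
        case 0x10: valueLen = 4; break;
        case 0x01:
        case 0x12: valueLen = 8; break;
        case 0x02: {
            int32_t strLen = 0;
            if (!readInt32LE(buf + valueOff, left, &strLen)) return {ValidateStatus::Truncated, 0};
            if (strLen < 1) return {ValidateStatus::BadString, 0};  // must hold the NUL
            valueLen = 4 + static_cast<size_t>(strLen);
            break;
        }
        default: return {ValidateStatus::BadType, 0};
    }
    if (valueLen > left) return {ValidateStatus::Truncated, 0};
    if (type == 0x02 && buf[valueOff + valueLen - 1] != 0) return {ValidateStatus::BadString, 0};
    return {ValidateStatus::Ok, valueOff + valueLen};
}

// Walk consecutive elements until the buffer is exhausted. Every failure is
// a return value; nothing propagates as a C++ exception out of the validator.
ValidateStatus validateElements(const uint8_t* buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        const ElemSize e = measureElem(buf + off, len - off);
        if (e.status != ValidateStatus::Ok) return e.status;
        off += e.size;
    }
    return ValidateStatus::Ok;
}

ValidateStatus validateVec(const std::vector<uint8_t>& v) {
    return validateElements(v.data(), v.size());
}

// Same shape as a libFuzzer LLVMFuzzerTestOneInput: the harness returns for
// every input, so only a sanitizer report or an escaping exception can turn
// a malformed input into a crash.
int fuzzOneInput(const uint8_t* data, size_t size) {
    validateElements(data, size);
    return 0;
}

// Constructed inputs for this example (not fuzzer corpus files).
std::vector<uint8_t> sampleGood() {            // int32 a=7, string b="hi"
    return {0x10, 'a', 0, 7, 0, 0, 0, 0x02, 'b', 0, 3, 0, 0, 0, 'h', 'i', 0};
}
std::vector<uint8_t> sampleTruncatedLength() { // string length field cut short
    return {0x02, 'b', 0, 3, 0};
}
std::vector<uint8_t> sampleBadType() {         // 25 (0x19) is not a BSON type
    return {0x19, 'c', 0, 1, 2, 3, 4};
}
```

The design point is that both failure classes in the ticket become ordinary return values: sampleTruncatedLength stops at the `readInt32LE` check instead of loading four bytes from two, and sampleBadType yields BadType instead of an exception that the harness has no handler for. In a libFuzzer build the body of fuzzOneInput would sit inside LLVMFuzzerTestOneInput; because that entry point always returns 0, a crash can only come from a sanitizer finding or from an exception leaving the validator, which is exactly how the two traces above end.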
