[CDRIVER-1351] libbson aborts or segfaults on invalid base64 $binary data Created: 01/Jul/16  Updated: 10/Aug/16  Resolved: 28/Jul/16

Status: Closed
Project: C Driver
Component/s: libbson
Affects Version/s: None
Fix Version/s: 1.4.0

Type: Bug Priority: Major - P3
Reporter: Shane Harvey Assignee: Shane Harvey
Resolution: Done Votes: 0
Labels: intern2016
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible

Description

When given invalid "$binary" data libbson will crash with either an explicit abort or a segmentation fault.

An abort is caused when the first binary type parsed is invalid.

 #include <assert.h>
 #include <bson.h>

 static void
 test_bson_json_read_corrupt_binary (void)
 {
    bson_error_t error;
    /* "invalid" is seven characters long, so it cannot be well-formed base64. */
    const char *json = "{ "
        " \"a\" : { \"$numberLong\" : \"1\" },"
        " \"invalid\" : { \"$binary\" : \"invalid\", \"$type\" : \"80\" } }";
    bson_t b;
    bool r;
 
    // This will abort "src/bson/bson.c:789 bson_append_binary(): precondition failed: binary"
    r = bson_init_from_json (&b, json, -1, &error);
    assert (!r);
 
    bson_destroy (&b);
 }

Abort stack trace:

➜  libbson git:(master) ✗ .libs/test-libbson -l /bson/json/read/corrupt_binary --no-fork
{
  "host": {
    "sysname": "Darwin",
    "release": "15.5.0",
    "machine": "x86_64",
    "memory": {
      "pagesize": 4096,
      "npages": 4194304
    }
  },
  "options": {
    "parallel": false,
    "fork": false
  },
  "results": [
src/bson/bson.c:789 bson_append_binary(): precondition failed: binary
[1]    58981 abort (core dumped)  .libs/test-libbson -l /bson/json/read/corrupt_binary --no-fork
➜  libbson git:(master) ✗ lldb -c /cores/core.58981 .libs/test-libbson
(lldb) target create ".libs/test-libbson" --core "/cores/core.58981"
warning: (x86_64) /cores/core.58981 load command 64 LC_SEGMENT_64 has a fileoff + filesize (0x269b3000) that extends beyond the end of the file (0x269b2000), the segment will be truncated to match
warning: (x86_64) /cores/core.58981 load command 65 LC_SEGMENT_64 has a fileoff (0x269b3000) that extends beyond the end of the file (0x269b2000), ignoring this section
Core file '/cores/core.58981' (x86_64) was loaded.
(lldb) bt
* thread #1: tid = 0x0000, 0x00007fff8e1b3f06 libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGSTOP
  * frame #0: 0x00007fff8e1b3f06 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff8bf0c4ec libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff8e3a56e7 libsystem_c.dylib`abort + 129
    frame #3: 0x0000000105107814 libbson-1.0.0.dylib`bson_append_binary + 468
    frame #4: 0x000000010511243c libbson-1.0.0.dylib`_bson_json_read_end_map + 1244
    frame #5: 0x000000010511b0b6 libbson-1.0.0.dylib`yajl_do_parse + 1574
    frame #6: 0x0000000105110358 libbson-1.0.0.dylib`bson_json_reader_read + 360
    frame #7: 0x0000000105110993 libbson-1.0.0.dylib`bson_init_from_json + 227
    frame #8: 0x00000001050d32d1 test-libbson`test_bson_json_read_corrupt_binary + 65
    frame #9: 0x00000001050c1a4a test-libbson`TestSuite_RunTest + 426
    frame #10: 0x00000001050c1375 test-libbson`TestSuite_Run + 341
    frame #11: 0x00000001050c1f68 test-libbson`main + 200
    frame #12: 0x00007fff889725ad libdyld.dylib`start + 1

A segfault is caused when a valid binary object is parsed before the invalid one.

 static void
 test_bson_json_read_corrupt_binary2 (void)
 {
    bson_error_t error;
    /* "YXNkZmFz" is valid base64 ("asdfas"); the second value is not. */
    const char *json = "{ "
        " \"valid\" : { \"$binary\" : \"YXNkZmFz\", \"$type\" : \"80\" },"
        " \"invalid\" : { \"$binary\" : \"invalid\", \"$type\" : \"80\" } }";
    bson_t b;
    bool r;
 
    // This causes a segmentation fault
    r = bson_init_from_json (&b, json, -1, &error);
    assert (!r);
 
    bson_destroy (&b);
 }

Segfault stack trace:

➜  libbson git:(master) ✗ .libs/test-libbson -l /bson/json/read/corrupt_binary2 --no-fork
{
  "host": {
    "sysname": "Darwin",
    "release": "15.5.0",
    "machine": "x86_64",
    "memory": {
      "pagesize": 4096,
      "npages": 4194304
    }
  },
  "options": {
    "parallel": false,
    "fork": false
  },
  "results": [
[1]    59011 segmentation fault (core dumped)  .libs/test-libbson -l /bson/json/read/corrupt_binary2 --no-fork
➜  libbson git:(master) ✗ lldb -c /cores/core.59011 .libs/test-libbson
(lldb) target create ".libs/test-libbson" --core "/cores/core.59011"
warning: (x86_64) /cores/core.59011 load command 63 LC_SEGMENT_64 has a fileoff + filesize (0x268b3000) that extends beyond the end of the file (0x268b2000), the segment will be truncated to match
warning: (x86_64) /cores/core.59011 load command 64 LC_SEGMENT_64 has a fileoff (0x268b3000) that extends beyond the end of the file (0x268b2000), ignoring this section
Core file '/cores/core.59011' (x86_64) was loaded.
(lldb) bt
* thread #1: tid = 0x0000, 0x00007fff9627df49 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 41, stop reason = signal SIGSTOP
  * frame #0: 0x00007fff9627df49 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 41
    frame #1: 0x000000010c7914dd libbson-1.0.0.dylib`_bson_append + 429
    frame #2: 0x000000010c791774 libbson-1.0.0.dylib`bson_append_binary + 308
    frame #3: 0x000000010c79c43c libbson-1.0.0.dylib`_bson_json_read_end_map + 1244
    frame #4: 0x000000010c7a50b6 libbson-1.0.0.dylib`yajl_do_parse + 1574
    frame #5: 0x000000010c79a358 libbson-1.0.0.dylib`bson_json_reader_read + 360
    frame #6: 0x000000010c79a993 libbson-1.0.0.dylib`bson_init_from_json + 227
    frame #7: 0x000000010c759361 test-libbson`test_bson_json_read_corrupt_binary2 + 65
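Both traces end in bson_append_binary(), which is reached with a buffer that the failed base64 decode never produced (a NULL pointer that trips the precondition in the first case, a stale pointer from the previous valid value in the second). The robust shape of a fix is to validate and decode the "$binary" payload completely before anything is appended, and to turn a malformed payload into an error return rather than a crash. The following strict decoder is an added illustration of that principle and is not libbson's code or its actual fix; strict_base64_decode and checked_binary_payload are hypothetical names, and the sample inputs (including the "invalid" and "YXNkZmFz" strings from the report) are used only to exercise the validation paths.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is
 * not in the alphabet ('=' padding is handled by the caller). */
static int b64_value (char c)
{
   if (c >= 'A' && c <= 'Z') return c - 'A';
   if (c >= 'a' && c <= 'z') return c - 'a' + 26;
   if (c >= '0' && c <= '9') return c - '0' + 52;
   if (c == '+') return 62;
   if (c == '/') return 63;
   return -1;
}

/* Strict RFC 4648 decoder (hypothetical helper). Returns the number of bytes
 * written to out, or -1 if the input is malformed (length not a multiple of
 * 4, characters outside the alphabet, misplaced padding) or does not fit in
 * out_cap. It validates each 4-character quantum before emitting its bytes
 * and never aborts; "invalid" (7 characters) is rejected by the length test. */
static long strict_base64_decode (const char *in, size_t in_len,
                                  uint8_t *out, size_t out_cap)
{
   size_t out_len = 0;

   if (in_len % 4 != 0) {
      return -1;
   }
   for (size_t i = 0; i < in_len; i += 4) {
      int v[4];
      int pad = 0;
      for (int j = 0; j < 4; j++) {
         char c = in[i + j];
         if (c == '=') {
            /* '=' is only legal in the last one or two positions of the
             * final quantum. */
            if (i + 4 != in_len || j < 2) return -1;
            v[j] = 0;
            pad++;
         } else {
            if (pad) return -1; /* data after padding */
            v[j] = b64_value (c);
            if (v[j] < 0) return -1;
         }
      }
      uint32_t triple = ((uint32_t) v[0] << 18) | ((uint32_t) v[1] << 12) |
                        ((uint32_t) v[2] << 6) | (uint32_t) v[3];
      int n = 3 - pad;
      if (out_len + (size_t) n > out_cap) return -1;
      out[out_len++] = (uint8_t) (triple >> 16);
      if (n > 1) out[out_len++] = (uint8_t) (triple >> 8);
      if (n > 2) out[out_len++] = (uint8_t) triple;
   }
   return (long) out_len;
}

/* Hypothetical guard for a JSON reader: decode the "$binary" payload first
 * and report failure to the caller as a return value. Only a successful
 * decode should ever reach the append step that requires a real buffer.
 * Returns the decoded length, or -1 for malformed input. */
static long checked_binary_payload (const char *b64)
{
   uint8_t buf[256];
   return strict_base64_decode (b64, strlen (b64), buf, sizeof buf);
}

/* Test helper: 1 if b64 decodes to exactly the bytes of expected, else 0. */
static int decodes_to (const char *b64, const char *expected)
{
   uint8_t buf[256];
   long n = strict_base64_decode (b64, strlen (b64), buf, sizeof buf);
   return n >= 0 && (size_t) n == strlen (expected) &&
          memcmp (buf, expected, (size_t) n) == 0;
}

int main (void)
{
   /* Constructed sample payloads: valid, the report's "invalid", padded,
    * data after padding, and a character outside the alphabet. */
   const char *inputs[] = { "YXNkZmFz", "invalid", "YQ==", "YQ=A", "YW$z" };
   for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
      long n = checked_binary_payload (inputs[i]);
      if (n >= 0) {
         printf ("%-10s -> %ld byte(s)\n", inputs[i], n);
      } else {
         printf ("%-10s -> rejected (malformed base64)\n", inputs[i]);
      }
   }
   return 0;
}
```

Rejecting on length before touching any quantum is what keeps the second repro from reaching the append path with a buffer left over from the earlier valid value: the reader can only observe a decoded buffer once the whole payload has been accepted.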



Comments
Comment by Githook User [ 27/Jul/16 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@emptysquare.net'}

Message: Merge pull request #172 from ShaneHarvey/CDRIVER-1351

CDRIVER-1351 Handle parsing invalid base64 in $binary
Branch: master
https://github.com/mongodb/libbson/commit/8296c47942bcbf68c7a09904f0db8f05cdcda940

Comment by Githook User [ 27/Jul/16 ]

Author:

{u'username': u'ShaneHarvey', u'name': u'Shane Harvey', u'email': u'shane.harvey@mongodb.com'}

Message: CDRIVER-1351 Handle parsing invalid base64 in $binary
Branch: master
https://github.com/mongodb/libbson/commit/297b3333fef0188581ac1e73e988537022fef513

Generated at Wed Feb 07 21:12:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.