[CDRIVER-2693] Segfault in bson_b64_pton parsing valid BSON Created: 09/Jun/18  Updated: 28/Oct/23  Resolved: 12/Jun/18

Status: Closed
Project: C Driver
Component/s: libbson
Affects Version/s: 1.10.2
Fix Version/s: 1.10.3

Type: Bug Priority: Major - P3
Reporter: Dan Bauman Assignee: A. Jesse Jiryu Davis
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:
CentOS 7
cmake3

Attachments: Text File 000-initialize-b64rmap.patch
Issue Links:
Depends
is depended on by SERVER-35672 Include BSON 1.10.3 in embedded SDK Closed
Problem/Incident
causes CDRIVER-2695 Share threading config checks between... Closed
is caused by CDRIVER-2429 Factor libbson and libmongoc base64 code Closed
Related
related to CDRIVER-2688 Crash from swift driver calling bson_... Closed

Description

Installed via:

cmake3 -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF -DENABLE_BSON=ONLY -DCMAKE_BUILD_TYPE=Debug .
cd src/libbson
make
make install

Reproducer:

#include <stdio.h>
#include <bson.h>

static void
test_binary (void)
{
   bson_t *b, *c;
   char *str;
   size_t len;
   bson_error_t e;
   const uint8_t binary[] = {0, 1, 2, 3, 4};

   /* Build a document with one binary field and render it as JSON. */
   b = bson_new ();
   BSON_ASSERT (bson_append_binary (
      b, "binary", -1, BSON_SUBTYPE_BINARY, binary, sizeof binary));
   str = bson_as_json (b, &len);
   /* str = "{ \"binary\" : { \"$binary\" : \"AAECAwQ=\", \"$type\" : \"00\" } }" */

   /* Parsing the JSON back decodes the $binary value with bson_b64_pton;
    * this is the call that crashes. */
   c = bson_new_from_json ((const uint8_t *) str, len, &e);
   printf ("%s\n", str);

   if (c) {
      bson_destroy (c);
   }
   bson_free (str);
   bson_destroy (b);
}

int
main (int argc, char *argv[])
{
   test_binary ();
   return 0;
}

Call chain: bson_new_from_json -> bson_json_reader_read -> jsonsl_feed -> bson_b64_pton

Segfaults on the line:

c = bson_new_from_json(str, len, &e);


Comments
Comment by Githook User [ 12/Jun/18 ]

Author:

{'username': 'ajdavis', 'name': 'A. Jesse Jiryu Davis', 'email': 'jesse@mongodb.com'}

Message: CDRIVER-2693 segfault in bson_b64_pton

The function relies on data that is initialized by mongoc_init, but a
libbson-only application never calls mongoc_init. Use pthread_once to
initialize the data on demand instead.
Branch: r1.10
https://github.com/mongodb/mongo-c-driver/commit/7fc3903846fd110e823d971c5f96a148fd3cdf1c

Comment by Githook User [ 12/Jun/18 ]

Author:

{'username': 'ajdavis', 'name': 'A. Jesse Jiryu Davis', 'email': 'jesse@mongodb.com'}

Message: CDRIVER-2693 segfault in bson_b64_pton

The function relies on data that is initialized by mongoc_init, but a
libbson-only application never calls mongoc_init. Use pthread_once to
initialize the data on demand instead.

Conflicts:
	NEWS
Branch: r1.10
https://github.com/mongodb/mongo-c-driver/commit/8a1e7fd5ce751a1be35bb27531321e79450fc2e1

Comment by A. Jesse Jiryu Davis [ 12/Jun/18 ]

Needs backport to 1.10.3.

Comment by A. Jesse Jiryu Davis [ 11/Jun/18 ]

A kind of primitive global static bool "b64rmap_initialized" saved the libbson version from this; the libmongoc version had no such check whether the map was initialized, and when we merged the repos we took libmongoc's version.

Comment by Githook User [ 11/Jun/18 ]

Author:

{'username': 'ajdavis', 'name': 'A. Jesse Jiryu Davis', 'email': 'jesse@mongodb.com'}

Message: CDRIVER-2693 segfault in bson_b64_pton

The function relies on data that is initialized by mongoc_init, but a
libbson-only application never calls mongoc_init. Use pthread_once to
initialize the data on demand instead.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/2e68e612ca38a6be540bc7ddaca420f788c78f9f

Comment by A. Jesse Jiryu Davis [ 09/Jun/18 ]

Thanks Dan, that's a useful investigation. We need to guard initialization of the map with more than just a global boolean, as you realize. bson_context_get_default() has a good example of the technique:

bson_context_t *
bson_context_get_default (void)
{
   static bson_once_t once = BSON_ONCE_INIT;

   bson_once (&once, _bson_context_init_default);

   return &gContextDefault;
}

The function "bson_once" is defined as InitOnceExecuteOnce on Windows and pthread_once everywhere else.
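
The once-guarded initialization described in this comment, applied to a base64 reverse map, as an added example (not libbson's or the driver's code). It uses pthread_once directly rather than the bson_once wrapper, and the names b64rmap, b64rmap_init, b64_decode, sample_decodes_correctly and decode_from_threads are assumptions made for the example. The point it shows is that no caller needs an explicit init function: the first decode from any thread initializes the map exactly once, and concurrent first calls do not race.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libbson's base64 reverse map (constructed for this
 * example): ASCII byte -> 6-bit value, B64_INVALID for bytes outside the alphabet. */
#define B64_INVALID 0xFF
static uint8_t b64rmap[256];
static pthread_once_t b64rmap_once = PTHREAD_ONCE_INIT;

/* Runs exactly once, no matter how many threads race into the first decode. */
static void
b64rmap_init (void)
{
   static const char alphabet[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
   memset (b64rmap, B64_INVALID, sizeof b64rmap);
   for (size_t i = 0; i < 64; i++) {
      b64rmap[(unsigned char) alphabet[i]] = (uint8_t) i;
   }
}

/* Decode a NUL-terminated base64 string into dst. Returns the number of bytes
 * written, or -1 for malformed input or an undersized dst. */
int
b64_decode (const char *src, uint8_t *dst, size_t dst_size)
{
   /* Lazy, thread-safe initialization: the caller never has to know that an
    * init step exists, which is what a libbson-only application lacked. */
   pthread_once (&b64rmap_once, b64rmap_init);

   size_t in_len = strlen (src);
   if (in_len % 4 != 0) {
      return -1;
   }
   size_t out = 0;
   uint32_t acc = 0; /* bit accumulator; at most 14 bits are live */
   int bits = 0;
   int pad = 0;
   for (size_t i = 0; i < in_len; i++) {
      unsigned char ch = (unsigned char) src[i];
      if (ch == '=') {
         pad++;
         continue;
      }
      if (pad) {
         return -1; /* data after padding */
      }
      uint8_t v = b64rmap[ch];
      if (v == B64_INVALID) {
         return -1;
      }
      acc = ((acc << 6) | v) & 0x3FFF;
      bits += 6;
      if (bits >= 8) {
         bits -= 8;
         if (out >= dst_size) {
            return -1;
         }
         dst[out++] = (uint8_t) ((acc >> bits) & 0xFF);
      }
   }
   return pad > 2 ? -1 : (int) out;
}

/* Decode the sample value from the ticket ("AAECAwQ=" is bytes 0..4);
 * returns 1 when the result matches, 0 otherwise. */
int
sample_decodes_correctly (void)
{
   static const uint8_t expected[] = {0, 1, 2, 3, 4};
   uint8_t buf[8];
   int n = b64_decode ("AAECAwQ=", buf, sizeof buf);
   return n == 5 && memcmp (buf, expected, 5) == 0;
}

static void *
decode_worker (void *arg)
{
   *(int *) arg = sample_decodes_correctly ();
   return NULL;
}

/* Start n threads (1..16) that all decode concurrently without any prior init
 * call; returns how many got the right answer, which should equal n. */
int
decode_from_threads (int n)
{
   pthread_t tid[16];
   int ok[16] = {0};
   if (n < 1 || n > 16) {
      return -1;
   }
   for (int i = 0; i < n; i++) {
      pthread_create (&tid[i], NULL, decode_worker, &ok[i]);
   }
   int good = 0;
   for (int i = 0; i < n; i++) {
      pthread_join (tid[i], NULL);
      good += ok[i];
   }
   return good;
}

int
main (void)
{
   printf ("%d of 8 threads decoded correctly\n", decode_from_threads (8));
   return 0;
}
```

A plain global boolean guard would let two threads both see "not initialized" and one of them read the map while the other is still filling it; pthread_once blocks the second caller until the first caller's init routine has returned, so every reader observes a fully built table.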

Comment by Dan Bauman [ 09/Jun/18 ]

This patch works for my needs.

I realize there are some threading/performance considerations when integrated with Mongo-c-driver.

000-initialize-b64rmap.patch


Comment by Dan Bauman [ 09/Jun/18 ]

The b64 map isn't initialized.

bson_b64_initialize_rmap seems to do the trick, but it needs a good place to be called from; it's private, and I can't find a libbson init function.

MONGOC_ONCE_FUN (_mongoc_do_init) doesn't get run when using libbson disconnected from the C driver.


Generated at Wed Feb 07 21:16:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.