[CDRIVER-3380] Fix BSON_ASSERT triggered by invalid JavaScript/JSON Created: 01/Oct/19  Updated: 28/Oct/23  Resolved: 18/May/22

Status: Closed
Project: C Driver
Component/s: libbson
Affects Version/s: None
Fix Version/s: 1.22.0, 1.22.0-beta0

Type: Bug Priority: Major - P3
Reporter: Roberto Sanchez Assignee: Colby Pike
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Bad JavaScript/JSON input to libbson causes assertion failure. This was identified during fuzz testing. Fuzzer output follows:

/home/admin/mongo-c-driver.git/src/libbson/src/bson/bson.c:1005 bson_append_code_with_scope(): precondition failed: javascript
==2261== ERROR: libFuzzer: deadly signal
    #0 0x4fbfe7 in __sanitizer_print_stack_trace (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x4fbfe7)   
    #1 0x44aceb in fuzzer::PrintStackTrace() (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x44aceb)
    #2 0x42e91b in fuzzer::Fuzzer::CrashCallback() (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x42e91b) 
    #3 0x42e8df in fuzzer::Fuzzer::StaticCrashSignalCallback() (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x42e8df)
    #4 0x7f18d839872f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1272f)
    #5 0x7f18d804e7ba in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x377ba)
    #6 0x7f18d8039534 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22534)
    #7 0x7f18d840b7f1 in bson_append_code_with_scope /home/admin/mongo-c-driver.git/src/libbson/src/bson/bson.c
    #8 0x7f18d8438600 in _bson_json_read_append_code /home/admin/mongo-c-driver.git/src/libbson/src/bson/bson-json.c:1422:8
    #9 0x7f18d8438600 in _bson_json_read_end_map /home/admin/mongo-c-driver.git/src/libbson/src/bson/bson-json.c:1592
    #10 0x7f18d8438600 in _pop_callback /home/admin/mongo-c-driver.git/src/libbson/src/bson/bson-json.c:1936
    #11 0x7f18d84567aa in jsonsl_feed /home/admin/mongo-c-driver.git/src/libbson/src/jsonsl/jsonsl.c:692:17
    #12 0x7f18d8431e83 in bson_json_reader_read /home/admin/mongo-c-driver.git/src/libbson/src/bson/bson-json.c:2069:10
    #13 0x522633 in LLVMFuzzerTestOneInput /home/admin/mongo-c-driver.git/src/libbson/examples/json-to-bson.c:53:16
    #14 0x42feaa in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x42feaa)
    #15 0x42f445 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x42f445)
    #16 0x43118e in fuzzer::Fuzzer::MutateAndTestOne() (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x43118e)
    #17 0x431e65 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x431e65)
    #18 0x427e90 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x427e90)
    #19 0x44b4a2 in main (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x44b4a2)
    #20 0x7f18d803b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #21 0x4219a9 in _start (/home/admin/mongo-c-driver.git/cmake-build/src/libbson/json-to-bson+0x4219a9)   

Comments
Comment by Jeremy Mikola [ 22/Jul/22 ]

colby.pike@mongodb.com: Is it possible that this issue broke parsing for legacy syntax? Specifically, the Doctrine ODM team noticed a build failure because they had some code that nested $regularExpression within a $regex field in extended JSON (just like the linked spec example). Assuming `BSON_JSON_LF_REGEX` corresponds to the $regex key, I think adding that to the case for the "Unexpected nested object value for..." error might have been an unintended regression.

See doctrine/mongodb-odm#2452 for more context.
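The two failure modes on this ticket, as an added example that is not libbson's code: the fuzzer finding in the description (a malformed `$code`/`$scope` object reaching `bson_append_code_with_scope` and tripping its precondition instead of being rejected by the JSON reader) and the regression discussed in the comment above (a `$regex` key whose value is a `$regularExpression` document, which the Extended JSON spec defines as an ordinary document holding a query operator, not an "unexpected nested object"). The validator below checks the special-key shapes at the parse boundary and returns a structured error for anything malformed, so invalid input never reaches a routine that asserts. The function names, the tagged-tuple representation and the sample inputs are this example's own assumptions; libbson's internal API and return types differ.

```python
"""Added example (not libbson's code): boundary validation for the
Extended JSON specials named in CDRIVER-3380.

A parser fed hostile JSON must turn every structural violation into
an error the caller can handle; an assert in the append path is a
crash, which a fuzzer reports as a deadly signal.
"""
import json


class ParseError(ValueError):
    """Structured error returned to the caller instead of an assert."""


def _code(obj):
    # {"$code": "<js>"} or {"$code": "<js>", "$scope": {<doc>}}.
    js = obj.get("$code")
    if not isinstance(js, str):
        raise ParseError("$code value must be a string")
    extra = set(obj) - {"$code", "$scope"}
    if extra:
        raise ParseError(f"unexpected keys alongside $code: {sorted(extra)}")
    if "$scope" not in obj:
        return ("code", js)
    scope = obj["$scope"]
    if not isinstance(scope, dict):
        raise ParseError("$scope value must be a document")
    return ("code_with_scope", js, parse_document(scope))


def _regular_expression(obj):
    # {"$regularExpression": {"pattern": "<str>", "options": "<str>"}}.
    if set(obj) != {"$regularExpression"}:
        raise ParseError("$regularExpression must be the only key")
    body = obj["$regularExpression"]
    if (not isinstance(body, dict) or set(body) != {"pattern", "options"}
            or not all(isinstance(v, str) for v in body.values())):
        raise ParseError("$regularExpression needs string pattern and options")
    return ("regex", body["pattern"], body["options"])


def parse_value(value):
    if isinstance(value, dict):
        if "$code" in value:
            return _code(value)
        if "$scope" in value:
            # $scope without $code: treated as malformed here (this
            # example's policy) rather than passed on with no javascript.
            raise ParseError("$scope without $code")
        if "$regularExpression" in value:
            return _regular_expression(value)
        return parse_document(value)
    if isinstance(value, list):
        return ("array", [parse_value(v) for v in value])
    return ("scalar", value)


def parse_document(obj):
    # A "$regex" key is not a type wrapper: its value is parsed like any
    # other, so {"$regex": {"$regularExpression": {...}}} becomes a
    # document whose "$regex" field holds a regex value.
    return ("document", {k: parse_value(v) for k, v in obj.items()})


def parse_json(text):
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as e:
        raise ParseError(f"invalid JSON: {e}") from None
    if not isinstance(obj, dict):
        raise ParseError("top level must be a document")
    return parse_document(obj)


def check_all(inputs):
    """Fuzz-style harness: each input must parse or raise ParseError.
    Any other exception would be the equivalent of the assert crash."""
    results = {}
    for text in inputs:
        try:
            parse_json(text)
            results[text] = "ok"
        except ParseError as e:
            results[text] = f"rejected: {e}"
    return results


# Constructed inputs for this example: two valid, three malformed.
SAMPLE_INPUTS = [
    '{"f": {"$code": "return 1;", "$scope": {"x": 1}}}',
    '{"q": {"$regex": {"$regularExpression": {"pattern": "^a", "options": "i"}}}}',
    '{"f": {"$code": 42}}',
    '{"f": {"$scope": {"x": 1}}}',
    '{"r": {"$regularExpression": {"pattern": "^a"}}}',
]

if __name__ == "__main__":
    for text, outcome in check_all(SAMPLE_INPUTS).items():
        print(f"{outcome:<55} {text}")
```

The second sample input is the shape from the comment above: it parses to a document with a `$regex` field holding a regex value, while the malformed `$code` and `$regularExpression` objects are reported as errors rather than propagated into an append routine.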

Comment by Githook User [ 11/May/22 ]

Author:

{'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}

Message: CDRIVER-3380 Fixup JSON specials and decimal128 parsing (#988)
