[SERVER-12709] Server assertion if granting role with many privileges
Created: 13/Feb/14  Updated: 29/Oct/15  Resolved: 29/Oct/15

Status: Closed
Project: Core Server
Component/s: Security, Stability
Affects Version/s: 2.5.5
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Andreas Nilsson
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File usercache.js    
Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run the enclosed script usercache.js (it will take 10-15 minutes). The actual crash happened for i = 9800.

Participants:

 Description   

When granting a role with many privileges, the total size of the user document might overshoot the maximum BSONObj size of 16MB. Actually, the error happens when retrieving the user information in getUserDescription.

The enclosed test was run on mongod but I would assume the crash applies to mongos as well.

2014-02-12T19:31:17.531-0500 [conn2] Assertion: 10334:BSONObj size: 16839711 (0x100F41F) is invalid. Size must be between 0 and 16793600(16MB) First element: _id: "admin.admin"
2014-02-12T19:31:17.535-0500 [conn2] 0x100766510 0x10070e15b 0x1006fc89a 0x1006fc73c 0x10000b150 0x10000818c 0x1000ced24 0x1000b31de 0x1000b2769 0x1001b9515 0x1001cdf66 0x1001f0cf5 0x1001f1bb5 0x1001f2e6b 0x100432395 0x1002e2560 0x10000f0c7 0x10071c8e1 0x1007a0491 0x7fff9111d899 
 0   mongod                              0x0000000100766510 _ZN5mongo15printStackTraceERSo + 64
 1   mongod                              0x000000010070e15b _ZN5mongo10logContextEPKc + 155
 2   mongod                              0x00000001006fc89a _ZN5mongo11msgassertedEiPKc + 346
 3   mongod                              0x00000001006fc73c _ZN5mongo11msgassertedEiRKSs + 12
 4   mongod                              0x000000010000b150 _ZNK5mongo7BSONObj14_assertInvalidEv + 1536
 5   mongod                              0x000000010000818c _ZN5mongo14BSONObjBuilder3objEv + 156
 6   mongod                              0x00000001000ced24 _ZN5mongo30AuthzManagerExternalStateLocal18getUserDescriptionERKNS_8UserNameEPNS_7BSONObjE + 4452
 7   mongod                              0x00000001000b31de _ZN5mongo20AuthorizationManager12_fetchUserV2ERKNS_8UserNameEPSt8auto_ptrINS_4UserEE + 78
 8   mongod                              0x00000001000b2769 _ZN5mongo20AuthorizationManager11acquireUserERKNS_8UserNameEPPNS_4UserE + 1065
 9   mongod                              0x00000001001b9515 _ZN5mongoL19getCurrentUserRolesEPNS_20AuthorizationManagerERKNS_8UserNameEPNSt3tr113unordered_setINS_8RoleNameENS5_4hashIS7_EESt8equal_toIS7_ESaIS7_ELb0EEE + 37
 10  mongod                              0x00000001001cdf66 _ZN5mongo19CmdGrantRolesToUser3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 982
 11  mongod                              0x00000001001f0cf5 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
 12  mongod                              0x00000001001f1bb5 _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2629
 13  mongod                              0x00000001001f2e6b _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 875
 14  mongod                              0x0000000100432395 _ZN5mongo11newRunQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 741
 15  mongod                              0x00000001002e2560 _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1696
 16  mongod                              0x000000010000f0c7 _ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE + 183
 17  mongod                              0x000000010071c8e1 _ZN5mongo17PortMessageServer17handleIncomingMsgEPv + 913
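
Added example (not part of the ticket, its attachment or MongoDB's code): a Node.js sketch that estimates the BSON-encoded size of a role's `privileges` array, so a tool that manages roles can reject an oversized grant before it approaches the 16793600-byte bound quoted in the assertion above. The helper names and sample privileges are constructed for illustration, and only strings, booleans, null, arrays and sub-documents are sized.

```javascript
// Upper bound taken from the assertion message in the log above.
const MAX_BSON_SIZE = 16793600;

const utf8Len = (s) => Buffer.byteLength(s, "utf8");

// Encoded size of one value, excluding its type byte and key.
function valueSize(v) {
  if (v === null) return 0;
  if (typeof v === "string") return 4 + utf8Len(v) + 1; // int32 length + bytes + NUL
  if (typeof v === "boolean") return 1;
  // BSON arrays are documents keyed "0", "1", ... so long lists pay for longer keys.
  if (Array.isArray(v)) return documentSize(v.map((item, i) => [String(i), item]));
  if (typeof v === "object") return documentSize(Object.entries(v));
  throw new TypeError("unsupported type in this sketch: " + typeof v);
}

// Encoded size of a document given as [key, value] pairs.
function documentSize(entries) {
  let size = 4 + 1; // int32 total length + trailing NUL
  for (const [key, value] of entries) {
    size += 1 + utf8Len(key) + 1 + valueSize(value); // type byte + cstring key + value
  }
  return size;
}

function bsonSize(doc) {
  return documentSize(Object.entries(doc));
}

// headroomBytes reserves space for the rest of the user document
// (name, credentials, role list), which this sketch does not model.
function checkPrivilegeBudget(privileges, headroomBytes = 0, limit = MAX_BSON_SIZE) {
  const size = bsonSize({ privileges });
  return { size, fits: size + headroomBytes <= limit };
}

// Constructed sample input: n privileges, one per collection.
function samplePrivileges(n) {
  return Array.from({ length: n }, (_, i) => ({
    resource: { db: "test", collection: "coll" + i },
    actions: ["find", "insert", "update", "remove"],
  }));
}

console.log(checkPrivilegeBudget(samplePrivileges(1000), 64 * 1024));
```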



 Comments   
Comment by Spencer Jackson [ 29/Oct/15 ]

Closing in light of Andy's comment.

Comment by Andy Schwerin [ 18/Feb/14 ]

It's a quirk of debug builds that the server dies in this circumstance. Release builds only kill the operation for this kind of failure (massert).

Comment by Andreas Nilsson [ 18/Feb/14 ]

I somehow feel it is a little harsh in general to kill the entire server if we hit a BSON size limit. Maybe we should only kill the connection causing it?

Comment by Daniel Pasette (Inactive) [ 18/Feb/14 ]

Can't avoid hitting the document limit, but could make the error better.
