[SERVER-19597] Overwriting ObjectId leads to null pointer crash Created: 24/Jul/15  Updated: 19/Sep/15  Resolved: 28/Jul/15

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.1.6
Fix Version/s: 3.1.7

Type: Bug Priority: Major - P3
Reporter: J Delaney Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

// Reproduction for SERVER-19597. The script overwrites the shell's global
// `ObjectId` with the object returned by t.stats(), then saves a document.
// It is sent through db.eval so the crash happens in the server process
// (the ASan report above is from mongod); evaluating the same statements
// directly in the shell crashes the shell instead.
var s = [
    't = db.foo;',
    't.drop();',
    'ObjectId = t.stats();',
    't.save({ a: "apple" });'
].join('');

db.eval(s);

Sprint: Platform 7 08/10/15
Participants:

 Description   

ASan Report:

==4976== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000250128b sp 0x7f91c65b6560 bp 0x7f91c65b6960 T15)
AddressSanitizer can not provide additional info.
    #0 0x250128a in BSONObj /home/jdelaney/mongo/src/mongo/bson/bsonobj.h:129
    #1 0x250128a in mongo::mozjs::ObjectWrapper::writeThis(mongo::BSONObjBuilder*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:344
    #2 0x25210be in mongo::mozjs::ValueWriter::_writeObject(mongo::BSONObjBuilder*, mongo::StringData, JS::Handle<JSObject*>) /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:247
    #3 0x252372d in mongo::mozjs::ValueWriter::writeThis(mongo::BSONObjBuilder*, mongo::StringData) /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:172
    #4 0x250050f in mongo::mozjs::ObjectWrapper::_writeField(mongo::BSONObjBuilder*, mongo::mozjs::ObjectWrapper::Key, mongo::BSONObj*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:381
    #5 0x2501439 in mongo::mozjs::ObjectWrapper::writeThis(mongo::BSONObjBuilder*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/objectwrapper.cpp:352
    #6 0x251acdb in mongo::mozjs::ValueWriter::toBSON() /home/jdelaney/mongo/src/mongo/scripting/mozjs/valuewriter.cpp:102
    #7 0x24f9be0 in mongo::mozjs::ObjectInfo::Functions::bsonsize(JSContext*, JS::CallArgs) /home/jdelaney/mongo/src/mongo/scripting/mozjs/object.cpp:59
    #8 0x24fb190 in mongo::mozjs::ObjectInfo::Functions::WRAPPER_bsonsize(JSContext*, unsigned int, JS::Value*) /home/jdelaney/mongo/src/mongo/scripting/mozjs/object.h:44
    #9 0x2c901c5 in CallJSNative /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/jscntxtinlines.h:226
    #10 0x2c901c5 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:498
    #11 0x2c78e89 in Interpret(JSContext*, js::RunState&) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:2602
    #12 0x2c8f82f in js::RunScript(JSContext*, js::RunState&) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:448
    #13 0x2c90075 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:517
    #14 0x2c9345b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/vm/Interpreter.cpp:554
    #15 0x363f73a in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/jdelaney/mongo/src/third_party/mozjs-38/extract/js/src/jsapi.cpp:4216
    #16 0x24c288b in Call /home/jdelaney/mongo/src/third_party/mozjs-38/include/jsapi.h:3754
    #17 0x24c288b in mongo::mozjs::MozJSImplScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool) /home/jdelaney/mongo/src/mongo/scripting/mozjs/implscope.cpp:525
    #18 0x250c773 in operator() /home/jdelaney/mongo/src/mongo/scripting/mozjs/proxyscope.cpp:190
    #19 0x250c773 in std::_Function_handler<void (), mongo::mozjs::MozJSProxyScope::invoke(unsigned long long, mongo::BSONObj const*, mongo::BSONObj const*, int, bool, bool, bool)::{lambda()#1}>::_M_invoke(std::_Any_data const&) /usr/include/c++/4.8/functional:2071
    #20 0x250cfd4 in std::function<void ()>::operator()() const /usr/include/c++/4.8/functional:2471
    #21 0x250cfd4 in mongo::mozjs::MozJSProxyScope::implThread() /home/jdelaney/mongo/src/mongo/scripting/mozjs/proxyscope.cpp:306
    #22 0x7f91d360ea3f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb1a3f)
    #23 0x7f91d3c85b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x18b97)
    #24 0x7f91d2e2b181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #25 0x7f91d2b5847c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)
SUMMARY: AddressSanitizer: SEGV /home/jdelaney/mongo/src/mongo/bson/bsonobj.h:129 BSONObj
Thread T15 created by T14 here:
    #0 0x7f91d3c77b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
    #1 0x7f91d360ec8e (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb1c8e)
Thread T14 created by T0 here:
    #0 0x7f91d3c77b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
    #1 0x258fdb2 in mongo::PortMessageServer::accepted(std::shared_ptr<mongo::Socket>, long long) /home/jdelaney/mongo/src/mongo/util/net/message_server_port.cpp:148
    #2 0x257ec26 in mongo::Listener::initAndListen() /home/jdelaney/mongo/src/mongo/util/net/listen.cpp:351
    #3 0x9bcc44 in _initAndListen /home/jdelaney/mongo/src/mongo/db/db.cpp:587
    #4 0x9bcc44 in mongo::initAndListen(int) /home/jdelaney/mongo/src/mongo/db/db.cpp:592
    #5 0x92b966 in mongoDbMain /home/jdelaney/mongo/src/mongo/db/db.cpp:822
    #6 0x92b966 in main /home/jdelaney/mongo/src/mongo/db/db.cpp:637
    #7 0x7f91d2a7fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
==4976== ABORTING

In ObjectWrapper::writeThis, originalBSON is being set to NULL when BSONInfo::originalBSON is called.

Does not affect 3.0.x



 Comments   
Comment by Githook User [ 28/Jul/15 ]

Author:

{u'username': u'hanumantmk', u'name': u'Jason Carey', u'email': u'jcarey@argv.me'}

Message: SERVER-19597 originalBSON can be called on proto

originalBSON can be called on the BSON prototype, which returns a
nullptr for the bson out param together with altered == false. We have to check
both !altered and a non-null originalBSON to avoid nullptr dereferences.
Branch: master
https://github.com/mongodb/mongo/commit/4bc0ca5f2190f851c25bd09f33bedbe57b23f758
