[SERVER-19904] verify() failure in filemd5 command when inserting invalid chunk data
Created: 12/Aug/15  Updated: 18/May/18  Resolved: 11/May/18

Status: Closed
Project: Core Server
Component/s: GridFS
Affects Version/s: 2.6.10
Fix Version/s: 4.0.0-rc0

Type: Bug
Priority: Major - P3
Reporter: J Delaney
Assignee: Charlie Swanson
Resolution: Done
Votes: 0
Labels: jstestfuzz, neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

db.fs.drop();
 
db.fs.chunks.ensureIndex({
    n: 1
});
 
db.fs.chunks.insert({
    files_id: 1,
    n: 0, // Works when set to `new BinData(0, 'test')`
});
 
db.runCommand({
    'filemd5': 1
});


 Description   

Assertion failure type() == BinData src/mongo/bson/bsonelement.h 450

Affects versions 2.6.0 and above (did not test further back than that).

Backtrace:

* thread #14: tid = 0xbe16fb, 0x00007fff97d9a348 libsystem_platform.dylib`OSAtomicCompareAndSwapPtrBarrier$VARIANT$mp + 8
  * frame #0: 0x00007fff97d9a348 libsystem_platform.dylib`OSAtomicCompareAndSwapPtrBarrier$VARIANT$mp + 8
    frame #1: 0x00007fff94969dd4 libsystem_pthread.dylib`__mtx_droplock + 462
    frame #2: 0x00007fff94969b4e libsystem_pthread.dylib`pthread_mutex_unlock + 63
    frame #3: 0x00007fff8d39b0df libsystem_c.dylib`fwrite + 194
    frame #4: 0x00007fff8e1b0d2a libc++.1.dylib`std::__1::__stdoutbuf<char>::overflow(int) + 82
    frame #5: 0x00007fff8e1a691d libc++.1.dylib`std::__1::basic_streambuf<char, std::__1::char_traits<char> >::xsputn(char const*, long) + 73
    frame #6: 0x00007fff8e1ad94c libc++.1.dylib`std::__1::basic_ostream<char, std::__1::char_traits<char> >::write(char const*, long) + 72
    frame #7: 0x00000001000503b5 mongod`mongo::operator<<(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, mongo::StringData)(stream=0x00007fff7b99a2f8, value=(_data = "\n\n***aborting after verify() failure as this is a debug/test build\n\n\n", _size = 69)) + 69 at string_data.cpp:57
    frame #8: 0x0000000100fd25f5 mongod`mongo::logger::MessageEventDetailsEncoder::encode(this=0x0000000104927ae0, event=0x000000010a7c14f0, os=0x00007fff7b99a2f8) + 709 at message_event_utf8_encoder.cpp:77
    frame #9: 0x0000000100716196 mongod`mongo::logger::ConsoleAppender<mongo::logger::MessageEventEphemeral, mongo::Console>::append(this=0x000000010492cd50, event=0x000000010a7c14f0) + 198 at console_appender.h:53
    frame #10: 0x0000000100fd316e mongod`mongo::logger::LogDomain<mongo::logger::MessageEventEphemeral>::append(this=0x0000000104928238, event=0x000000010a7c14f0) + 574 at log_domain-impl.h:59
    frame #11: 0x0000000100fcf36f mongod`mongo::logger::LogstreamBuilder::~LogstreamBuilder(this=0x000000010a7c1a88) + 1359 at logstream_builder.cpp:126
    frame #12: 0x0000000100fcfd25 mongod`mongo::logger::LogstreamBuilder::~LogstreamBuilder(this=0x000000010a7c1a88) + 21 at logstream_builder.cpp:119
    frame #13: 0x0000000101326b10 mongod`mongo::verifyFailed(expr=0x00000001023cbf2d, file=0x00000001023cbf3f, line=450) + 1872 at assert_util.cpp:143
    frame #14: 0x00000001000646e5 mongod`mongo::BSONElement::binDataType(this=0x000000010a7c22d8) const + 85 at bsonelement.h:450
    frame #15: 0x0000000100064730 mongod`mongo::BSONElement::binDataClean(this=0x000000010a7c22d8, len=0x000000010a7c2304) const + 32 at bsonelement.h:439
    frame #16: 0x00000001004b08f8 mongod`mongo::CmdFileMD5::run(this=0x00000001026b0170, txn=0x000000010a7c5318, dbname=0x000000010a7c32b8, jsobj=0x000000010a7c32e8, (null)=0, errmsg=0x000000010a7c32d0, result=0x000000010a7c3400) + 5976 at dbcommands.cpp:649
    frame #17: 0x00000001004a77ce mongod`mongo::Command::run(this=0x00000001026b0170, txn=0x000000010a7c5318, request=0x000000010a7c3fb0, replyBuilder=0x000000010a7c4030) + 2974 at dbcommands.cpp:1336
    frame #18: 0x00000001004a68ab mongod`mongo::Command::execCommand(txn=0x000000010a7c5318, command=0x00000001026b0170, request=0x000000010a7c3fb0, replyBuilder=0x000000010a7c4030) + 3915 at dbcommands.cpp:1260
    frame #19: 0x000000010034e9f8 mongod`mongo::runCommands(txn=0x000000010a7c5318, request=0x000000010a7c3fb0, replyBuilder=0x000000010a7c4030) + 2056 at commands.cpp:495
    frame #20: 0x000000010071bfd9 mongod`mongo::(anonymous namespace)::receivedRpc(txn=0x000000010a7c5318, client=0x0000000104c06c60, dbResponse=0x000000010a7c5390, message=0x000000010a7c5b90) + 633 at instance.cpp:290
    frame #21: 0x0000000100718989 mongod`mongo::assembleResponse(txn=0x000000010a7c5318, m=0x000000010a7c5b90, dbresponse=0x000000010a7c5390, remote=0x000000010a7c52f8) + 2441 at instance.cpp:508
    frame #22: 0x00000001000191e3 mongod`mongo::MyMessageHandler::process(this=0x0000000104c40790, m=0x000000010a7c5b90, port=0x000000010492c370) + 307 at db.cpp:165
    frame #23: 0x000000010136a827 mongod`mongo::PortMessageServer::handleIncomingMsg(arg=0x000000010492c370) + 2983 at message_server_port.cpp:229
    frame #24: 0x0000000101368baa mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] decltype(__f=0x0000000104928360, __args=0x0000000104928368)(void*)>(fp)(std::__1::forward<mongo::(anonymous namespace)::MessagingPortWithHandler*&>(fp0))) std::__1::__invoke<void* (*&)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*&>(void* (*&&&)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*&&&) + 24 at __functional_base:413
    frame #25: 0x0000000101368b92 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] std::__1::__bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<>, _is_valid_bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void* (__f=0x0000000104928360, __bound_args=0x0000000104928368, (null)=__tuple_indices<0> at 0x000000010a7c5ea0, __args=0x000000010a7c5e60)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, 0ul, std::__1::tuple<> >(void* (*&)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 40 at functional:2023
    frame #26: 0x0000000101368b6a mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] std::__1::__bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<>, _is_valid_bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<> >::value>::type std::__1::__bind<void* (this=0x0000000104928360)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*>::operator()<>() + 38 at functional:2086
    frame #27: 0x0000000101368b44 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] decltype(__f=0x0000000104928360)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*>&&) + 11 at __functional_base:413
    frame #28: 0x0000000101368b39 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] void std::__1::__thread_execute<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(__t=0x0000000104928360, (null)=__tuple_indices<> at 0x000000010a7c5e38)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >&, std::__1::__tuple_indices<>) + 25 at thread:332
    frame #29: 0x0000000101368b20 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(__vp=0x0000000104928360) + 368 at thread:342
    frame #30: 0x00007fff9496b268 libsystem_pthread.dylib`_pthread_body + 131
    frame #31: 0x00007fff9496b1e5 libsystem_pthread.dylib`_pthread_start + 176
    frame #32: 0x00007fff9496941d libsystem_pthread.dylib`thread_start + 13



 Comments   
Comment by Githook User [ 11/May/18 ]

Author:

{'name': 'Fox Lady', 'email': 'dandanlin.l@gmail.com', 'username': 'Dandanlin0702'}

Message: SERVER-19904 Avoid massert on field of incorrect type.

Closes #1239

Signed-off-by: Charlie Swanson <charlie.swanson@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/f2853bb09946ce5bb7779ff6ad8139a23cf35a90

Comment by Githook User [ 11/May/18 ]

Author:

{'name': 'Charlie Swanson', 'email': 'charlie.swanson@mongodb.com', 'username': 'cswanson310'}

Message: SERVER-19904 Test more bad inputs with filemd5
Branch: master
https://github.com/mongodb/mongo/commit/23533e463e1fabbd9bed8753b013f1028292636d

Comment by Eric Milkie [ 15/Nov/16 ]

The crash is happening because the FileMD5 command is calling binDataClean() on BSON Elements without first checking to ensure their type is BinData.
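
The check described in the comment above, as an added example that is not MongoDB source code and not the committed fix: a small reader over raw BSON bytes that returns an error for a missing or non-BinData `data` element instead of asserting. The names `chunkData`, `Chunk`, `valueSize` and the `k...` sample documents are hypothetical, and only the double, int32, int64 and binary element types are handled.

```cpp
// Added example: a stand-alone model of the missing type check, not MongoDB source.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
enum class Chunk { Ok, MissingData, WrongType, Malformed };

static int32_t le32(const uint8_t* p) {  // BSON integers are little-endian
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
// Value size for the element types this sketch understands, else -1.
static long valueSize(uint8_t type, const uint8_t* p, size_t avail) {
    if (type == 0x01 || type == 0x12) return 8;  // double, int64
    if (type == 0x10) return 4;                  // int32
    if (type == 0x05 && avail >= 5 && le32(p) >= 0) return 5L + le32(p);  // length, subtype, bytes
    return -1;
}
// Copy out the payload of "data", refusing any element that is not BinData (type 0x05).
Chunk chunkData(const Bytes& doc, Bytes& out) {
    if (doc.size() < 5 || le32(doc.data()) != (int32_t)doc.size() || doc.back() != 0)
        return Chunk::Malformed;
    size_t i = 4, end = doc.size() - 1;
    while (i < end) {
        uint8_t type = doc[i++];
        const void* nul = std::memchr(&doc[i], 0, end - i);
        if (!nul) return Chunk::Malformed;
        std::string name((const char*)&doc[i], (const char*)nul);
        i += name.size() + 1;
        if (name == "data" && type != 0x05) return Chunk::WrongType;  // check type before any read
        long sz = valueSize(type, &doc[i], end - i);
        if (sz < 0 || (size_t)sz > end - i) return Chunk::Malformed;
        if (name == "data") { out.assign(&doc[i] + 5, &doc[i] + sz); return Chunk::Ok; }
        i += (size_t)sz;
    }
    return Chunk::MissingData;  // e.g. a chunk holding only files_id and n
}
// Constructed sample documents (raw BSON bytes, not taken from the ticket).
const Bytes kNoData = {0x22,0,0,0, 0x01,'f','i','l','e','s','_','i','d',0, 0,0,0,0,0,0,0xF0,0x3F,
                       0x01,'n',0, 0,0,0,0,0,0,0,0, 0};  // {files_id: 1.0, n: 0.0}
const Bytes kIntData = {0x0F,0,0,0, 0x10,'d','a','t','a',0, 0,0,0,0, 0};  // {data: 0}
const Bytes kBinData = {0x1B,0,0,0, 0x10,'n',0, 0,0,0,0,  // {n: 0, data: 4-byte BinData}
                        0x05,'d','a','t','a',0, 4,0,0,0, 0, 't','e','s','t', 0};

int main() {  // exit status 0 when the three samples classify as expected
    Bytes out;
    return !(chunkData(kNoData, out) == Chunk::MissingData &&
             chunkData(kIntData, out) == Chunk::WrongType &&
             chunkData(kBinData, out) == Chunk::Ok);
}
```

`kNoData` mirrors the shape of the chunk in the steps to reproduce, which carries `files_id` and `n` but no `data` element.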

Generated at Thu Feb 08 03:52:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.