[SERVER-21957] Circular JS objects cause use-after-free in ObjectWrapper::toBSON

Created: 18/Dec/15 | Updated: 08/Jan/24 | Resolved: 21/Dec/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | JavaScript |
| Affects Version/s: | 3.2.0 |
| Fix Version/s: | 3.2.13, 3.3.0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Andrew Morrow (Inactive) |
| Assignee: | Andrew Morrow (Inactive) |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | bkp |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v3.2 |
| Steps To Reproduce: | Run the depth_limit.js script in a shell running under valgrind |
| Sprint: | Platforms 2017-03-27 |
| Participants: | |

| Description |
The BSONObjBuilder declared in ObjectWrapper::toBSON needs to remain in scope until after all of the WriteFieldRecursionFrame objects in the 'frames' LifetimeStack are destroyed, because each frame, when destroyed, may write to memory owned by the BSONObjBuilder. Unfortunately, the BSONObjBuilder is declared after the frames object, so normal C++ destruction sequencing (reverse order of declaration) destroys the BSONObjBuilder before the frames, leading to a use-after-free.

During normal processing this does not happen: the loop that makes up the primary body of the function pops (and destroys) all frames before leaving the function, so any frame that referenced the BSONObjBuilder has already been destroyed by the time the builder goes out of scope. However, if the function is exited via an exception, as happens when the object being walked is circular, the frames have not all been popped, and the incorrect declaration order results in a use-after-free during stack unwinding.
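The declaration-order problem described above, as an added example that is not MongoDB's code. The stand-in types Builder, Frame and FrameStack are assumptions playing the roles of BSONObjBuilder, WriteFieldRecursionFrame and the 'frames' LifetimeStack; rather than touching freed memory, each destructor appends to a trace so the destruction order on both the normal path and the exception path can be checked safely. walkBuggy uses the ticket's ordering (frames declared before the builder) and walkFixed the corrected one.

```cpp
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Added example; not MongoDB's code. Models the destruction-order bug from
// this ticket with stand-in types and records destructor order in a trace
// instead of dereferencing freed memory, so the sequencing can be verified.
using Trace = std::vector<std::string>;

// Stand-in for BSONObjBuilder: owns the memory the frames write into.
struct Builder {
    Trace* trace;
    explicit Builder(Trace* t) : trace(t) {}
    ~Builder() { trace->push_back("builder destroyed"); }
};

// Stand-in for WriteFieldRecursionFrame: its destructor writes to the builder,
// so it must run while the builder is still alive.
struct Frame {
    Trace* trace;
    explicit Frame(Trace* t) : trace(t) {}
    ~Frame() { trace->push_back("frame destroyed"); }
};

// Stand-in for the 'frames' LifetimeStack: frames are destroyed when popped.
using FrameStack = std::vector<std::unique_ptr<Frame>>;

// Buggy layout from the ticket: frames declared before the builder, so on
// scope exit the builder is destroyed first and leftover frames then write
// into memory it no longer owns.
Trace walkBuggy(bool circular) {
    Trace trace;
    try {
        FrameStack frames;        // declared first  -> destroyed last
        Builder builder(&trace);  // declared second -> destroyed first
        frames.push_back(std::make_unique<Frame>(&trace));
        if (circular) {
            // Circular object: the walk bails out with an exception, leaving
            // the frame on the stack for unwinding to destroy.
            throw std::runtime_error("recursion limit reached on circular object");
        }
        frames.pop_back();  // normal path: every frame popped before leaving scope
    } catch (const std::runtime_error&) {
        // The caller would report the error; here only the trace matters.
    }
    return trace;
}

// Fixed layout: builder declared before the frame stack, so unwinding destroys
// all frames (and completes their writes) before the builder goes away.
Trace walkFixed(bool circular) {
    Trace trace;
    try {
        Builder builder(&trace);  // declared first  -> destroyed last
        FrameStack frames;        // declared second -> destroyed first
        frames.push_back(std::make_unique<Frame>(&trace));
        if (circular) {
            throw std::runtime_error("recursion limit reached on circular object");
        }
        frames.pop_back();
    } catch (const std::runtime_error&) {
    }
    return trace;
}

// True when the builder was the last object destroyed, i.e. no frame
// destructor ran after the builder's memory was released.
bool builderOutlivesFrames(const Trace& trace) {
    return !trace.empty() && trace.back() == "builder destroyed";
}

int main() {
    auto report = [](const char* name, const Trace& trace) {
        std::cout << name << ": ";
        for (const auto& step : trace) std::cout << "[" << step << "] ";
        std::cout << (builderOutlivesFrames(trace) ? "ok" : "USE-AFTER-FREE") << "\n";
    };
    report("buggy layout, acyclic object ", walkBuggy(false));
    report("buggy layout, circular object", walkBuggy(true));
    report("fixed layout, circular object", walkFixed(true));
    return 0;
}
```

The acyclic case passes with either layout because the loop empties the stack before scope exit; only the exception path exposes the ordering, which is why the ticket's reproduction needs a circular object and valgrind rather than a functional test.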
| Comments |

| Comment by Githook User [ 10/Apr/17 ] |

Author: {u'username': u'acmorrow', u'name': u'Andrew Morrow', u'email': u'acm@mongodb.com'}
Message: (cherry picked from commit effa414a8262d0816dd4c879260a6ce96b0d1fb5)

| Comment by Githook User [ 21/Dec/15 ] |

Author: {u'username': u'acmorrow', u'name': u'Andrew Morrow', u'email': u'acm@mongodb.com'}
Message: