[SERVER-64113] unsafe cast in match expression can allow insertion of malformed FLE1-encrypted fields Created: 02/Mar/22  Updated: 29/Oct/23  Resolved: 06/Apr/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Erwin Pe Assignee: Jacob Evans
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-65318 Complete TODO listed in SERVER-64113 Closed
related to SERVER-69604 Complete TODO listed in SERVER-64113 Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: QO 2022-03-21, QO 2022-04-04, QO 2022-04-18
Participants:

Description

The matchesSingleElement() function of the InternalSchemaBinDataEncryptedTypeExpression match expression checks an FLE1-encrypted BinData field to determine whether the first byte of the encrypted blob has the correct value (either 0x01 for 'deterministic', or 0x02 for 'random'). Then, it performs an unsafe cast of the BinData to a FleBlobHeader structure, without first checking the size, before reading and verifying the originalBsonType field of the header, which could potentially be outside the actual binary data buffer. If the BinData input is somehow malformed such that it is shorter than the size of FleBlobHeader, and the subsequent bytes in the BSON object have the correct values so as to pass validation of the type, then the match expression could allow this malformed document to pass schema validation of FLE1 fields, and therefore allow it to be inserted.
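The pattern described above, shown as an added, self-contained example rather than the server's own code: a flawed matcher that validates the subtype byte and then reinterprets the BinData as a header without a length check, beside a hardened matcher that rejects any blob shorter than the header before reading it. The header layout here (one subtype byte, a 16-byte key UUID, one original-BSON-type byte) and the names FleBlobHeader, BinDataView, matchesUnsafe and matchesSafe are this example's assumptions. The constructed "document" is a single backing buffer in which the two-byte BinData is followed by bytes that happen to place a valid type code where the header's originalBsonType field would sit, which is exactly the condition the report describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Assumed FLE1 header layout for this example (18 bytes, packed).
#pragma pack(push, 1)
struct FleBlobHeader {
    uint8_t fleBlobSubtype;    // 0x01 deterministic, 0x02 random
    uint8_t keyUUID[16];       // key identifier
    uint8_t originalBsonType;  // BSON type of the plaintext value
};
#pragma pack(pop)
static_assert(sizeof(FleBlobHeader) == 18, "FleBlobHeader must be 18 bytes");

constexpr uint8_t kDeterministic = 0x01;
constexpr uint8_t kRandom = 0x02;
constexpr uint8_t kBsonString = 0x02;  // BSON type code for a UTF-8 string

// A BinData element as the matcher sees it: payload pointer plus declared length.
struct BinDataView {
    const uint8_t* data;
    size_t length;
};

using Matcher = bool (*)(BinDataView, uint8_t, uint8_t);

// Flawed check: verifies the subtype byte, then casts straight to the header.
// If length < sizeof(FleBlobHeader), originalBsonType is read past the BinData,
// from whatever bytes follow it in the enclosing document.
bool matchesUnsafe(BinDataView bin, uint8_t expectedSubtype, uint8_t expectedType) {
    if (bin.length < 1 || bin.data[0] != expectedSubtype) return false;
    const auto* hdr = reinterpret_cast<const FleBlobHeader*>(bin.data);
    return hdr->originalBsonType == expectedType;  // out-of-bounds read when truncated
}

// Hardened check: refuse anything shorter than a full header before touching it,
// and copy the header out rather than aliasing the buffer.
bool matchesSafe(BinDataView bin, uint8_t expectedSubtype, uint8_t expectedType) {
    if (bin.length < sizeof(FleBlobHeader)) return false;
    FleBlobHeader hdr;
    std::memcpy(&hdr, bin.data, sizeof(hdr));
    return hdr.fleBlobSubtype == expectedSubtype && hdr.originalBsonType == expectedType;
}

// Constructed input: one buffer standing in for the surrounding BSON object.
// Bytes [0, 2) are the truncated BinData; byte 17 (where originalBsonType would
// sit in a full header) belongs to the following field and happens to be 0x02.
std::vector<uint8_t> buildTruncatedDocument() {
    std::vector<uint8_t> doc(64, 0xAA);
    doc[0] = kDeterministic;
    doc[17] = kBsonString;
    return doc;
}

// True if the given matcher accepts the two-byte truncated blob.
bool truncatedAccepted(Matcher matcher) {
    static const std::vector<uint8_t> doc = buildTruncatedDocument();
    return matcher(BinDataView{doc.data(), 2}, kDeterministic, kBsonString);
}

// True if the given matcher accepts a well-formed blob (full header plus ciphertext).
bool wellFormedAccepted(Matcher matcher) {
    FleBlobHeader hdr{};
    hdr.fleBlobSubtype = kRandom;
    std::memset(hdr.keyUUID, 0x11, sizeof(hdr.keyUUID));
    hdr.originalBsonType = kBsonString;
    uint8_t buf[sizeof(FleBlobHeader) + 32];
    std::memcpy(buf, &hdr, sizeof(hdr));
    std::memset(buf + sizeof(hdr), 0x55, 32);  // placeholder ciphertext bytes
    return matcher(BinDataView{buf, sizeof(buf)}, kRandom, kBsonString);
}

int main() {
    std::cout << std::boolalpha
              << "truncated blob, unsafe check accepts:  " << truncatedAccepted(matchesUnsafe) << '\n'
              << "truncated blob, safe check accepts:    " << truncatedAccepted(matchesSafe) << '\n'
              << "well-formed blob, safe check accepts:  " << wellFormedAccepted(matchesSafe) << '\n';
    return 0;
}
```

The backing buffer is deliberately larger than the declared BinData length so the flawed matcher's over-read stays inside real memory and the run is deterministic; in a live server the same read lands on neighbouring bytes of the BSON object, which is what lets a truncated blob pass validation.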



Comments
Comment by Githook User [ 06/Apr/22 ]

Author:

{'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'}

Message: SERVER-64113 Correct FLE1 match expression cast
Branch: master
https://github.com/mongodb/mongo/commit/65fb53546054c014f5ea202e295ba9e98646fb01

Generated at Thu Feb 08 05:59:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.