[SERVER-76776] Crash found by op_msg_fuzzer Created: 03/May/23  Updated: 29/Oct/23  Resolved: 01/Jun/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Yongheng Chen Assignee: Amirsaman Memaripour
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Service Arch
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Service Arch 2023-06-12
Participants:

Description

Hi,

I found a crash input using the op_msg_fuzzer. The POC (base64 form) is:

/8sAAJmZltPUBwAAJG9vCG9vb29vb29vb29v////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////9vbzlvb29vb29vb29v729vb29vusU7gwAA
AAAA3QcAAAH//0QkBgA= 

To reproduce: 

cat poc_base64 | base64 -d > poc
./op_msg_fuzzer ./poc

Tested on Ubuntu 22.04

I have a question about the harness. In `op_msg_fuzzer_fixture.cpp`, the harness creates a `Msg` from the fuzzer provided buffer:

    int new_size = Size + sizeof(int);             // total length = 4-byte length prefix + fuzzer bytes
    auto sb = SharedBuffer::allocate(new_size);
    memcpy(sb.get(), &new_size, sizeof(int));      // first header field: messageLength
    memcpy(sb.get() + sizeof(int), Data, Size);    // remaining header fields and body come straight from the fuzzer
    Message msg(std::move(sb));

It seems such a message is not always valid (cannot be sent to the server from the client) so it might be a false crash? If so, is there any way to filter out such false crashes? If not, should I report all the crashes I find using the harness? I would like to contribute to improve the correctness and security of mongodb. Looking forward to hearing back from you.
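
The following is an added example to illustrate the triage question above; it is not code from the fuzz harness or from the MongoDB repository. It mirrors the harness step (prepend a native int32 length to the fuzzer bytes) and then applies the structural checks a conforming client's message would always pass, using only the public wire-protocol layout (16-byte header with messageLength/requestID/responseTo/opCode, OP_MSG opcode 2013, flagBits followed by sections). The function names, the "reason" strings and the constructed `{ping: 1}` sample are assumptions of this example; a little-endian host is assumed, as the harness itself relies on.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iterator>
#include <string>
#include <vector>

// Wire-protocol layout from the public MongoDB wire-protocol documentation (not the harness).
constexpr std::size_t kHeaderSize = 16;           // messageLength, requestID, responseTo, opCode (int32 each)
constexpr int32_t kOpMsg = 2013;                  // OP_MSG opcode
constexpr uint32_t kOpMsgRequiredFlagBits = 0x3u; // bits 0-15 must be understood; only checksumPresent (0) and moreToCome (1) are defined

// Same step as the harness snippet quoted above: prepend the total length as a native int32.
// Assumption: little-endian host, so the native int matches the wire format's little-endian int32.
std::vector<uint8_t> wrapLikeHarness(const std::vector<uint8_t>& data) {
    const int32_t newSize = static_cast<int32_t>(data.size() + sizeof(int32_t));
    std::vector<uint8_t> out(static_cast<std::size_t>(newSize));
    std::memcpy(out.data(), &newSize, sizeof(int32_t));
    if (!data.empty()) std::memcpy(out.data() + sizeof(int32_t), data.data(), data.size());
    return out;
}

static int32_t readLE32(const uint8_t* p) {
    const uint32_t v = uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
    return static_cast<int32_t>(v);
}

// Structural pre-check: returns "ok" or the first reason these bytes could never have been
// produced by a conforming client. Crashes whose input fails here are harness-only findings.
std::string checkWireMessage(const std::vector<uint8_t>& msg) {
    if (msg.size() < kHeaderSize) return "short-header";
    const int32_t len = readLE32(msg.data());
    if (len < 0 || static_cast<std::size_t>(len) != msg.size()) return "length-mismatch";
    if (readLE32(msg.data() + 12) != kOpMsg) return "unsupported-opcode";
    // OP_MSG body: uint32 flagBits, then one or more sections (kind byte + payload).
    if (msg.size() < kHeaderSize + 4 + 1) return "short-body";
    const uint32_t flags = static_cast<uint32_t>(readLE32(msg.data() + kHeaderSize));
    if ((flags & 0xFFFFu) & ~kOpMsgRequiredFlagBits) return "reserved-flag-bits";
    const uint8_t kind = msg[kHeaderSize + 4];
    if (kind != 0 && kind != 1) return "unknown-section-kind";
    if (kind == 0) {  // kind 0 carries one BSON document; its int32 length must fit inside the message
        if (msg.size() < kHeaderSize + 5 + 4) return "short-body";
        const int32_t docLen = readLE32(msg.data() + kHeaderSize + 5);
        if (docLen < 5 || kHeaderSize + 5 + static_cast<std::size_t>(docLen) > msg.size()) return "bad-document-length";
    }
    return "ok";
}

// Constructed sample input (hypothetical): the fuzzer-side bytes, i.e. everything after the
// length the harness prepends, for an OP_MSG carrying the body document {ping: 1}.
std::vector<uint8_t> buildOpMsgPing(uint32_t flagBits = 0) {
    std::vector<uint8_t> d;
    auto put32 = [&d](uint32_t v) {
        for (int i = 0; i < 4; ++i) d.push_back(static_cast<uint8_t>(v >> (8 * i)));
    };
    put32(1);                                  // requestID
    put32(0);                                  // responseTo
    put32(static_cast<uint32_t>(kOpMsg));      // opCode
    put32(flagBits);                           // OP_MSG flagBits
    d.push_back(0);                            // section kind 0: a single BSON body
    // BSON {ping: 1}: int32 docLen (15), 0x10 int32 element, "ping\0", int32 1, 0x00 terminator
    const uint8_t body[] = {0x0f, 0, 0, 0, 0x10, 'p', 'i', 'n', 'g', 0, 1, 0, 0, 0, 0};
    d.insert(d.end(), std::begin(body), std::end(body));
    return d;
}
```

Running `checkWireMessage(wrapLikeHarness(input))` over each crashing input before filing it separates inputs that are wire-invalid (short header, length mismatch, reserved flag bits) from ones a real client could have sent; only the latter reach the server's request handling in production, which matches the "test-only" classification given in the comments.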



Comments
Comment by Yongheng Chen [ 02/Jun/23 ]

amirsaman.memaripour@mongodb.com Thank you for the fix!

Comment by Amirsaman Memaripour [ 01/Jun/23 ]

changochen1@gmail.com, the issue is now fixed on the master branch. Thank you for reporting.

Comment by Githook User [ 01/Jun/23 ]

Author:

{'name': 'Amirsaman Memaripour', 'email': 'amirsaman.memaripour@mongodb.com', 'username': 'samanca'}

Message: SERVER-76776 Change the log severity for `handleRequest`
Branch: master
https://github.com/mongodb/mongo/commit/68fe704cba58ff049ecae19a4637985b322d490a

Comment by Yongheng Chen [ 26/May/23 ]

Hi amirsaman.memaripour@mongodb.com, thanks for the reply! Do you have any advice to filter out such test-only failures?

Comment by Amirsaman Memaripour [ 26/May/23 ]

changochen1@gmail.com, thank you for reporting this issue. The reported crash is test-only: failure to parse an incoming message only terminates the user-operation in production builds. We will keep this ticket in our backlog to address the test failure in near future. Thanks again for reporting this.

Generated at Thu Feb 08 06:33:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.