[SERVER-9686] HexData, UUID, and MD5 in v8 crash process when called with invalid hex string

Created: 14/May/13  Updated: 19/Sep/15  Resolved: 11/Aug/15

Status: Closed
Project: Core Server
Component/s: JavaScript, Shell
Affects Version/s: 2.4.3
Fix Version/s: 3.1.7

Type: Bug
Priority: Major - P3
Reporter: Shaun Verch
Assignee: Jonathan Reams
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-9175 Add more round trip jstests for javas... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Build 7 08/10/15, Build 8 08/31/15
Participants:

 Description   

MongoDB shell version: 2.5.0-pre-
connecting to: test
Tue May 14 13:29:47.602 [initandlisten] connection accepted from 127.0.0.1:49842 #1 (1 connection now open)
Server has startup warnings:
Tue May 14 12:32:09.790 [initandlisten]
Tue May 14 12:32:09.790 [initandlisten] ** NOTE: This is a development version (2.5.0-pre-) of MongoDB.
Tue May 14 12:32:09.790 [initandlisten] **       Not recommended for production.
Tue May 14 12:32:09.790 [initandlisten]
> HexData(0,"invalidhex")
Tue May 14 13:30:00.461   Assertion failure false src/mongo/util/hex.h 34
0x1078d1725 0x1078a272b 0x107878d8b 0x107726560 0x107726592 0x10785d838 0x10785dfbf 0x107828cd6 0x107a6067d 0x107a60a2b 0x107a5d788 0x1583106362
 0   mongo                               0x00000001078d1725 _ZN5mongo15printStackTraceERSo + 37
 1   mongo                               0x00000001078a272b _ZN5mongo10logContextEPKc + 123
 2   mongo                               0x0000000107878d8b _ZN5mongo12verifyFailedEPKcS1_j + 427
 3   mongo                               0x0000000107726560 _ZN5mongo7fromHexEc + 128
 4   mongo                               0x0000000107726592 _ZN5mongo7fromHexEPKc + 34
 5   mongo                               0x000000010785d838 _ZN5mongoL12hexToBinDataEPNS_7V8ScopeEN2v85LocalINS2_6ObjectEEEiSs + 200
 6   mongo                               0x000000010785dfbf _ZN5mongo11hexDataInitEPNS_7V8ScopeERKN2v89ArgumentsE + 447
 7   mongo                               0x0000000107828cd6 _ZN5mongo7V8Scope10v8CallbackERKN2v89ArgumentsE + 560
 8   mongo                               0x0000000107a6067d _ZN2v88internalL19HandleApiCallHelperILb0EEEPNS0_11MaybeObjectENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 1789
 9   mongo                               0x0000000107a60a2b _ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 43
 10  mongo                               0x0000000107a5d788 _ZN2v88internalL21Builtin_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 136
 11  ???                                 0x0000001583106362 0x0 + 92393202530
Tue May 14 13:30:00.465
 
***aborting after verify() failure as this is a debug/test build
 
 
Tue May 14 13:30:00.465 mongo got signal 6 (Abort trap: 6), stack trace:
 
Tue May 14 13:30:00.468 0x1078d1725 0x1076a4c94 0x7fff946cc8ea 0x10942e068 0x7fff94723dce 0x107878f67 0x107726560 0x107726592 0x10785d838 0x10785dfbf 0x107828cd6 0x107a6067d 0x107a60a2b 0x107a5d788 0x1583106362
 0   mongo                               0x00000001078d1725 _ZN5mongo15printStackTraceERSo + 37
 1   mongo                               0x00000001076a4c94 _Z12quitAbruptlyi + 388
 2   libsystem_c.dylib                   0x00007fff946cc8ea _sigtramp + 26
 3   ???                                 0x000000010942e068 0x0 + 4450345064
 4   libsystem_c.dylib                   0x00007fff94723dce abort + 143
 5   mongo                               0x0000000107878f67 _ZN5mongo12verifyFailedEPKcS1_j + 903
 6   mongo                               0x0000000107726560 _ZN5mongo7fromHexEc + 128
 7   mongo                               0x0000000107726592 _ZN5mongo7fromHexEPKc + 34
 8   mongo                               0x000000010785d838 _ZN5mongoL12hexToBinDataEPNS_7V8ScopeEN2v85LocalINS2_6ObjectEEEiSs + 200
 9   mongo                               0x000000010785dfbf _ZN5mongo11hexDataInitEPNS_7V8ScopeERKN2v89ArgumentsE + 447
 10  mongo                               0x0000000107828cd6 _ZN5mongo7V8Scope10v8CallbackERKN2v89ArgumentsE + 560
 11  mongo                               0x0000000107a6067d _ZN2v88internalL19HandleApiCallHelperILb0EEEPNS0_11MaybeObjectENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 1789
 12  mongo                               0x0000000107a60a2b _ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 43
 13  mongo                               0x0000000107a5d788 _ZN2v88internalL21Builtin_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE + 136
 14  ???                                 0x0000001583106362 0x0 + 92393202530
 
Tue May 14 13:30:00.473 [conn1] end connection 127.0.0.1:49842 (0 connections now open)

This also causes mongod to crash if run in db.eval.



 Comments   
Comment by Githook User [ 11/Aug/15 ]

Author: Jonathan Reams (jbreams) <jbreams@mongodb.com>

Message: SERVER-10152 SERVER-9686 Validate arguments to BinData/HexData constructors
Branch: master
https://github.com/mongodb/mongo/commit/d93cd99dfef38f9b0c13efe1c91b9c1107f9e7e9

Comment by Shaun Verch [ 11/Jun/14 ]

I get the backtrace, but the process does not exit:

$ ./mongo --nodb
MongoDB shell version: 2.7.2-pre-
> HexData(0, "invalidhex")
2014-06-11T15:23:06.111-0400 Assertion failure false src/mongo/util/hex.h 46
2014-06-11T15:23:06.115-0400
 0x10018be3f 0x10014ab70 0x10013a4fa 0x100114023 0x10011422a 0x100102670 0x1002a0f20 0x23c875406362
----- BEGIN BACKTRACE -----
 mongo(_ZN5mongo15printStackTraceERSo+0x2F) [0x10018be3f]
 mongo(_ZN5mongo10logContextEPKc+0xA0) [0x10014ab70]
 mongo(_ZN5mongo12verifyFailedEPKcS1_j+0x12A) [0x10013a4fa]
 mongo(_ZN5mongoL12hexToBinDataEPNS_7V8ScopeEiSs+0xF3) [0x100114023]
 mongo(_ZN5mongo11hexDataInitEPNS_7V8ScopeERKN2v89ArgumentsE+0xCA) [0x10011422a]
 mongo(_ZN5mongo7V8Scope10v8CallbackERKN2v89ArgumentsE+0x74) [0x100102670]
 mongo(_ZN2v88internalL21Builtin_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE+0x1D0) [0x1002a0f20]
 ??? [0x23c875406362]
-----  END BACKTRACE  -----
2014-06-11T15:23:06.118-0400 Error: assertion src/mongo/util/hex.h:46
    at (shell):1:1

Comment by Andreas Nilsson [ 11/Jun/14 ]

sverch what happens if you run this on a release build?

Comment by Shaun Verch [ 08/Jul/13 ]

Note that this only gets triggered in debug builds because verify is only terminal in debug builds.

Comment by Tad Marshall [ 15/May/13 ]

HexData validation was added for SpiderMonkey in commit https://github.com/mongodb/mongo/commit/72e14b4afbb2777281eb0c40612596ed1223730e ... see testhexString() in src/mongo/scripting/engine_spidermonkey.cpp . The _HexData() routine in that file does a few checks for validity ... subtype range test, even hex string length, only hex digits. The V8 interface code doesn't seem to be doing similar tests.
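
The three checks named in the comment above (subtype range, even hex string length, only hex digits), shown as an added example that is not MongoDB's code. All names are hypothetical, and the 0-255 subtype range is an assumption based on BSON storing the binary subtype in one byte. Invalid input produces an error return the binding can turn into a script exception, rather than reaching an assertion inside the hex decoder.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical container for the decoded value; not a MongoDB type.
struct BinData {
    uint8_t subtype;
    std::vector<uint8_t> bytes;
};

// Returns 0-15 for a hex digit and -1 for anything else. It never asserts,
// because the input comes from untrusted script code.
static int hexNibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Validates every script-supplied argument before decoding. On failure it
// sets `err`, leaves `out` untouched and returns false.
bool parseHexData(long subtype, const std::string& hex, BinData& out, std::string& err) {
    if (subtype < 0 || subtype > 255) {  // assumption: subtype is a single byte
        err = "subtype must be between 0 and 255";
        return false;
    }
    if (hex.size() % 2 != 0) {
        err = "hex string must have an even number of characters";
        return false;
    }
    std::vector<uint8_t> decoded;
    decoded.reserve(hex.size() / 2);
    for (std::size_t i = 0; i < hex.size(); i += 2) {
        int hi = hexNibble(hex[i]);
        int lo = hexNibble(hex[i + 1]);
        if (hi < 0 || lo < 0) {
            err = "invalid hex digit at offset " + std::to_string(hi < 0 ? i : i + 1);
            return false;
        }
        decoded.push_back(static_cast<uint8_t>((hi << 4) | lo));
    }
    out.subtype = static_cast<uint8_t>(subtype);
    out.bytes.swap(decoded);
    return true;
}
```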

Comment by Shaun Verch [ 14/May/13 ]

I plan to have argument checking tests as part of this ticket, but the round trip tests for these types are in SERVER-9175.
