
User-triggerable NULL pointer dereference - jibberzmcgee
https://jira.mongodb.org/browse/PYTHON-532
======
MichaelAza
Before I even get to the tone of this bug report, I'd like to ask the guy who
made it - are you aware you just put many, many users at risk here? Besides
making their services unavailable, this might lead to further exploits. There
is a way to disclose this sort of stuff. This is not it.

Now, about the tone - be a human first, programmer second. Even though it
seems 10gen screwed up big time, everyone makes mistakes. You could inform
them of what seems to be a major issue privately and politely, not ridicule
them in public. I wouldn't want it done to me and I'm sure neither would you.

As said by Chazal (old timey Jewish scholars): "Proper behavior precedes the
Torah ... and whoever humiliates another, it is as though he killed him"

EDIT: I'd just like to add that among the companies affected by this
disclosure and which are now totally open to attack are Craigslist, Firebase,
MTV, SourceForge, Codecademy and others. Here's the full list -
<http://www.mongodb.org/about/production-deployments/>

~~~
brudgers
_"be a human first"_

Dehumanization creates more harm than ten thousand crashing web apps.
Packaging the evil as the wisdom of religious scholarship changes nothing.

Refined words and a moralizing demeanor are but a ghillie suit over vileness and violence.

~~~
PommeDeTerre
There's no place for political correctness when it comes to developing
critical software systems.

Databases are such a system. They're expected to attain and maintain an
extremely high level of quality and reliability. Those who build them should
expect to do everything in their power to avoid flaws, and these people should
be more than willing to accept harsh reprisals when issues are found.

When the security and safety of data is at risk, some developer's hurt
feelings should be the last thing anyone is concerned about. There are far
more pressing problems at hand in such a situation.

~~~
brudgers
Decrying the expression of humanist values as "political correctness" is the
political correctness of those who hold to a different value system.

The forum in which we are dialoguing is not the MongoDB IRC. It is HN.

The effects of dehumanizing those who do not share our background are well
documented by history. They extend well beyond hurt feelings.

------
akanet
(I'm sure there's going to be a plethora of commenters in the near future
roundly criticizing the author for his tone)

I strongly agree with the author on the rampant disconnect between Mongo's
actual quality and its marketed quality.

~~~
chris_wot
Allow me to be the first. The tone is appalling.

~~~
coldtea
And since when do hackers care about "the tone"?

~~~
chris_wot
Since forever. Who are you to stereotype all hackers as uncaring, blunt,
socially awkward and mean?

~~~
coldtea
> _Since forever. Who are you to stereotype all hackers as uncaring, blunt,
> socially awkward and mean?_

Who's Paul Graham to stereotype hackers as socially awkward and blunt?
<http://www.paulgraham.com/nerds.html>

Who's Miguel De Icaza to do it?
<http://tirania.org/blog/archive/2011/Feb-17.html>

As for me, I'm someone who's a geek and has been around geeks and/or hackers
for ages, and who has read and seen most of the hacker folklore, from the
dictionary, to Pirates of Silicon Valley, to blogs to HN.

I also don't like the "all" qualifier you used. That can make any (otherwise
totally valid) generalisation appear wrong.

A "stereotype" is not something that necessarily applies to ALL members of a
group. It's just something that the statistical majority of some group holds.

(Of course it can also not hold at all. But the hackers I know, at least, would
agree it holds for hackers, especially the more absorbed and technical ones --
e.g. think Torvalds and Wozniak, not DHH or some random startup coder who does
some front end work and is otherwise a total hipster).

------
antirez
I guess the tone may be disturbing, but I hope that the MongoDB team will do
the right thing and thank the user for the detailed bug report, fix the issue,
and not focus too much on the noisy part of the message. After all, he tried
to use the system, found an issue after debugging for a long time, and
contributed the finding back instead of sharing it only with his friends to
crash random servers on the internet.

~~~
coldtea
> _I guess the tone may be disturbing, but I hope that the MongoDB team will
> do the right thing and thank the user for the detailed bug report, fix the
> issue, and not focus too much on the noisy part of the message._

Actually, just fixing the bugs after public outrage will not do.

They should focus A LOT on the noisy part of the message.

And feel shame. And then do something about it.

I'm glad for the noisy part myself.

~~~
exDM69
> They should focus A LOT on the noisy part of the message.
> And feel shame.
> And then do something about it.

No the MongoDB team should not feel ashamed, the author of this bug report
should. This kind of aggressive writing is unprofessional, rude and childish.

People make mistakes, even good engineers do. They should not be yelled at
like this even if they screw up badly. Writing software is a team effort, and
the users of open source software should be a part of that team and take the
collective responsibility of finding, reporting and fixing bugs in an
effective and civilized manner.

The tone of this bug report does not help fixing this bug faster or better,
but it does make the reporter look like an ass.

~~~
jibberzmcgee
Resisting the urge to comment, but suffice to say I disagree entirely. The
level of fail on display here is indicative of a total lack of understanding
of the basic principles of working in C, with the CPython API, or as a
company, any regard for quality control – _even still 4 years after a
trivially machine-detectable bug was introduced_.

They don't even need Coverity, there are numerous cheaper and free static
analysers that could have caught this before it left 10gen's offices.

Marketing a _database_ server that crashes with such C-101 style bugs due to
the shape of the _data being stored_ is simply beyond.

I disagree that publicizing stupidity like this can do harm – the crash is
clean enough that any trivial crash restart loop (e.g. just about any
production web server) will catch it. In the meantime the company are much
more motivated to provide a fix that I need, that I should never have needed
in the first place.

For all the "responsible disclosure" idiocy on this thread, in most cases the
crash is not remotely exploitable unless some API directly stores JSON objects
provided by a user, and even then, amounts to little more than a slow request
– a crash triggering a potentially expensive restart of the failed process.
Useful for a DDoS perhaps, but not an immediate national security threat.

We happen to want this functionality since it's one of the main "it's just
JSON" selling points of Mongo to begin with, we want index visibility for the
user data, and we think it's ridiculous that we should have to double-serialize
the user data (and write our own indexing) in order to avoid obvious
bugs.

~~~
exDM69
I agree that the bug itself has "n00b mistake" written all over it. It should
have not been made and should have been noticed in code reviews.

But would you go yell like that at a real person in real life when working at
the office? If not, why would it be ok to do it in a bug tracker anonymously?

I can't think of any offense I could do that would make it acceptable to yell
at me in an irate manner as in the bug report. I'm really glad I don't work
with people who consider this kind of behavior acceptable.

~~~
coldtea
> _But would you go yell like that at a real person in real life when working
> at the office?_

Definitely YES.

------
adlpz
I will join the others saying the same as me: as someone who has been in the
situation of debugging something for hours only to find out the cause is
someone else's incompetence, I totally find his tone acceptable.

At the same time, MongoDB is a free, OSS solution. While it's true it's
marketed way above reality, you both don't _have_ to pay for it (beyond
support) and can contribute to it if something doesn't work as you wish it
did.

~~~
exDM69
> I will join the others saying the same as me: as someone who has been in the
> situation of debugging something for hours only to find out the cause is
> someone else's incompetence, I totally find his tone acceptable.

This tone is _not_ acceptable in a formal bug report. It's fine to pour out
your frustration in this tone to your coworkers over a pint of beer, but it is
not fine to go and yell it in someone's face in a formal environment.

Everyone has wasted hours and hours in a frustrating debugging spree, we all
know that feeling. Get over it and be a professional, report the bug, fix it
and shut up.

~~~
adlpz
Well, you are right. I would have said I found his tone _understandable_ , not
really _acceptable_.

------
aktau
I personally don't fault the author too much for his tone, because I
understand his situation (been there, done that). Something like this is on
the verge (and probably over) of being unacceptable. I inherited a project
with MongoDB as well, and even though I haven't run into many problems (except
for MongoDB 2.0.x (debian wheezy) removing the journal file somewhere during a
shutdown but only removing the lock file later, which can and does lead to a
race condition and a database that refuses to start up unless removing the
lockfile manually)... I sincerely hold my heart I don't run into things like
this. Luckily Mongo is only used for some kind of persistent object storage
for a PHP webapp. (the db is all of 10MB...).

------
latch
The l33sp3@k as well as the [attempt] at humor at 10gen's expense is fine.

Anyone who thinks that publicly attacking an individual at this level is in
any way acceptable should work hard at being more empathic. No long hours of
working justify this.

~~~
antihero
"Anyone who thinks that publicly attacking an individual at this level is in
any way acceptable should work hard at being more empathic"

YAWN. Or people could just get thicker skin so we can actually have fun? This
is just banter.

~~~
drcongo
"Banter" is a vile word for a disgusting act.

~~~
sp332
Is there a joke I'm missing? This is banter
[https://en.wikipedia.org/w/index.php?title=Banter&redire...](https://en.wikipedia.org/w/index.php?title=Banter&redirect=no)

------
lttlrck
Step 0. Assume free open source project with publicly accessible bug tracking
system with non-zero open issues is bug-free.

~~~
alcuadrado
They are profiting out of mongodb, they are getting people to invest lots of
time, trust, and money in their product.

The author has a strong point that the quality of the development process for
mongodb must not be good if a bug like this one gets into production, when it
could be avoided using automated tools. This wouldn't be such a fault for a
random open source project, but if you are making a business out of it, and
you are encouraging others to use it as a key part of their business, it
is a great problem.

------
acc01
Is this a new kind of viral adverts for Coverity?

------
viraptor
Could someone explain what's actually so critical here? The way I understand
it is that if you can inject custom json contents into the mongodb data, you
can cause the pymongo library to crash. This should not be allowed to begin
with though - why would you allow anyone to store custom objects without any
checks? I would compare it to a null reference on a badly formatted SQL query
- sure, it's a bug, but why did you allow the user to submit an unescaped
string to begin with.

Or am I missing something important?

~~~
tetha
As other comments pointed out, it's not that critical per se. It crashes,
restarts and then that's it.

Beyond that, it's an undefined pointer dereference - who knows what this could
be used for in certain combinations and systems. Use a "not so critical" bug in
that subsystem, a "not so critical" mistake over there, another "somewhat
severe" error over there and you've got a root shell going. It's simply
disconcerting and annoying if you consider that static checkers could have
caught it.

~~~
viraptor
It's a NULL pointer dereference, not undefined pointer from what I can see.
Unless someone was able to mmap that memory, it should simply cause an instant
crash. PyDict_GetItemString() is guaranteed to return NULL for missing fields.

------
SamReidHughes
Everybody, quick! Let's rain down condemnation on somebody!

------
Doublon
I like the style

~~~
JonnieCache
It perfectly captures the mindstate of someone who's been debugging for 16
hours straight only to find out it's someone else's fault.

EDIT: That's not to say it's professional. It is amusing to read though.

~~~
Doublon
Exactly. And we all know how it feels. WTF MIKE?

~~~
gazrogers
Let's see your long list of pristine, error-free commits then.

~~~
coldtea
Actually let's not.

Let's just shame IF his list of non-pristine commits is marketed to high
heavens, deployed worldwide, still exists in a 3+ year old codebase AND is as
basic as those.

------
kmasters
Before getting religiously high and mighty it might be instructive to run a
security scan on the whole of the Internet and see how many SQL injection
vulnerabilities exist on the websites of major US companies and small time
startups.

The fact that MongoDB has in itself a vulnerability to unchecked input is not
great. But consider that if you are dealing with client side browser or server
side software, the entire stack is rife with security vulnerabilities because
the components themselves right down to TCP/IP are inherently insecure.

Be careful out there, and write nicer bug reports. Use the process. If you
were on the other end of that bug report, you would feel differently.

~~~
kyllo
_Before getting religiously high and mighty it might be instructive to run a
security scan on the whole of the Internet and see how many SQL injection
vulnerabilities exist on the websites of major US companies and small time
startups._

Doing that will almost certainly get you thrown behind bars.

~~~
kmasters
lol I didn't say to actually DO THAT. It was to make a point that we all adopt
things that bite us, many things.

"Nobody expects the Inquisition"

