Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.0.0-rc0
Affects Version/s: 4.4.5
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:
Hide

Run the following with the undefined behaviour sanitizer in jstests/core/

(function() { "use strict"; const coll = db.int_key_pattern; coll.drop(); assert.commandWorked(db.createCollection(coll.getName())); assert.commandWorked(coll.insert({x: 1, y: "foo", z: 1})); coll.createIndex({_id: 1.8446744073709552e+19}); coll.createIndex({_id: -1.8446744073709552e+19}); coll.createIndex({x: 1.8446744073709552e+19}); coll.createIndex({x: -1.8446744073709552e+19}); coll.createIndex({y: 'text', z: 4294967296}); coll.createIndex({y: 'text', z: -4294967296}); }());
Show
Run the following with the undefined behaviour sanitizer in jstests/core/ (function() { "use strict" ; const coll = db.int_key_pattern; coll.drop(); assert .commandWorked(db.createCollection(coll.getName())); assert .commandWorked(coll.insert({x: 1, y: "foo" , z: 1})); coll.createIndex({_id: 1.8446744073709552e+19}); coll.createIndex({_id: -1.8446744073709552e+19}); coll.createIndex({x: 1.8446744073709552e+19}); coll.createIndex({x: -1.8446744073709552e+19}); coll.createIndex({y: 'text' , z: 4294967296}); coll.createIndex({y: 'text' , z: -4294967296}); }());
Sprint:
Execution Team 2021-05-17
Linked BF Score:
168
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The undefined behaviour sanitizer was trying to create indexes with numeric key patterns outside the range of representable values of 'int'. The input wasn't rejected by the createIndexes command and code at later points called BSONElement::numberInt() assuming it's safe.

Here are two spots that UBSan found, but there may be more:

I've verified that this behaviour already exists on v4.4, so the solution will need to be cautious as index specifications with these patterns can already be stored durably.

depends on

SERVER-56745 fix index_id_options.js tags

Closed

Assignee:: Benety Goh
Reporter:: Gregory Wlodarek
Participants:: Benety Goh, Githook User, Gregory Wlodarek
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Apr 30 2021 01:35:22 PM UTC
Updated:: Oct 29 2023 09:54:14 PM UTC
Resolved:: May 11 2021 03:22:55 PM UTC
Confidence Status Last Update:: 07/May/21 4:52 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates