
32 bit integer overflow in DocumentSourceSort::createBoundedSort() call

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 6.0.0-rc11, 6.1.0-rc0
    • Affects Version/s: 6.0.0-rc10, 6.1.0-rc0
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v6.0

      This issue can be reproduced outside of the sanitizer by:

      1) Applying the following patch:

      diff --git a/src/mongo/db/pipeline/document_source_sort.cpp b/src/mongo/db/pipeline/document_source_sort.cpp
      index 8083629fbfd..8d6c2e2e530 100644
      --- a/src/mongo/db/pipeline/document_source_sort.cpp
      +++ b/src/mongo/db/pipeline/document_source_sort.cpp
      @@ -425,6 +425,7 @@ intrusive_ptr<DocumentSourceSort> DocumentSourceSort::createBoundedSort(
           long long boundOffset,
           boost::optional<long long> limit,
           const intrusive_ptr<ExpressionContext>& expCtx) {
      +    invariant(boundOffset >= 0);
       
           auto ds = DocumentSourceSort::create(expCtx, pat);
       
      

       
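      Review bot: invariant(boundOffset >= 0) at the top of createBoundedSort() catches the negative offset that the 32-bit multiply by 1000 in pipeline_d.cpp produces, but it is a reproduction aid rather than a fix: it leaves the overflow in place and, because invariant() terminates the process, turns a sorted query on an "hours"-granularity time-series collection into a server crash. The multiplication at the call site should be done after widening the span to long long, with this check kept only as a guard on the already-correct value.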
      2) Running jstests/noPassthrough/timeseries_sort.js

    • Sprint: QO 2022-06-27
    • 177

      Overflow is possible in the following code when a 32-bit integer is multiplied by 1000. This happens in practice when the time-series bucket granularity is set to "hours" with a bucket max span seconds value of 2592000 and the bucket unpacking with sort optimization is in play: 2592000 * 1000 = 2592000000, which exceeds the largest signed 32-bit value, 2147483647, so the millisecond offset wraps to a negative number.

      https://github.com/mongodb/mongo/blob/fecef7a1f75e196a24715fabb0721124e71e170b/src/mongo/db/pipeline/pipeline_d.cpp#L1412-L1414
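      The overflow described above, worked as an added example (this is not code from the MongoDB repository, and the function names are hypothetical): the 32-bit multiply that wraps negative for the ticket's 2592000-second span, the 64-bit widening that avoids it, and a checked variant that reports the problem to the caller instead of leaving it to an invariant. The widening fix is the standard remedy and is assumed here, not taken from the commit that resolved the ticket.

```cpp
#include <cstdint>
#include <limits>

// Bucket max span for "hours" granularity, the value the ticket reports
// as triggering the overflow.
constexpr int32_t kHoursBucketMaxSpanSeconds = 2592000;

// Largest span whose millisecond product still fits in a signed 32-bit int.
constexpr int32_t kMaxSafeSpanSeconds32 =
    std::numeric_limits<int32_t>::max() / 1000;  // 2147483

// The pre-fix computation: seconds * 1000 evaluated in 32 bits. Signed
// overflow is undefined behaviour in C++, so the wraparound is emulated with
// unsigned arithmetic, which is what two's-complement hardware produces.
int32_t boundOffsetMillis32(int32_t maxSpanSeconds) {
    uint32_t wrapped = static_cast<uint32_t>(maxSpanSeconds) * 1000u;
    return static_cast<int32_t>(wrapped);
}

// The remedy: widen to 64 bits before multiplying, so the product cannot wrap.
int64_t boundOffsetMillis64(int32_t maxSpanSeconds) {
    return static_cast<int64_t>(maxSpanSeconds) * 1000;
}

// Defensive variant: report a negative or unrepresentable offset to the caller
// instead of relying on a later invariant() to abort the whole server process.
bool checkedBoundOffsetMillis(int64_t maxSpanSeconds, int64_t* outMillis) {
    if (maxSpanSeconds < 0 ||
        maxSpanSeconds > std::numeric_limits<int64_t>::max() / 1000) {
        return false;
    }
    *outMillis = maxSpanSeconds * 1000;
    return true;
}

// Would the ticket's invariant(boundOffset >= 0) fire for this span under the
// 32-bit computation?
bool tripsInvariant32(int32_t maxSpanSeconds) {
    return boundOffsetMillis32(maxSpanSeconds) < 0;
}
```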

      Assignee: James Wahlin (james.wahlin@mongodb.com)
      Reporter: James Wahlin (james.wahlin@mongodb.com)
      Votes: 0
      Watchers: 5
