[SERVER-12006] Fixed potential pointer overflow leading to infinite loop Created: 09/Dec/13  Updated: 11/Jul/16  Resolved: 13/Dec/13

Status: Closed
Project: Core Server
Component/s: Storage
Affects Version/s: None
Fix Version/s: 2.5.5

Type: Bug Priority: Major - P3
Reporter: Jared Wong Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: pull-request
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

All


Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

Fixed potential pointer overflow leading to an infinite loop in
db/storage/record.cpp

In order to iterate over the data in the record there was a previous loop that
compared pointers:

const char * addr = _data;
const char * end = _data + _netLength();
for ( ; addr <= end ; addr += 2048 ) {
__record_touch_dummy += addr[0];

this will not work as expected because the addr pointer may overflow.

Consider the size of _data, where it is defined in mongo::ps::Slice as:

Entry _data[SliceSize]

Here _netLength is defined as:

int _netLength() const

{ return _lengthWithHeaders - HeaderSize; }

in mongo/db/pdfile.h. Where HeaderSize = 16 and _lengthWithHeaders is set in a
number of places through the function:

int& lengthWithHeaders()

{ _accessing(); return _lengthWithHeaders; }

in mongo/db/pdfile.h.

Assuming we can't guarantee anything about the exact value of _netLength (for
example, that it's always exactly a multiple of 2048) then there will be an
issue with the addr pointer overflowing the bounds of _data.

In C, it is undefined behavior to increment a pointer (in this case addr) more
than 1 past the end of the array (in this case _data) to which it points.

If the compiler so chooses, it may wrap around the pointer if it increases past
_data + SliceSize + 1. This would cause this loop to never exit because addr
would always be less than end.



 Comments   
Comment by Githook User [ 13/Dec/13 ]

Author:

{u'username': u'jaredlwong', u'name': u'Jared Wong', u'email': u'jaredlwong@gmail.com'}

Message: SERVER-12006 - Fixed potential pointer overflow leading to an infinite loop in db/storage/record.cpp

In order to iterate over the data in the record there was a previous loop that
compared pointers. This will not work as expected because the addr pointer may
overflow.

In C, it is undefined behavior to increment a pointer (in this case addr) more
than 1 past the end of the array (in this case _data) to which it points.

If the compiler so chooses, it may wrap around the pointer if it increases past
_data + SliceSize + 1. This would cause this loop to never exit because addr
would always be less than end.

Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/9ebb366ef046a10875640493cf0560359e9221b2

Generated at Thu Feb 08 03:27:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.