[SERVER-14350] Server crash when $centerSphere has non-positive radius
Created: 25/Jun/14  Updated: 11/Jul/16  Resolved: 01/Jul/14

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 2.6.3
Fix Version/s: 2.6.4, 2.7.3

Type: Bug
Priority: Major - P3
Reporter: Marc Knaup
Assignee: Greg Studer
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-14984 Server aborts when running $centerSph... Closed
Operating System: ALL
Backport Completed:
Steps To Reproduce:

MongoDB Shell

db.test.find({ coordinates: { $within: { $centerSphere: [ [ 0, 0 ], -1 ] }}})

Participants:

 Description   
Issue Status as of Jul 22, 2014

ISSUE SUMMARY
Specifying a non-positive value (including NaN) for the radius in a $centerSphere geo query causes a fatal assertion and a crash of the server.

USER IMPACT
Users who don't validate the inputs of their geo queries client-side can crash the server. Like all server failures, this may lead to immediate or eventual (in the case of replica sets) unavailability of the database.

WORKAROUNDS
Make sure that the radius specified in $centerSphere for geo queries is a positive number.

AFFECTED VERSIONS
All production releases up to version 2.6.3 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.4 production release.

RESOLUTION DETAILS
Added validation for circular regions in $near / $within.

Original description

Our software accidentally performed a $centerSphere query with NaN as radius, which caused mongod to crash due to an assertion failure.

The same crash happens when a negative radius is passed.

mongod.log

2014-06-25T11:45:29.228+0000 [conn25] SEVERE: src/third_party/s2/s2cap.cc:36:  Check failed: (angle.radians()) >= (0)
2014-06-25T11:45:29.229+0000 [conn25] test.test Fatal Assertion 0
2014-06-25T11:45:29.247+0000 [conn25] test.test 0x11da801 0x117c9f9 0x115f43d 0x127ab0d 0x1284b2e 0xb3cbea 0xb474f6 0xb49d32 0xb4c0d9 0xbf1e00 0xbf08b4 0xbead3d 0xbec7ba 0xbed122 0xd178ab 0xd52c62 0xb9c972 0xb9ef52 0x76f2bf 0x1190afb
 /usr/bin/mongod(_ZN5mongo15printStackTraceERSo+0x21) [0x11da801]
 /usr/bin/mongod(_ZN5mongo10logContextEPKc+0x159) [0x117c9f9]
 /usr/bin/mongod(_ZN5mongo13fassertFailedEi+0xcd) [0x115f43d]
 /usr/bin/mongod(_ZN15LogMessageFatalD1Ev+0x1d) [0x127ab0d]
 /usr/bin/mongod(_ZN5S2Cap13FromAxisAngleERK7Vector3IdERK7S1Angle+0x7e) [0x1284b2e]
 /usr/bin/mongod(_ZN5mongo9GeoParser8parseCapERKNS_7BSONObjEPNS_10CapWithCRSE+0xc1a) [0xb3cbea]
 /usr/bin/mongod(_ZN5mongo17GeometryContainer9parseFromERKNS_7BSONObjE+0x936) [0xb474f6]
 /usr/bin/mongod(_ZN5mongo8GeoQuery16parseLegacyQueryERKNS_7BSONObjE+0x7b2) [0xb49d32]
 /usr/bin/mongod(_ZN5mongo8GeoQuery9parseFromERKNS_7BSONObjE+0x19) [0xb4c0d9]
 /usr/bin/mongod(_ZN5mongo31expressionParserGeoCallbackRealEPKciRKNS_7BSONObjE+0x1e0) [0xbf1e00]
 /usr/bin/mongod(_ZN5boost6detail8function17function_invoker3IPFN5mongo10StatusWithIPNS3_15MatchExpressionEEEPKciRKNS3_7BSONObjEES7_S9_iSC_E6invokeERNS1_15function_bufferES9_iSC_+0x14) [0xbf08b4]
 /usr/bin/mongod(_ZN5mongo21MatchExpressionParser14_parseSubFieldERKNS_7BSONObjEPKNS_18AndMatchExpressionEPKcRKNS_11BSONElementEi+0xc6d) [0xbead3d]
 /usr/bin/mongod(_ZN5mongo21MatchExpressionParser9_parseSubEPKcRKNS_7BSONObjEPNS_18AndMatchExpressionEi+0x28a) [0xbec7ba]
 /usr/bin/mongod(_ZN5mongo21MatchExpressionParser6_parseERKNS_7BSONObjEi+0x5c2) [0xbed122]
 /usr/bin/mongod(_ZN5mongo14CanonicalQuery12canonicalizeERKNS_12QueryMessageEPPS0_+0xab) [0xd178ab]
 /usr/bin/mongod(_ZN5mongo11newRunQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_+0x572) [0xd52c62]
 /usr/bin/mongod() [0xb9c972]
 /usr/bin/mongod(_ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE+0x442) [0xb9ef52]
 /usr/bin/mongod(_ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0x9f) [0x76f2bf]
 /usr/bin/mongod(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x4fb) [0x1190afb]
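
The client-side check that the workaround above calls for, as an added example that is not part of the original issue or MongoDB's code: it walks a query filter and rejects any $centerSphere whose radius is not a positive finite number. The function names and sample filters are constructed for illustration, and rejecting Infinity and non-numeric types is an assumption beyond what the issue states.

```javascript
// Added example: reject filters whose $centerSphere radius would trip the
// server-side assertion described in this issue (non-positive or NaN).
// Rejecting Infinity and non-number types is an extra assumption made here.
function isValidRadius(r) {
  return typeof r === "number" && Number.isFinite(r) && r > 0;
}

// Recursively walk a query filter and collect every invalid $centerSphere.
// Returns an array of { path, reason }; an empty array means nothing was flagged.
function findBadCenterSphere(filter, path = "") {
  const problems = [];
  if (filter === null || typeof filter !== "object") return problems;
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key === "$centerSphere") {
      if (!Array.isArray(value) || value.length !== 2) {
        problems.push({ path: here, reason: "expected [ [x, y], radius ]" });
      } else if (!isValidRadius(value[1])) {
        problems.push({ path: here, reason: `invalid radius: ${String(value[1])}` });
      }
      continue;
    }
    // Descend into nested operators and arrays ($or, $and, $within, ...).
    problems.push(...findBadCenterSphere(value, here));
  }
  return problems;
}

// Hypothetical wrapper: throw before the filter is handed to the driver.
function assertSafeGeoFilter(filter) {
  const problems = findBadCenterSphere(filter);
  if (problems.length > 0) {
    throw new RangeError(problems.map((p) => `${p.path}: ${p.reason}`).join("; "));
  }
  return filter;
}

// Constructed sample filters; the first is the query from the repro steps.
const bad = { coordinates: { $within: { $centerSphere: [[0, 0], -1] } } };
const nan = { $or: [{ loc: { $geoWithin: { $centerSphere: [[0, 0], NaN] } } }] };
const ok = { coordinates: { $within: { $centerSphere: [[0, 0], 0.1] } } };

console.log(findBadCenterSphere(bad));
console.log(findBadCenterSphere(nan));
console.log(findBadCenterSphere(ok));
```

Walking the whole filter matters when an application forwards user-supplied filter documents, because the operator can sit under `$or`/`$and` rather than at the top level.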



 Comments   
Comment by Githook User [ 15/Jul/14 ]

Author: Greg Studer (username: gregstuder, email: greg@10gen.com)

Message: SERVER-14350 validate distances for circular regions in $near/$within
(cherry picked from commit 7a0d83d88d18d5c28fe13bd5dc0b13d1c6c2ef22)
Branch: v2.6
https://github.com/mongodb/mongo/commit/6c64f236204a14b3c4dd3157bc9202acfbdbf363

Comment by Githook User [ 30/Jun/14 ]

Author: Greg Studer (username: gregstuder, email: greg@10gen.com)

Message: SERVER-14350 validate distances for circular regions in $near/$within
Branch: master
https://github.com/mongodb/mongo/commit/7a0d83d88d18d5c28fe13bd5dc0b13d1c6c2ef22

Comment by Ramon Fernandez Marina [ 25/Jun/14 ]

fluidsonic, thanks for your report. We're able to reproduce the problem and we're investigating.
