[SERVER-22693] Scope::append exhibits UB by trying to cast NaN to long long Created: 17/Feb/16  Updated: 16/Mar/16  Resolved: 26/Feb/16

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: None
Fix Version/s: 3.3.3

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Samantha Ritter (Inactive)
Resolution: Done Votes: 0
Labels: undefined-sanitizer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run jstests/core/constructors.js under UBSAN

Sprint: Platforms 11 (03/11/16)
Participants:

 Description   

See https://github.com/mongodb/mongo/blob/3b90410d75079ea80800eadc65bf599d9d525817/src/mongo/scripting/engine.cpp#L106

The relevant UBSAN stack trace is:

[MongoDFixture:job0] (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0x1001861): runtime error: value nan is outside the range of representable values of type 'long long'
[MongoDFixture:job0]     #0 0x1d2da3e in mongo::Scope::append(mongo::BSONObjBuilder&, char const*, char const*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/scripting/engine.cpp:106:69
[MongoDFixture:job0]     #1 0x1314398 in mongo::(anonymous namespace)::dbEval(mongo::OperationContext*, std::string const&, mongo::BSONObj const&, mongo::BSONObjBuilder&, std::string&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbeval.cpp:146:5
[MongoDFixture:job0]     #2 0x13136f8 in mongo::(anonymous namespace)::CmdEval::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbeval.cpp:189:16
[MongoDFixture:job0]     #3 0x1307263 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbcommands.cpp:1464:19
[MongoDFixture:job0]     #4 0x1305682 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbcommands.cpp:1332:18
[MongoDFixture:job0]     #5 0x1214624 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/commands.cpp:498:9
[MongoDFixture:job0]     #6 0x14b4803 in mongo::(anonymous namespace)::receivedRpc(mongo::OperationContext*, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:304:9
[MongoDFixture:job0]     #7 0x14b4803 in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:525
[MongoDFixture:job0]     #8 0x1012e54 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:173:17
[MongoDFixture:job0]     #9 0x1dcb6ad in mongo::PortMessageServer::handleIncomingMsg(void*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/util/net/message_server_port.cpp:229:17
[MongoDFixture:job0]     #10 0x7f00e24936a9 in start_thread /build/buildd/glibc-2.21/nptl/pthread_create.c:333
[MongoDFixture:job0]     #11 0x7f00e1fb1eec in clone /build/buildd/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[MongoDFixture:job0]
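The report above is UBSAN's float-cast-overflow check firing on a `double` to `long long` conversion: a JavaScript Number is always a double, and converting a NaN, an infinity, or any value outside [-2^63, 2^63) to an integer type is undefined behaviour in C++, not merely an unspecified result. The following is an added illustration, not MongoDB code; it models the numeric path of Scope::append with an assumed mini "writer" (`appendNumber`, `safeDoubleToLongLong`, `BsonNumType` are names chosen here) and shows the cast pattern the ticket flags next to a guarded form that never reaches the cast with a value it cannot represent:

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Added example (not MongoDB code). Models the numeric path of Scope::append:
// a JavaScript Number is a double, and the engine must decide whether it can be
// emitted as a 64-bit integer (NumberLong) or has to stay a double.

// The pattern the ticket reports: converting a double that is NaN, infinite or
// outside [-2^63, 2^63) to long long is undefined behaviour ([conv.fpint]).
// UBSAN's -fsanitize=float-cast-overflow reports exactly this at the cast site.
long long unsafeDoubleToLongLong(double d) {
    return static_cast<long long>(d);  // UB for NaN, +/-inf, |d| >= 2^63
}

// Hardened form: convert only when the standard defines the result.
// Returns false (and leaves *out untouched) for NaN, +/-inf and out-of-range.
bool safeDoubleToLongLong(double d, long long* out) {
    if (!std::isfinite(d)) {
        return false;  // NaN compares false with everything, so exclude it first
    }
    // Both bounds are exact powers of two, so they are representable as doubles.
    // LLONG_MAX itself (2^63 - 1) is NOT representable: it rounds up to 2^63,
    // which is why the upper test is "< 2^63" rather than "<= LLONG_MAX".
    const double kLowest = -9223372036854775808.0;  // -2^63
    const double kTooBig = 9223372036854775808.0;   //  2^63
    if (d < kLowest || d >= kTooBig) {
        return false;
    }
    *out = static_cast<long long>(d);  // well-defined: truncates toward zero
    return true;
}

// Assumed mini model of the writer's decision (hypothetical, not the engine's
// real API): integral, in-range doubles become NumberLong; everything else,
// including NaN and inf, is kept as NumberDouble, so the integer cast is never
// reached with a value it cannot represent.
enum BsonNumType { kNumberLong, kNumberDouble };

struct AppendedNumber {
    BsonNumType type;
    long long asLong;  // valid when type == kNumberLong
    double asDouble;   // valid when type == kNumberDouble
};

AppendedNumber appendNumber(double d) {
    long long ll = 0;
    if (safeDoubleToLongLong(d, &ll) && std::trunc(d) == d) {
        AppendedNumber r = {kNumberLong, ll, 0.0};
        return r;
    }
    AppendedNumber r = {kNumberDouble, 0, d};
    return r;
}

int main() {
    // Constructed sample inputs covering the edge cases the report is about.
    const double samples[] = {42.0, -3.7, std::nan(""),
                              std::numeric_limits<double>::infinity(),
                              9223372036854775808.0, 9007199254740992.0};
    for (double d : samples) {
        AppendedNumber r = appendNumber(d);
        if (r.type == kNumberLong) {
            std::printf("%-22g -> NumberLong   %lld\n", d, r.asLong);
        } else {
            std::printf("%-22g -> NumberDouble %g\n", d, r.asDouble);
        }
    }
    return 0;
}
```

To see the difference, build with `-fsanitize=undefined` (or just `-fsanitize=float-cast-overflow`) and call `unsafeDoubleToLongLong(std::nan(""))`: the runtime prints the same "value nan is outside the range of representable values of type 'long long'" message as the trace above, while `safeDoubleToLongLong` reports the failure through its return value and never executes the cast.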
 Comments   
Comment by Githook User [ 26/Feb/16 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22693 Avoid unsafe cast to long long in ValueWriter
Branch: master
https://github.com/mongodb/mongo/commit/0030e3176dc6c6ee60be204c6df1c6913ffda83d

Comment by Githook User [ 26/Feb/16 ]

Author:

{u'username': u'samantharitter', u'name': u'samantharitter', u'email': u'samantha.ritter@10gen.com'}

Message: SERVER-22693 Avoid unsafe casts to numbers in scripting engine
Branch: master
https://github.com/mongodb/mongo/commit/4ba65cba550e4589e46f63870e47322397001b1f
