[SERVER-22702] The $push modifier exhibits UB when validating the $position field
Created: 17/Feb/16  Updated: 16/Mar/16  Resolved: 24/Feb/16

Status: Closed
Project: Core Server
Component/s: Write Ops
Affects Version/s: None
Fix Version/s: 3.3.3

Type: Bug
Priority: Major - P3
Reporter: Andrew Morrow (Inactive)
Assignee: Tess Avitabile (Inactive)
Resolution: Done
Votes: 0
Labels: undefined-sanitizer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Minor Change
Operating System: ALL
Steps To Reproduce:

Run the modifier_push_test under UBSAN

Sprint: Query 11 (03/14/16)
Participants:

 Description   

The problematic code is here:

https://github.com/mongodb/mongo/blob/95ca58f7396c1c4e1c5e54caa81dda875ca87b57/src/mongo/db/ops/modifier_push.cpp#L322-L325

However, the entire validation block looks suspect and should probably be refactored.

(/home/andrew/Documents/10gen/dev/src/mongodb/build/optdebug/mongo/db/ops/modifier_push_test+0x5c5561): runtime error: value 9e+19 is outside the range of representable values of type 'long'
    #0 0x6ba3ad in mongo::ModifierPush::init(mongo::BSONElement const&, mongo::ModifierInterface::Options const&, bool*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/ops/modifier_push.cpp:322:46
    #1 0x5cdfe1 in (anonymous namespace)::UnitTest__ToPosition__BadInputs::_doTest() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/ops/modifier_push_test.cpp:1292:9
    #2 0x6e49c8 in mongo::unittest::Test::run() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:147:9
    #3 0x5cdccf in void mongo::unittest::Suite::runTestObject<(anonymous namespace)::UnitTest__ToPosition__BadInputs>() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:405:9
    #4 0x6e615d in mongo::unittest::TestHolder::run() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:257:9
    #5 0x6e615d in mongo::unittest::Suite::run(std::string const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:263
    #6 0x6e7627 in mongo::unittest::Suite::run(std::vector<std::string, std::allocator<std::string> > const&, std::string const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:321:27
    #7 0x6ecd47 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest_main.cpp:40:12
    #8 0x7f7c49d6ba3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #9 0x5af0c8 in _start (/home/andrew/Documents/10gen/dev/src/mongodb/build/optdebug/mongo/db/ops/modifier_push_test+0x5af0c8)



 Comments   
Comment by Tess Avitabile (Inactive) [ 24/Feb/16 ]

Previously the $position field for the $push modifier was required to be representable as a 64-bit integer. Now it is required to be representable as a 32-bit integer.

Comment by Githook User [ 24/Feb/16 ]

Author: Tess Avitabile (tessavitabile) <tess.avitabile@mongodb.com>

Message: SERVER-22702 Clean up push position validation and eliminate UB
Branch: master
https://github.com/mongodb/mongo/commit/08643f4ff5107be79c65de89773d91e7d616f9d5
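
Added example (not MongoDB's code and not taken from the linked commit): the UBSan report above comes from converting a double such as 9e+19 to an integer type that cannot hold it, so the range check has to happen before the cast. The helper names below are hypothetical, and the 64-bit variant goes beyond the ticket to show why comparing against INT64_MAX is not a sufficient check.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helpers; the names do not come from the MongoDB source.

// Stores d in *out and returns true only if d is a finite whole number that
// fits in int32_t. The cast is reached only after the range check, so it is
// never evaluated on a value for which the conversion is undefined.
bool doubleToInt32Exact(double d, std::int32_t* out) {
    if (!std::isfinite(d)) return false;   // NaN, +inf, -inf
    // Both int32 limits are exactly representable as double.
    const double lo = std::numeric_limits<std::int32_t>::min();
    const double hi = std::numeric_limits<std::int32_t>::max();
    if (d < lo || d > hi) return false;    // e.g. the 9e+19 from the report
    if (std::trunc(d) != d) return false;  // fractional value
    *out = static_cast<std::int32_t>(d);
    return true;
}

// 64-bit variant. INT64_MAX is not representable as double: it rounds up to
// 2^63, so "d <= (double)INT64_MAX" would accept 2^63, which does not fit.
// Compare against 2^63 with a strict "<" instead.
bool doubleToInt64Exact(double d, std::int64_t* out) {
    const double twoTo63 = 9223372036854775808.0;  // exactly 2^63
    if (!std::isfinite(d)) return false;
    if (d < -twoTo63 || d >= twoTo63) return false;
    if (std::trunc(d) != d) return false;
    *out = static_cast<std::int64_t>(d);
    return true;
}

int main() {
    // Constructed sample inputs, including the value from the UBSan report.
    const double samples[] = {0.0, -1.0, 2147483647.0, 2147483648.0, 1.5, 9e19};
    for (double d : samples) {
        std::int32_t v32 = 0;
        std::int64_t v64 = 0;
        std::printf("%g: int32 %s, int64 %s\n", d,
                    doubleToInt32Exact(d, &v32) ? "ok" : "rejected",
                    doubleToInt64Exact(d, &v64) ? "ok" : "rejected");
    }
    return 0;
}
```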
