[SERVER-22710] NetworkInterfaceAsio timers have UB signed integer overflow in chrono conversions Created: 17/Feb/16  Updated: 16/Mar/16  Resolved: 03/Mar/16

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: None
Fix Version/s: 3.3.3

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: undefined-sanitizer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run any NIA test under UBSAN

Sprint: Platforms 11 (03/11/16)
Participants:

 Description   

The MalformedMessageTest (and others) reveals a signed integer overflow with ASIO timers:

/usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/chrono:176:38: runtime error: signed integer overflow: 9223370581106577305 * 1000000 cannot be represented in type 'long'
    #0 0x8128d4 in std::chrono::duration<long, std::ratio<1l, 1000000000l> > std::chrono::__duration_cast_impl<std::chrono::duration<long, std::ratio<1l, 1000000000l> >, std::ratio<1000000l, 1l>, long, false, true>::__cast<long, std::ratio<1l, 1000l> >(std::chrono::duration<long, std::ratio<1l, 1000l> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/chrono:176:8
    #1 0x8128d4 in _ZNSt6chrono13duration_castINS_8durationIlSt5ratioILl1ELl1000000000EEEElS2_ILl1ELl1000EEEENSt9enable_ifIXsr13__is_durationIT_EE5valueES7_E4typeERKNS1_IT0_T1_EE /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/chrono:203
    #2 0x8128d4 in std::chrono::duration<long, std::ratio<1l, 1000000000l> >::duration<long, std::ratio<1l, 1000l>, void>(std::chrono::duration<long, std::ratio<1l, 1000l> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/chrono:271
    #3 0x8128d4 in mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/executor/connection_pool_asio.cpp:60
    #4 0x8128d4 in void asio::asio_handler_invoke<mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0>(mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0&, ...) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/handler_invoke_hook.hpp:68
    #5 0x8128d4 in void asio_handler_invoke_helpers::invoke<mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0, mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0>(mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0&, mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/handler_invoke_helpers.hpp:37
    #6 0x812a5b in void asio::detail::handler_work<mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0, asio::system_executor>::complete<mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0>(mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0&, mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/handler_work.hpp:81:5
    #7 0x812a5b in asio::detail::completion_handler<mongo::executor::connection_pool_asio::ASIOTimer::setTimeout(std::chrono::duration<long, std::ratio<1l, 1000l> >, std::function<void ()>)::$_0>::do_complete(void*, asio::detail::scheduler_operation*, std::error_code const&, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/completion_handler.hpp:69
    #8 0x90f401 in asio::detail::scheduler_operation::complete(void*, std::error_code const&, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/scheduler_operation.hpp:39:5
    #9 0x90f401 in asio::detail::strand_service::do_complete(void*, asio::detail::scheduler_operation*, std::error_code const&, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/impl/strand_service.ipp:167
    #10 0x9082c6 in asio::detail::scheduler_operation::complete(void*, std::error_code const&, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/scheduler_operation.hpp:39:5
    #11 0x9082c6 in asio::detail::scheduler::do_run_one(asio::detail::scoped_lock<asio::detail::posix_mutex>&, asio::detail::scheduler_thread_info&, std::error_code const&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/impl/scheduler.ipp:369
    #12 0x8ff784 in asio::detail::scheduler::run(std::error_code&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/detail/impl/scheduler.ipp:146:10
    #13 0x8ff66a in asio::io_service::run() /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/asio-asio-1-11-0/asio/include/asio/impl/io_service.ipp:60:19
    #14 0x821168 in mongo::executor::NetworkInterfaceASIO::startup()::$_0::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/executor/network_interface_asio.cpp:116:17
    #15 0x821168 in void std::_Bind_simple<mongo::executor::NetworkInterfaceASIO::startup()::$_0 ()>::_M_invoke<>(std::_Index_tuple<>) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/functional:1530
    #16 0x821168 in std::_Bind_simple<mongo::executor::NetworkInterfaceASIO::startup()::$_0 ()>::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/functional:1520
    #17 0x821168 in std::thread::_Impl<std::_Bind_simple<mongo::executor::NetworkInterfaceASIO::startup()::$_0 ()> >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.2.1/../../../../include/c++/5.2.1/thread:115
    #18 0x7fccdbc7102f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb902f)
    #19 0x7fccdb9a16a9 in start_thread /build/buildd/glibc-2.21/nptl/pthread_create.c:333
    #20 0x7fccdb4bfeec in clone /build/buildd/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109



 Comments   
Comment by Githook User [ 03/Mar/16 ]

Author: Jason Carey (hanumantmk) <jcarey@argv.me>

Message: SERVER-22710 Fix UB in ASIO timeout durations

std::chrono types can naturally signed integer overflow if you
accidentally pass a large duration in lower granularity
(std::chrono::milliseconds::max()) to a higher granularity constructor
(std::chrono::nanoseconds).

We have to clamp our casts to ensure that we don't wrap around to
negative values.
Branch: master
https://github.com/mongodb/mongo/commit/9778d0678715fc3f9b9f725cfd11ea85ce03b2fc
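
The clamping the commit message describes, as an added C++ example (not the code from the MongoDB commit): `saturating_duration_cast` is a hypothetical helper that saturates at the target type's limits instead of multiplying past them. It assumes signed integral representations and a target unit that is an exact refinement of the source unit, as nanoseconds is of milliseconds.

```cpp
#include <chrono>
#include <cstdio>
#include <limits>
#include <ratio>
#include <type_traits>

// Hypothetical helper, not the code from the MongoDB commit.
// Converts `from` to a finer-grained duration `To`, clamping to
// To::min()/To::max() instead of overflowing the signed count.
template <typename To, typename Rep, typename Period>
To saturating_duration_cast(std::chrono::duration<Rep, Period> from) {
    using ToRep = typename To::rep;
    using Factor = std::ratio_divide<Period, typename To::period>;
    static_assert(Factor::den == 1, "To must be an exact refinement of the source unit");
    static_assert(std::is_integral<Rep>::value && std::is_signed<Rep>::value &&
                      std::is_integral<ToRep>::value && std::is_signed<ToRep>::value,
                  "signed integral representations only");
    // Divide the target limits down to source units. Division cannot overflow;
    // multiplying the source count, as the implicit conversion does, can.
    constexpr auto hi = std::numeric_limits<ToRep>::max() / Factor::num;
    constexpr auto lo = std::numeric_limits<ToRep>::min() / Factor::num;
    if (from.count() > hi) return To::max();
    if (from.count() < lo) return To::min();
    return To(static_cast<ToRep>(from.count() * Factor::num));
}

int main() {
    using namespace std::chrono;
    // Constructed inputs: a maximal millisecond duration and an ordinary timeout.
    auto a = saturating_duration_cast<nanoseconds>(milliseconds::max());
    auto b = saturating_duration_cast<nanoseconds>(milliseconds(1500));
    std::printf("%lld\n%lld\n", static_cast<long long>(a.count()),
                static_cast<long long>(b.count()));
    return 0;
}
```

Building a check like this with `-fsanitize=signed-integer-overflow` confirms that the clamped path no longer produces the report shown in the description.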
