[SERVER-36926] Undefined behavior from signed overflow in cursor manager, can result in mongos invariant failure

Created: 29/Aug/18 | Updated: 29/Oct/23 | Resolved: 10/Sep/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Querying |
| Affects Version/s: | None |
| Fix Version/s: | 4.1.3, 4.0.24, 3.6.24 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ian Boros | Assignee: | Ted Tuckman |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | asdf, bkp, neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.0, v3.6 |
| Sprint: | Query 2018-10-08 |
| Participants: |
| Case: | (copied to CRM) |
| Description |
|
david.storch pointed this out while we were reading some code at my desk: The call to std::abs(_pseudoRandom.nextInt32()) here could result in undefined behavior if _pseudoRandom.nextInt32() returns MIN_INT. Most compilers will probably do something reasonable in this situation. Many will probably just return MIN_INT, meaning that it's possible to get a negative cursor id. |
| Comments |
| Comment by Githook User [ 06/Apr/21 ] |
|
Author: {'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'} Message: (cherry picked from commit 0e5b2946e1750fd4a5ac30cdc6d67d6fda94d378) |
| Comment by Githook User [ 05/Apr/21 ] |
|
Author: {'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'} Message: (cherry picked from commit 0e5b2946e1750fd4a5ac30cdc6d67d6fda94d378) |
| Comment by David Storch [ 05/Apr/21 ] |
|
I have identified that this issue is the root cause of |
| Comment by Githook User [ 10/Sep/18 ] |
|
Author: {'name': 'Ted Tuckman', 'email': 'ted.tuckman@mongodb.com', 'username': 'TedTuckman'} Message: |
| Comment by David Storch [ 07/Sep/18 ] |
|
We can fix this by generating a new random number when we get MIN_INT, before calling std::abs(). |
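
The redraw approach proposed in the comment above, as an added example that is not part of the ticket or of the MongoDB code base. `ScriptedRandom` and `nextNonNegativeInt32` are hypothetical names, and the number sequence is constructed so that the `INT32_MIN` draw is forced; only `nextInt32()` and `std::abs()` come from the ticket.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <utility>
#include <vector>

// Hypothetical stand-in for the PRNG behind _pseudoRandom: replays a
// constructed sequence so the INT32_MIN draw can be forced deterministically.
class ScriptedRandom {
public:
    explicit ScriptedRandom(std::vector<int32_t> values) : _values(std::move(values)) {}
    int32_t nextInt32() { return _values[_pos++ % _values.size()]; }
    std::size_t draws() const { return _pos; }

private:
    std::vector<int32_t> _values;
    std::size_t _pos = 0;
};

// Hypothetical helper. -INT32_MIN is not representable in int32_t, so
// std::abs(INT32_MIN) is undefined behavior; redraw until the value is safe.
template <typename Rng>
int32_t nextNonNegativeInt32(Rng& rng) {
    int32_t v = rng.nextInt32();
    while (v == std::numeric_limits<int32_t>::min()) {
        v = rng.nextInt32();
    }
    return std::abs(v);  // defined for every remaining input, result >= 0
}

int main() {
    const int32_t kMin = std::numeric_limits<int32_t>::min();
    ScriptedRandom rng(std::vector<int32_t>{kMin, kMin, -7, 42});  // constructed input
    int32_t first = nextNonNegativeInt32(rng);  // skips both kMin draws
    int32_t second = nextNonNegativeInt32(rng);
    return (first == 7 && second == 42 && rng.draws() == 4) ? 0 : 1;
}
```

The redraw changes the output range to [0, INT32_MAX] and makes `INT32_MIN` the only rejected input, so the loop terminates after one extra draw in all but a 1-in-2^32 case per draw.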