[SERVER-36926] Undefined behavior from signed overflow in cursor manager, can result in mongos invariant failure
Created: 29/Aug/18  Updated: 29/Oct/23  Resolved: 10/Sep/18

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: None
Fix Version/s: 4.1.3, 4.0.24, 3.6.24

Type: Bug
Priority: Major - P3
Reporter: Ian Boros
Assignee: Ted Tuckman
Resolution: Fixed
Votes: 0
Labels: asdf, bkp, neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Duplicate
is duplicated by SERVER-27796 Invariant failure in cluster_cursor_m... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.0, v3.6
Sprint: Query 2018-10-08
Participants:
Case:

 Description   

david.storch pointed this out while we were reading some code at my desk:

The call to std::abs(_pseudoRandom.nextInt32()) here could result in undefined behavior if _pseudoRandom.nextInt32() returns MIN_INT. Most compilers will probably do something reasonable in this situation. Many will probably just return MIN_INT, meaning that it's possible to get a negative cursor id.



 Comments   
Comment by Githook User [ 06/Apr/21 ]

Author: Ted Tuckman <ted.tuckman@mongodb.com> (TedTuckman)

Message: SERVER-36926 Remove possibility of passing INT_MIN to abs() in ClusterCursorManager

(cherry picked from commit 0e5b2946e1750fd4a5ac30cdc6d67d6fda94d378)
(cherry picked from commit 368553479c74478d15204383289d1291ad097909)
Branch: v3.6
https://github.com/mongodb/mongo/commit/fc3f626537400cf3b6dd89daf9ee8f50c45e03cb

Comment by Githook User [ 05/Apr/21 ]

Author: Ted Tuckman <ted.tuckman@mongodb.com> (TedTuckman)

Message: SERVER-36926 Remove possibility of passing INT_MIN to abs() in ClusterCursorManager

(cherry picked from commit 0e5b2946e1750fd4a5ac30cdc6d67d6fda94d378)
Branch: v4.0
https://github.com/mongodb/mongo/commit/368553479c74478d15204383289d1291ad097909

Comment by David Storch [ 05/Apr/21 ]

I have identified that this issue is the root cause of SERVER-27796, which means that it should be backported to all supported branches. See my comment here for additional details.

Comment by Githook User [ 10/Sep/18 ]

Author: Ted Tuckman <ted.tuckman@mongodb.com> (TedTuckman)

Message: SERVER-36926 Remove possibility of passing INT_MIN to abs() in ClusterCursorManager
Branch: master
https://github.com/mongodb/mongo/commit/0e5b2946e1750fd4a5ac30cdc6d67d6fda94d378

Comment by David Storch [ 07/Sep/18 ]

We can fix this by generating a new random number when we get MIN_INT, before calling std::abs().
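
The redraw approach described in this ticket, written out as an added example; it is not the code from the MongoDB commit. `ScriptedSource`, `absOverflowsInt32` and `nextNonNegativeInt32` are hypothetical names, and the replayed sequence is constructed so the INT32_MIN case can be exercised deterministically.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <utility>
#include <vector>

// Hypothetical stand-in for a PRNG's nextInt32(): replays a constructed
// sequence instead of producing random values.
struct ScriptedSource {
    std::vector<std::int32_t> values;
    std::size_t pos = 0;
    std::size_t calls = 0;
    explicit ScriptedSource(std::vector<std::int32_t> v) : values(std::move(v)) {}
    std::int32_t nextInt32() {
        ++calls;
        return values[pos++ % values.size()];
    }
};

// True when |v| is not representable as int32_t, i.e. std::abs(v) would be
// undefined behavior. Computed in 64 bits so the check itself cannot overflow.
inline bool absOverflowsInt32(std::int32_t v) {
    const std::int64_t wide = v;
    const std::int64_t magnitude = wide < 0 ? -wide : wide;
    return magnitude > std::numeric_limits<std::int32_t>::max();
}

// Draw until the value is safe to pass to std::abs(), then take the absolute
// value. The result is always in [0, INT32_MAX], never negative.
template <typename Source>
std::int32_t nextNonNegativeInt32(Source& src) {
    std::int32_t v = src.nextInt32();
    while (absOverflowsInt32(v)) {
        v = src.nextInt32();  // redraw: INT32_MIN has no positive counterpart
    }
    return std::abs(v);
}

// Constructed sample run: the first two draws are INT32_MIN and are discarded.
inline std::int32_t demoRedraw() {
    const std::int32_t lowest = std::numeric_limits<std::int32_t>::min();
    ScriptedSource src({lowest, lowest, -42});
    return nextNonNegativeInt32(src);
}
```
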
