[SERVER-36993] mongod crash: Invariant failure indexedOr src/mongo/db/query/index_tag.cpp 237 Created: 05/Sep/18  Updated: 29/Oct/23  Resolved: 14/Sep/18

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: 3.6.7
Fix Version/s: 3.6.9, 4.0.3, 4.1.4

Type: Bug Priority: Critical - P2
Reporter: Travis Brown Assignee: David Storch
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Problem/Incident
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.0, v3.6
Sprint: Query 2018-09-24
Participants:

Description
CVE-2018-20802

Title: Post-auth queries on compound index may crash mongod

Description:
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.3; v3.6 versions prior to 3.6.9.

CVSS score:
This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions:
MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.3; v3.6 versions prior to 3.6.9.

CWE: CWE-394: Unexpected Status Code or Return Value

Opening to discuss the security impact of SERVER-36993, which affects 3.6.3 and later. This issue was externally identified and reported.

I believe this exploit can be used in a denial of service attack against Atlas free tier.


Comments
Comment by Githook User [ 18/Sep/18 ]

Author:

{'name': 'David Storch', 'email': 'david.storch@10gen.com', 'username': 'dstorch'}

Message: SERVER-36993 Fix crash due to incorrect $or pushdown for indexed $expr.

(cherry picked from commit 0aebf209b1467df188b8915d507fc6a2dcf80ef8)
Branch: v3.6
https://github.com/mongodb/mongo/commit/2b4634bb6512c5345de2ab8f698a687c6cec9973

Comment by Githook User [ 14/Sep/18 ]

Author:

{'name': 'David Storch', 'email': 'david.storch@10gen.com', 'username': 'dstorch'}

Message: SERVER-36993 Fix crash due to incorrect $or pushdown for indexed $expr.

(cherry picked from commit ee97c0699fd55b498310996ee002328e533681a3)
Branch: v4.0
https://github.com/mongodb/mongo/commit/0aebf209b1467df188b8915d507fc6a2dcf80ef8

Comment by Githook User [ 14/Sep/18 ]

Author:

{'name': 'David Storch', 'email': 'david.storch@10gen.com', 'username': 'dstorch'}

Message: SERVER-36993 Fix crash due to incorrect $or pushdown for indexed $expr.
Branch: master
https://github.com/mongodb/mongo/commit/ee97c0699fd55b498310996ee002328e533681a3

Comment by David Storch [ 05/Sep/18 ]

This appears to be a bad interaction between $or pushdown from SERVER-13732 and the $expr rewrite optimization implemented under SERVER-31760. I'm digging in a bit more in order to identify the proper fix.

Comment by Travis Brown [ 05/Sep/18 ]

Thanks! It also looks like you fixed my formatting, which I appreciate.

Comment by Kelsey Schubert [ 05/Sep/18 ]

Thanks for the report, travis@bryx.com. I've reproed following your example and we're investigating.

Generated at Thu Feb 08 04:44:40 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.