[SERVER-37258] UBSAN report from MurmurHash in UnorderedFastKeyTable on clang 6
Created: 21/Sep/18
Updated: 29/Oct/23
Resolved: 23/Oct/18

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 4.1.5

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Mira Carey
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Service Arch 2018-10-08, Service Arch 2018-10-22, Service Arch 2018-11-05
Participants:
Linked BF Score: 45

 Description   

The clang 6 version of UBSAN reports the following error when starting binaries:

% UBSAN_OPTIONS=print_stacktrace=1 build/ninjaASAN/mongo/bson/bson_obj_test                                                                         
src/mongo/base/data_view.h:46:23: runtime error: addition of unsigned offset to 0x55eb06831084 overflowed to 0x55eb06831080                                                                                       
    #0 0x55eb05d1e642 in mongo::ConstDataView::view(unsigned long) const /home/sajack/mongo/src/mongo/base/data_view.h:46:23                                                                                      
    #1 0x55eb0642de6a in mongo::ConstDataView const& mongo::ConstDataView::read<mongo::ReverseLittleEndian<unsigned int> >(mongo::ReverseLittleEndian<unsigned int>*, unsigned long) const /home/sajack/mongo/src/mongo/base/data_view.h:51:33
    #2 0x55eb0642daf8 in mongo::ReverseLittleEndian<unsigned int> mongo::ConstDataView::read<mongo::ReverseLittleEndian<unsigned int> >(unsigned long) const /home/sajack/mongo/src/mongo/base/data_view.h:60:9   
    #3 0x55eb0642c646 in getblock(unsigned int const*, int) /home/sajack/mongo/src/third_party/murmurhash3/MurmurHash3.cpp:67:10                                                                                  
    #4 0x55eb0642c646 in MurmurHash3_x86_32(void const*, int, unsigned int, void*) /home/sajack/mongo/src/third_party/murmurhash3/MurmurHash3.cpp:123                                                             
    #5 0x55eb061e7275 in mongo::StringMapTraits::hash(mongo::StringData) /home/sajack/mongo/src/mongo/util/string_map.h:43:9                                                                                      
    #6 0x55eb061e612c in mongo::StringMapTraits::HashedKey::HashedKey(mongo::StringData) /home/sajack/mongo/src/mongo/util/string_map.h:61:68                                                                     
    #7 0x55eb061e3f5c in mongo::UnorderedFastKeyTable<mongo::StringData, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, mongo::BSONType, mongo::StringMapTraits>::UnorderedFastKeyTable(std::initializer_list<std::pair<mongo::StringData, mongo::BSONType> >) /home/sajack/mongo/src/mongo/util/unordered_fast_key_table_internal.h:101:20                                                        
    #8 0x55eb05b5c8d9 in __cxx_global_var_init.26 /home/sajack/mongo/src/mongo/bson/bsontypes.cpp:96:43
    #9 0x55eb05b5cae8 in _GLOBAL__sub_I_bsontypes.cpp /home/sajack/mongo/src/mongo/bson/bsontypes.cpp
    #10 0x55eb0663074c in __libc_csu_init (/home/sajack/mongo/build/ninjaASAN/mongo/bson/bson_obj_test+0x134b74c)                                                                                                 
    #11 0x7f8d1cd0f1ad in __libc_start_main (/usr/lib/libc.so.6+0x241ad)
    #12 0x55eb05b6258d in _start (/home/sajack/mongo/build/ninjaASAN/mongo/bson/bson_obj_test+0x87d58d)
 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mongo/base/data_view.h:46:23 in
% clang --version                                                                                                                                   
clang version 6.0.1 (tags/RELEASE_601/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin



 Comments   
Comment by Githook User [ 23/Oct/18 ]

Author: Jason Carey (hanumantmk) <jcarey@argv.me>

Message: SERVER-37258 Fix UB in MurmurHash3

When we did the data view integration into murmurhash3 (to make it big
endian safe) we missed that murmurhash3 uses negative offsets of
pointers. Because DataView took size_t for offsetting parameters, this
involved wrapping pointers around (adding very large numbers to pointers
to produce negative offsets). That's UB, and newer ubsan caught it.

This change fixes that by making the DataView offsetting logic ptrdiff_t
based.

It also introduces test vectors for murmurhash3 that I've used to verify
that we haven't changed its output.
Branch: master
https://github.com/mongodb/mongo/commit/bb91ac5a2c0b647b80d65d4aaf5a448351b9cc33
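
The failure mode described in the commit message, as a self-contained C++ example added here; it is not the MongoDB source, and `View`, `readLE32` and `wrappedOffset` are hypothetical names. With a `size_t` offset, block index -1 turns into an offset of `SIZE_MAX - 3`, which is the 4-byte backwards step UBSAN flagged in the report (…084 to …080); with a `ptrdiff_t` offset the same negative-index block loop runs without wrapping the pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Offset a size_t-based interface receives for block index i. The int is
// converted to size_t before the multiply (done explicitly here), so i = -1
// gives SIZE_MAX - 3; adding that to a pointer relies on address wraparound,
// which is undefined behaviour.
inline std::size_t wrappedOffset(int i) {
    return static_cast<std::size_t>(i) * sizeof(std::uint32_t);
}

// Hypothetical stand-in for the view type: little-endian 32-bit load at a
// signed byte offset from the base pointer, as in the ptrdiff_t-based fix.
class View {
public:
    explicit View(const char* bytes) : _bytes(bytes) {}
    std::uint32_t readLE32(std::ptrdiff_t offset) const {
        unsigned char b[4];
        std::memcpy(b, _bytes + offset, sizeof b);
        return std::uint32_t(b[0]) | (std::uint32_t(b[1]) << 8) |
               (std::uint32_t(b[2]) << 16) | (std::uint32_t(b[3]) << 24);
    }
private:
    const char* _bytes;
};

inline std::uint32_t rotl32(std::uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

// MurmurHash3_x86_32 with the block loop counting up from -nblocks, so every
// block read uses a negative offset from the end of the last full block.
std::uint32_t murmur3_x86_32(const void* key, int len, std::uint32_t seed) {
    const char* data = static_cast<const char*>(key);
    const int nblocks = len / 4, rem = len & 3;
    const std::uint32_t c1 = 0xcc9e2d51, c2 = 0x1b873593;
    std::uint32_t h1 = seed, k1 = 0;
    const View blocks(data + nblocks * 4);
    for (int i = -nblocks; i; i++) {
        k1 = blocks.readLE32(std::ptrdiff_t(i) * 4);
        k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2;
        h1 ^= k1; h1 = rotl32(h1, 13); h1 = h1 * 5 + 0xe6546b64;
    }
    const unsigned char* tail = reinterpret_cast<const unsigned char*>(data) + nblocks * 4;
    k1 = 0;
    if (rem >= 3) k1 ^= std::uint32_t(tail[2]) << 16;
    if (rem >= 2) k1 ^= std::uint32_t(tail[1]) << 8;
    if (rem >= 1) { k1 ^= tail[0]; k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2; h1 ^= k1; }
    h1 ^= std::uint32_t(len);
    h1 ^= h1 >> 16; h1 *= 0x85ebca6b;
    h1 ^= h1 >> 13; h1 *= 0xc2b2ae35;
    return h1 ^ (h1 >> 16);
}
```

Building a caller of `murmur3_x86_32` with `-fsanitize=undefined` exercises the same class of check that produced the report above.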
