[SERVER-41024] safeInt32 and safeInt64 IDL types are not safe for all numerical inputs, results in UB
Created: 06/May/19  Updated: 29/Oct/23  Resolved: 03/Jun/19

Status: Closed
Project: Core Server
Component/s: IDL
Affects Version/s: None
Fix Version/s: 4.1.14

Type: Bug
Priority: Major - P3
Reporter: David Storch
Assignee: Mark Benvenuto
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-26148 Commands should convert integers from... Backlog
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security 2019-05-20, Security 2019-06-03
Participants:

 Description   

There are a handful of "basic types" provided by the IDL in basic_types.idl. Among these basic types are safeInt32 and safeInt64, which purport to convert any numerical BSON element (int, long, double, or decimal) into either a 32-bit signed integer or 64-bit signed integer. However, the deserializers for these types just call BSONElement::numberInt() and BSONElement::numberLong(), which do not implement a safe conversion from any double to an integer. In particular, a double which is too large to fit inside a long (or int) will result in undefined behavior.

Any IDL-generated parser will therefore produce UB if provided unsanitized input containing a very large double. There are several uses of safeInt64 and safeInt32 in the code base which may be affected. For instance, the size parameter to the create command looks like it could result in UB if the client specified the value as a very large double.
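
A range-checked double-to-integer conversion of the kind the description says is missing, as an added example; it is not code from this ticket, from the linked commit, or from the MongoDB code base. The helper names and the choice to reject out-of-range values instead of clamping them are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>

// 2^63 is exactly representable as a double. INT64_MAX (2^63 - 1) is not: it
// rounds up to 2^63, so the upper bound has to be an exclusive comparison.
static const double kTwoPow63 = 9223372036854775808.0;

// Hypothetical helper (not a MongoDB API): truncates d toward zero and stores
// it in *out. Returns false, leaving *out untouched, when the result would not
// fit. Rejecting instead of clamping is a policy assumed for this example.
bool checkedDoubleToInt64(double d, std::int64_t* out) {
    const double t = std::trunc(d);
    // Written so that NaN and +/-infinity fail the test: every comparison
    // with NaN is false, and infinity is not below 2^63.
    if (!(t >= -kTwoPow63 && t < kTwoPow63)) return false;
    *out = static_cast<std::int64_t>(t);  // in range, so the cast is defined
    return true;
}

// Every int32_t value is exactly representable as a double, so both bounds
// can be inclusive here.
bool checkedDoubleToInt32(double d, std::int32_t* out) {
    const double t = std::trunc(d);
    const double lo = std::numeric_limits<std::int32_t>::min();
    const double hi = std::numeric_limits<std::int32_t>::max();
    if (!(t >= lo && t <= hi)) return false;
    *out = static_cast<std::int32_t>(t);
    return true;
}

int main() {
    // Constructed sample inputs, including a "very large double".
    const double samples[] = {42.9, -42.9, 1e30, kTwoPow63, -kTwoPow63, std::nan("")};
    for (double d : samples) {
        std::int64_t v = 0;
        if (checkedDoubleToInt64(d, &v))
            std::cout << d << " -> " << v << "\n";
        else
            std::cout << d << " -> rejected (out of int64 range)\n";
    }
    return 0;
}
```

Comparing against `static_cast<double>(INT64_MAX)` with `<=` would accept 2^63 itself, which is why the 64-bit check uses a strict `<` against the exact power of two.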



 Comments   
Comment by Githook User [ 03/Jun/19 ]

Author: Mark Benvenuto (markbenvenuto) <mark.benvenuto@mongodb.com>

Message: SERVER-41024 safeInt64 IDL types are not safe for all numerical inputs, results in UB
Branch: master
https://github.com/mongodb/mongo/commit/28000675e7cf1b6ab55a0aaa0fcb07a7f3c49512
