[SERVER-56513] Numeric index key patterns can be outside the range of representable values of type 'int'
Created: 30/Apr/21  Updated: 29/Oct/23  Resolved: 11/May/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.4.5
Fix Version/s: 5.0.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Gregory Wlodarek
Assignee: Benety Goh
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-56745 fix index_id_options.js tags Closed
Problem/Incident
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run the following with the undefined behaviour sanitizer in jstests/core/

(function() {
    "use strict";

    const coll = db.int_key_pattern;
    coll.drop();

    assert.commandWorked(db.createCollection(coll.getName()));
    assert.commandWorked(coll.insert({x: 1, y: "foo", z: 1}));

    // 1.8446744073709552e+19 is 2^64 and 4294967296 is 2^32; both are
    // outside the range of a 32-bit 'int'.
    coll.createIndex({_id: 1.8446744073709552e+19});
    coll.createIndex({_id: -1.8446744073709552e+19});
    coll.createIndex({x: 1.8446744073709552e+19});
    coll.createIndex({x: -1.8446744073709552e+19});
    coll.createIndex({y: 'text', z: 4294967296});
    coll.createIndex({y: 'text', z: -4294967296});
}());

Sprint: Execution Team 2021-05-17
Participants:
Linked BF Score: 168

Description

The undefined behaviour sanitizer was trying to create indexes with numeric key patterns outside the range of representable values of 'int'. The input wasn't rejected by the createIndexes command and code at later points called BSONElement::numberInt() assuming it's safe.

Here are two spots that UBSan found, but there may be more:

  1. IndexDescriptor
  2. FTSSpec

I've verified that this behaviour already exists on v4.4, so the solution will need to be cautious as index specifications with these patterns can already be stored durably.
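
The class of bug described above, shown as an added example that is not MongoDB's code or the committed fix: a range check done in the source type before narrowing to int, applied to the values from the reproducer. The helper names checkedDoubleToInt and checkedLongToInt are hypothetical, and a 32-bit int is assumed.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Hypothetical helpers, not MongoDB's API: narrow a numeric key-pattern value
// to int only when the result is representable, instead of casting blindly.
bool checkedDoubleToInt(double v, int* out) {
    // INT_MIN and INT_MAX are exactly representable as double (32-bit int assumed).
    const double lo = static_cast<double>(std::numeric_limits<int>::min());
    const double hi = static_cast<double>(std::numeric_limits<int>::max());
    // The cast truncates toward zero, so anything strictly between lo-1 and hi+1
    // is safe. NaN compares false to everything, so it is tested explicitly.
    if (std::isnan(v) || v <= lo - 1.0 || v >= hi + 1.0)
        return false;               // casting here would be undefined behaviour
    *out = static_cast<int>(v);
    return true;
}

// Same check for 64-bit integer input, where an unchecked narrowing would
// silently change the value rather than trip the sanitizer.
bool checkedLongToInt(long long v, int* out) {
    if (v < std::numeric_limits<int>::min() || v > std::numeric_limits<int>::max())
        return false;
    *out = static_cast<int>(v);
    return true;
}

int main() {
    // Key-pattern values from the reproducer, plus the ordinary 1 and -1.
    const double samples[] = {1.8446744073709552e+19, -1.8446744073709552e+19,
                              4294967296.0, -4294967296.0, 1.0, -1.0};
    for (double v : samples) {
        int n = 0;
        if (checkedDoubleToInt(v, &n))
            std::printf("%g -> %d\n", v, n);
        else
            std::printf("%g -> rejected (not representable as int)\n", v);
    }
    return 0;
}
```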



Comments
Comment by Githook User [ 08/May/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56513 fix IndexDescriptor::isIdIndexPattern() to handle out of bounds direction values in _id key patterns
Branch: master
https://github.com/mongodb/mongo/commit/5b10b587b11dcf21a10406ad2ad6753e1e3a983e

Comment by Benety Goh [ 07/May/21 ]

Needs some cleanup in SERVER-56745 before we can retry the fix for IndexDescriptor.

Comment by Githook User [ 07/May/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: Revert "SERVER-56513 fix IndexDescriptor::isIdIndexPattern() to handle out of bounds direction values in _id key patterns"

This reverts commit c1ffed1b5d9495d61b7cb30ec00b7b024898acdf.
Branch: master
https://github.com/mongodb/mongo/commit/3c818a31e3c1aea8f2ff36d3924cb53a4c6a6126

Comment by Githook User [ 06/May/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56513 fix IndexDescriptor::isIdIndexPattern() to handle out of bounds direction values in _id key patterns
Branch: master
https://github.com/mongodb/mongo/commit/c1ffed1b5d9495d61b7cb30ec00b7b024898acdf

Comment by Githook User [ 06/May/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56513 remove KeyPattern::isIdKeyPattern()

This is redundant when we have IndexDescriptor::isIdIndex().
Branch: master
https://github.com/mongodb/mongo/commit/2a469ee7af51dfb78bd266b8ae7de288d803d084

Comment by Githook User [ 05/May/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56513 fix FTSSpec::fixSpec() to handle int values in key patterns that are out of bounds
Branch: master
https://github.com/mongodb/mongo/commit/aa394f2e69b756b6ebc92bb842f828ec14334f49

Comment by Benety Goh [ 05/May/21 ]

There is a similar function to check the _id key pattern in KeyPattern. Fortunately, this function is used in only one place which also has access to IndexDescriptor.

Generated at Thu Feb 08 05:39:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.