[SERVER-67315] 32 bit integer overflow in DocumentSourceSort::createBoundedSort() call Created: 15/Jun/22  Updated: 29/Oct/23  Resolved: 16/Jun/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 6.0.0-rc10, 6.1.0-rc0
Fix Version/s: 6.0.0-rc11, 6.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: James Wahlin Assignee: James Wahlin
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v6.0
Steps To Reproduce:

This issue can be reproduced outside of the sanitizer by:

1) Applying the following patch:

diff --git a/src/mongo/db/pipeline/document_source_sort.cpp b/src/mongo/db/pipeline/document_source_sort.cpp
index 8083629fbfd..8d6c2e2e530 100644
--- a/src/mongo/db/pipeline/document_source_sort.cpp
+++ b/src/mongo/db/pipeline/document_source_sort.cpp
@@ -425,6 +425,7 @@ intrusive_ptr<DocumentSourceSort> DocumentSourceSort::createBoundedSort(
     long long boundOffset,
     boost::optional<long long> limit,
     const intrusive_ptr<ExpressionContext>& expCtx) {
+    invariant(boundOffset >= 0);
 
     auto ds = DocumentSourceSort::create(expCtx, pat);
 
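Review bot: the added `invariant(boundOffset >= 0);` is a detection aid, not the fix. It runs in the callee after the caller has already multiplied a 32-bit value by 1000 (the pipeline_d.cpp code linked in the description), so the corrective change belongs at that call site, widening the multiplication to `long long` before the value is passed in. A sign check also only catches wraps that land negative: a product that wraps past 2^32 back into the positive range (for example 4294968 * 1000) would satisfy the invariant, so it should not be treated as complete overflow detection. If the invariant is kept, add a one-line comment stating that the bound is expected to be non-negative so the reason is visible to the next reader.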
2) Running jstests/noPassthrough/timeseries_sort.js

Sprint: QO 2022-06-27
Participants:
Linked BF Score: 177

Description

Overflow is possible in the code linked below when a 32-bit integer is multiplied by 1000. This happens in practice when the time-series bucket granularity is set to "hours", which carries a bucket max span seconds value of 2592000, and the bucket unpacking with sort optimization is in play.

https://github.com/mongodb/mongo/blob/fecef7a1f75e196a24715fabb0721124e71e170b/src/mongo/db/pipeline/pipeline_d.cpp#L1412-L1414
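The following added example is not MongoDB's code; it is a stand-alone illustration of the arithmetic behind this ticket. It reproduces the 32-bit wraparound for the "hours" bucket max span (2592000 seconds, from the description above), shows the widened `long long` computation that avoids it, and adds an overflow-checked variant using the GCC/Clang `__builtin_mul_overflow` builtin. The function names and the `boundOffsetIsValid` helper, which mirrors the non-negative invariant from the reproduction patch, are assumptions made for this example. Signed overflow is undefined behaviour in C++, so the defective path models the wrap with unsigned arithmetic instead of relying on UB.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <optional>

// Constructed constant: bucket max span, in seconds, for "hours" granularity
// (2592000 is the value named in the ticket description).
constexpr int32_t kHoursBucketMaxSpanSeconds = 2592000;

// Defective computation (hypothetical stand-in): seconds * 1000 in 32 bits.
// The wrap is modelled with unsigned arithmetic, which is well defined,
// and the result is reinterpreted as int32 to show what the callee sees.
int32_t boundOffsetMillisNarrow(int32_t seconds) {
    uint32_t wrapped = static_cast<uint32_t>(seconds) * 1000u;  // wraps mod 2^32
    return static_cast<int32_t>(wrapped);
}

// Fixed computation (hypothetical stand-in): widen before multiplying so the
// product of any int32 and 1000 fits without overflow.
long long boundOffsetMillisWide(int32_t seconds) {
    return static_cast<long long>(seconds) * 1000LL;
}

// Overflow-checked 32-bit variant: reports failure instead of wrapping.
// __builtin_mul_overflow is a GCC/Clang builtin, not standard C++.
std::optional<int32_t> checkedMillis(int32_t seconds) {
    int32_t out;
    if (__builtin_mul_overflow(seconds, 1000, &out)) {
        return std::nullopt;
    }
    return out;
}

// Mirrors the invariant added by the reproduction patch: the bound offset
// passed to the sort must be non-negative. Note that this only detects wraps
// that land in the negative range.
bool boundOffsetIsValid(long long boundOffset) {
    return boundOffset >= 0;
}

int main() {
    std::printf("narrow (wrapped): %d\n", boundOffsetMillisNarrow(kHoursBucketMaxSpanSeconds));
    std::printf("wide: %lld\n", boundOffsetMillisWide(kHoursBucketMaxSpanSeconds));
    std::printf("checked overflowed: %s\n",
                checkedMillis(kHoursBucketMaxSpanSeconds) ? "no" : "yes");
    // 4294968 * 1000 wraps back into the positive range: the sign check passes
    // even though the value is wrong, while the checked multiply still reports it.
    std::printf("positive wrap passes sign check: %s\n",
                boundOffsetIsValid(boundOffsetMillisNarrow(4294968)) ? "yes" : "no");
    return 0;
}
```

Running it shows the "hours" span wrapping to -1702967296 in 32 bits versus 2592000000 when widened, and that the non-negative invariant catches this particular wrap but not one that lands positive, which is why the width of the multiplication at the call site, not the invariant, is the actual fix.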



Comments
Comment by Githook User [ 16/Jun/22 ]

Author:

{'name': 'James Wahlin', 'email': 'james@mongodb.com', 'username': 'jameswahlin'}

Message: SERVER-67315 Fix possible int32 overflow on call to DocumentSourceSort::createBoundedSort()

(cherry picked from commit c5b3c193d802c5618db349af4efdadbca5e59125)
Branch: v6.0
https://github.com/mongodb/mongo/commit/363112bd64c28b28b12c57fa6335b50a8fe624df

Comment by Githook User [ 16/Jun/22 ]

Author:

{'name': 'James Wahlin', 'email': 'james@mongodb.com', 'username': 'jameswahlin'}

Message: SERVER-67315 Fix possible int32 overflow on call to DocumentSourceSort::createBoundedSort()
Branch: master
https://github.com/mongodb/mongo/commit/c5b3c193d802c5618db349af4efdadbca5e59125

Generated at Thu Feb 08 06:07:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.