SERVER-13537 (Core Server)

Large skip and and limit values can cause crash in blocking sort stage

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.6.1, 2.7.0
    • Affects Version/s: 2.6.0
    • Component/s: Querying
    • Labels: None
    • Operating System: ALL

      Issue Status as of April 15, 2014

      ISSUE SUMMARY
      Very large values for .skip() and .limit() can cause an out-of-bounds error in the sort stage of a query and crash the server. Specifically, the error is caused when both skip and limit values fit into 32-bit signed ints individually but their sum overflows a signed 32-bit int and flips a positive limit value to a negative one.

      USER IMPACT
      Limited, but users can be affected as this is a regression and large limit values previously worked.

      WORKAROUNDS
      Use a lower limit value to avoid the issue.

      RESOLUTION
      Cast skip and limit to unsigned int values to ensure the sum doesn't result in a negative value.

      AFFECTED VERSIONS
      Version 2.6.0 is affected by this bug.

      PATCHES
      The patch is included in the 2.6.1 production release.
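      The signed-overflow mechanism from the ISSUE SUMMARY and the unsigned cast from the RESOLUTION, as an added example written for this page; it is not MongoDB's code, and the function names and the "retained sorted prefix" model of the sort buffer are constructed here:

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Constructed model (not MongoDB source): a blocking sort that serves a query with
// skip and limit only has to retain the first skip+limit documents, so that sum is
// the bound on its in-memory buffer.

// Vulnerable form described in the ticket: skip and limit are added as signed 32-bit
// ints. Two's-complement wraparound is emulated through uint32_t so this demo itself
// has no undefined behaviour; the result is identical to what a wrapping int add gives.
int32_t sortBoundSigned(int32_t skip, int32_t limit) {
    uint32_t raw = static_cast<uint32_t>(skip) + static_cast<uint32_t>(limit);
    return static_cast<int32_t>(raw);  // flips negative once skip+limit >= 2^31
}

// Fixed form per the RESOLUTION: cast both operands to unsigned before adding.
// Two non-negative int32 values sum to at most 2^32-2, which fits in uint32_t.
uint32_t sortBoundUnsigned(int32_t skip, int32_t limit) {
    return static_cast<uint32_t>(skip) + static_cast<uint32_t>(limit);
}

// Defensive check a stage can apply to a computed bound up front instead of
// tripping an assert deep inside the buffer code.
bool boundIsUsable(int64_t bound) {
    return bound >= 0;
}

// Sort the keys and keep only the first `bound` of them: the data a skip+limit
// sort must retain. With the unsigned bound this can never receive a negative value.
std::vector<int> retainSortedPrefix(std::vector<int> keys, uint32_t bound) {
    std::sort(keys.begin(), keys.end());
    if (keys.size() > bound) keys.resize(bound);
    return keys;
}
```

      With skip and limit both set to 2000000000 (each fits in an int32) the signed bound wraps to -294967296 while the unsigned bound is 4000000000.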

      Original description

      2014-04-10T02:45:04.086+0800 [conn952] SEVERE: Got signal: 6 (Aborted).
      Backtrace:0x11bd301 0x11bc6de 0x3355832960 0x33558328e5 0x33558340c5 0x335582ba0e 0x335582bad0 0xac7944 0xaca025 0xaa6f8f 0xaa082c 0xaaaa81 0xac3661 0xd44534 0xd44f89 0xd47b8a 0xd4acf8 0xb96382 0xb98962 0x76b76f
      ./mongod(_ZN5mongo15printStackTraceERSo+0x21) [0x11bd301]
      ./mongod() [0x11bc6de]
      /lib64/libc.so.6() [0x3355832960]
      /lib64/libc.so.6(gsignal+0x35) [0x33558328e5]
      /lib64/libc.so.6(abort+0x175) [0x33558340c5]
      /lib64/libc.so.6() [0x335582ba0e]
      /lib64/libc.so.6(__assert_perror_fail+0) [0x335582bad0]
      ./mongod(_ZN5mongo9SortStage11addToBufferERKNS0_16SortableDataItemE+0x454) [0xac7944]
      ./mongod(_ZN5mongo9SortStage4workEPm+0x865) [0xaca025]
      ./mongod(_ZN5mongo7OrStage4workEPm+0x12f) [0xaa6f8f]
      ./mongod(_ZN5mongo18KeepMutationsStage4workEPm+0x3c) [0xaa082c]
      ./mongod(_ZN5mongo15ProjectionStage4workEPm+0x51) [0xaaaa81]
      ./mongod(_ZN5mongo9SkipStage4workEPm+0x61) [0xac3661]
      ./mongod(_ZN5mongo15MultiPlanRunner12workAllPlansEPNS_7BSONObjE+0x1b4) [0xd44534]
      ./mongod(_ZN5mongo15MultiPlanRunner12pickBestPlanEPmPNS_7BSONObjE+0xa9) [0xd44f89]
      ./mongod(_ZN5mongo15MultiPlanRunner7getNextEPNS_7BSONObjEPNS_7DiskLocE+0x3fa) [0xd47b8a]
      ./mongod(ZN5mongo11newRunQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1+0x958) [0xd4acf8]
      ./mongod() [0xb96382]
      ./mongod(_ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE+0x442) [0xb98962]
      ./mongod(_ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0x9f) [0x76b76f]

            Assignee: David Storch (david.storch@mongodb.com)
            Reporter: Tianxiang Ma (tma995@gmail.com)
            Votes: 0
            Watchers: 11
