Core Server / SERVER-94625

Return '""_sd' instead of 'StringData()' in 'getSubstringCP()'

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 8.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Assigned Teams: Query Execution
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Steps To Reproduce:

      Create a UBSAN build

      buildscripts/scons.py --variables-files=etc/scons/mongodbtoolchain_v4_clang.vars --allocator=system --sanitize=address,undefined --link-model=dynamic --opt=debug --dbg=on  --modules= --ninja --build-fast-and-loose=on ICECC=icecc CCACHE=ccache
      
      ninja -j<jobs> install-devcore


      Add the following test to jstests/core/query/BF-34931.js:

      import {assertDropAndRecreateCollection} from "jstests/libs/collection_drop_recreate.js";
      
      const coll = assertDropAndRecreateCollection(db, jsTestName());
      coll.insert({str: ""});
      const res = coll.find({}, {out: {"$substrCP": ["$str", 8, 1]}}).toArray();
      assert.eq(res.length, 1); 

      And run it with SBE enabled:

      LANG=C UBSAN_OPTIONS="print_stacktrace=1:external_symbolizer_path=/opt/mongodbtoolchain/v4/bin/llvm-symbolizer" LSAN_OPTIONS="suppressions=etc/lsan.suppressions:report_objects=1" ASAN_OPTIONS="detect_leaks=1:check_initialization_order=true:strict_init_order=true:abort_on_error=1:disable_coredump=0:handle_abort=1:strict_string_checks=true:detect_invalid_pointer_pairs=1:external_symbolizer_path=/opt/mongodbtoolchain/v4/bin/llvm-symbolizer" buildscripts/resmoke.py run --suites=core '--mongodSetParameters={featureFlagSbeFull: true}' jstests/core/query/BF-34931.js 

      This should be sufficient to trigger the undefined behaviour.

    • Sprint: QE 2024-09-16
    • 200

      substr_utils::getSubstringCP() returns a default-constructed StringData() when the start index is past the end of the input. That StringData wraps an empty string_view whose data pointer is null, and the null pointer later reaches a memcpy call, which is undefined behaviour even when the length passed is 0. Returning ""_sd instead still yields a string with 0 characters, but one whose data pointer is valid and non-null. For additional safety we could also add an invariant that the second argument of memcpy is not a null pointer.
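      To make the failure mode concrete, the following is an added, stand-alone C++ sketch (not MongoDB's substr_utils code and not the ticket's patch): a simplified UTF-8 code-point substring in the "before" shape the ticket describes (default-constructed view, null data pointer) beside the "after" shape it proposes (view of an empty literal, non-null data pointer), plus a memcpy-based consumer carrying the suggested null-pointer invariant. The helper names (getSubstringCPBefore, getSubstringCPAfter, copyOut), the use of std::string_view in place of StringData and the minimal lead-byte scanner are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <string_view>

// Byte length of the UTF-8 sequence introduced by lead byte `b`. Stray
// continuation bytes and invalid leads count as one byte so the scan
// always advances. (Simplified scanner, assumed for this example.)
static std::size_t utf8SeqLen(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1;
}

// Advance `pos` by `n` code points inside `str`, clamping at the end.
static std::size_t advanceCodePoints(std::string_view str, std::size_t pos, std::size_t n) {
    while (n > 0 && pos < str.size()) {
        pos += utf8SeqLen(static_cast<unsigned char>(str[pos]));
        --n;
    }
    return pos < str.size() ? pos : str.size();
}

// The shape the ticket describes: when the start index lies past the end of
// the input the function returns a default-constructed view, whose data()
// is nullptr even though size() is 0. (Hypothetical stand-in for getSubstringCP.)
std::string_view getSubstringCPBefore(std::string_view str, std::size_t startCP, std::size_t lenCP) {
    std::size_t begin = advanceCodePoints(str, 0, startCP);
    if (begin >= str.size()) {
        return std::string_view();  // data() == nullptr
    }
    std::size_t end = advanceCodePoints(str, begin, lenCP);
    return str.substr(begin, end - begin);
}

// The fix the ticket proposes: return a view of an empty string literal
// instead (the analogue of ""_sd), so data() is a valid non-null pointer
// and size() is 0.
std::string_view getSubstringCPAfter(std::string_view str, std::size_t startCP, std::size_t lenCP) {
    std::size_t begin = advanceCodePoints(str, 0, startCP);
    if (begin >= str.size()) {
        return std::string_view("");  // data() != nullptr, size() == 0
    }
    std::size_t end = advanceCodePoints(str, begin, lenCP);
    return str.substr(begin, end - begin);
}

// Consumer that materialises the substring with memcpy, standing in for the
// code path the ticket says the view reaches. memcpy with a null source is
// undefined behaviour even when the length is 0, which is what UBSAN flags.
// The null check is the extra invariant the ticket suggests; here it returns
// false instead of aborting so the bad case can be observed.
bool copyOut(std::string_view sub, std::string& out) {
    if (sub.data() == nullptr) {
        return false;  // would be memcpy(dst, nullptr, 0): UB
    }
    out.assign(sub.size(), '\0');
    std::memcpy(out.data(), sub.data(), sub.size());
    return true;
}

int main() {
    std::string out;
    // Same input as the ticket's repro: {str: ""} with $substrCP ["$str", 8, 1].
    std::cout << "before: "
              << (copyOut(getSubstringCPBefore("", 8, 1), out) ? "ok" : "null source rejected") << '\n';
    std::cout << "after:  "
              << (copyOut(getSubstringCPAfter("", 8, 1), out) ? "ok" : "null source rejected") << '\n';
    return 0;
}
```

      The two variants behave identically for in-range indices; they differ only in what the empty result carries. Building with -fsanitize=undefined and replacing the null check in copyOut with an unconditional memcpy reproduces the kind of report the ticket's UBSAN run produces.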

            Assignee: catalin.sumanaru@mongodb.com Catalin Sumanaru
            Reporter: catalin.sumanaru@mongodb.com Catalin Sumanaru
            Votes: 0
            Watchers: 2
