Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.3.0-rc0
Affects Version/s: 8.3.0-rc0
Component/s: None
Labels:
None

Assigned Teams:

Catalog and Routing
Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Sprint:
N&O 2025-11-10, CAR Team 2025-11-24, CAR Team 2025-12-08
Linked BF Score:
200
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

There is use-after-free bug in AsyncRPCRunnerImpl::_sendCommand.

The lambda captures the raw
opCtx pointer
but the OperationContext can be destroyed before the async lambda executes.

This is especially true in ShardingDDLCoordinators, where we create a new OperationContext for every phase.
When the lambda runs and creates a RemoteCommandRequest , it calls _updateTimeoutFromOpCtxDeadline() with the invalid pointer, causing a segfault when calling opCtx->getRemainingMaxTimeMillis().

Note that in spite have already a check here it has been still observed a SEGFAULT in the mentioned call. This suggest the opCtx can become invalid at any moment once the request runs asynchrnously, even right after the check.

A solution could probably be to have these values copied when calling the _sendCommand, where we still have the guarantee for the opCtx to be valid

Assignee:: Enrico Golfieri
Reporter:: Enrico Golfieri
Participants:: Enrico Golfieri, Githook User
Votes:: 0 Vote for this issue
Watchers:: 6 Start watching this issue

Created:: Oct 15 2025 11:29:51 AM UTC
Updated:: Dec 01 2025 08:48:21 AM UTC
Resolved:: Dec 01 2025 08:48:22 AM UTC

Details

Description

Attachments

Activity

People

Dates