use-after-free in mongo::profile

XMLWordPrintableJSON

    • ALL
    • Hide

      On an OS X machine with clang-3.4 installed via macports, so change flags as needed:

      scons --cache --mute --osx-version-min=10.9 --opt=on --dbg=on -j10 --cc=/opt/local/bin/clang --cxx=/opt/local/bin/clang++ --allocator=system --sanitize=address ./mongod ./mongos && ASAN_SYMBOLIZER_PATH=/opt/local/bin/llvm-symbolizer-mp-3.4 ./buildscripts/smoke.py jstests/auth/profile.js

      Show
      On an OS X machine with clang-3.4 installed via macports, so change flags as needed: scons --cache --mute --osx-version-min=10.9 --opt=on --dbg=on -j10 --cc=/opt/local/bin/clang --cxx=/opt/local/bin/clang++ --allocator=system --sanitize=address ./mongod ./mongos && ASAN_SYMBOLIZER_PATH=/opt/local/bin/llvm-symbolizer-mp-3.4 ./buildscripts/smoke.py jstests/auth/profile.js
    • 0
    • None
    • 0
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Detected by the ASAN build:

      https://mci.10gen.com/ui/build/mongodb_mongo_master_sanitize_ubuntu1404_debug_asan_de724781deb23468c909acc73d98961b9c8e53c5_14_07_11_18_13_28

      in the auth suite:

      http://buildlogs.mongodb.org/mci_0.9_ubuntu1404-debug-asan/builds/9069/test/auth_0/auth1.js

      The ASAN output looks like:

       m27000| =================================================================
 m27000| ==60123==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300003c130 at pc 0x10811dd54 bp 0x11450b270 sp 0x11450b238
 m27000| READ of size 9 at 0x60300003c130 thread T11
 m27000|     #0 0x10811dd53 in wrap_memcmp (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x16d53)
 m27000|     #1 0x103dc96a7 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0c6a7)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| 0x60300003c130 is located 0 bytes inside of 32-byte region [0x60300003c130,0x60300003c150)
 m27000| freed by thread T11 here:
 m27000|     #0 0x10812462e in wrap__ZdlPv (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d62e)
 m27000|     #1 0x103dc8928 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b928)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| previously allocated by thread T11 here:
 m27000|     #0 0x10812432e in wrap__Znwm (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d32e)
 m27000|     #1 0x103dc86db in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b6db)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| Thread T11 created by T0 here:
 m27000|     #0 0x10811d8a2 in wrap_pthread_create (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x168a2)
 m27000|     #1 0x10525b837 in boost::thread::start_thread() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9e837)
 m27000|     #2 0x105050df2 in boost::thread::thread<std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&> >(std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&>&&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d93df2)
 m27000|     #3 0x10504cd76 in mongo::PortMessageServer::acceptedMP(mongo::MessagingPort*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d8fd76)
 m27000|     #4 0x105041414 in mongo::Listener::accepted(boost::shared_ptr<mongo::Socket>, long long) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d84414)
 m27000|     #5 0x10503f9b4 in mongo::Listener::initAndListen() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d829b4)
 m27000|     #6 0x1032ca873 in mongo::_initAndListen(int) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x10000d873)
 m27000|     #7 0x1032c0b9d in main (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100003b9d)
 m27000|     #8 0x7fff895e35fc in start (/usr/lib/system/libdyld.dylib+0x35fc)
 m27000|     #9 0xb
 m27000|
 m27000| SUMMARY: AddressSanitizer: heap-use-after-free ??:0 wrap_memcmp
 m27000| Shadow bytes around the buggy address:
 m27000|   0x1c06000077d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c06000077e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c06000077f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c0600007800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c0600007810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000| =>0x1c0600007820: fa fa fa fa fa fa[fd]fd fd fd fa fa 00 00 00 fa
 m27000|   0x1c0600007830: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
 m27000|   0x1c0600007840: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
 m27000|   0x1c0600007850: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
 m27000|   0x1c0600007860: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
 m27000|   0x1c0600007870: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
 m27000| Shadow byte legend (one shadow byte represents 8 application bytes):
 m27000|   Addressable:           00
 m27000|   Partially addressable: 01 02 03 04 05 06 07
 m27000|   Heap left redzone:     fa
 m27000|   Heap right redzone:    fb
 m27000|   Freed heap region:     fd
 m27000|   Stack left redzone:    f1
 m27000|   Stack mid redzone:     f2
 m27000|   Stack right redzone:   f3
 m27000|   Stack partial redzone: f4
 m27000|   Stack after return:    f5
 m27000|   Stack use after scope: f8
 m27000|   Global redzone:        f9
 m27000|   Global init order:     f6
 m27000|   Poisoned by user:      f7
 m27000|   ASan internal:         fe
 m27000| ==60123==ABORTING

      This test was green on the asan run last week, and is red now. The relevant commit range is

      7fb52123c945b85866258fdb491c683c5aa54651..de724781deb23468c909acc73d98961b9c8e53c5

      git bisect says "de724781deb23468c909acc73d98961b9c8e53c5 is the first bad commit"

              Assignee:
              J Rassi (Inactive)
              Reporter:
              Andrew Morrow (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: