[SERVER-14538] use-after-free in mongo::profile - MongoDB Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: 2.7.3
Fix Version/s: 2.7.4
Component/s: Internal Code
Labels:
- address-sanitizer
- stringdata-use-after-free

Operating System:
ALL
Steps To Reproduce:

Hide

On an OS X machine with clang-3.4 installed via macports, so change flags as needed:

scons --cache --mute --osx-version-min=10.9 --opt=on --dbg=on -j10 --cc=/opt/local/bin/clang --cxx=/opt/local/bin/clang++ --allocator=system --sanitize=address ./mongod ./mongos && ASAN_SYMBOLIZER_PATH=/opt/local/bin/llvm-symbolizer-mp-3.4 ./buildscripts/smoke.py jstests/auth/profile.js

Show
On an OS X machine with clang-3.4 installed via macports, so change flags as needed: scons --cache --mute --osx-version-min=10.9 --opt=on --dbg=on -j10 --cc=/opt/local/bin/clang --cxx=/opt/local/bin/clang++ --allocator=system --sanitize=address ./mongod ./mongos && ASAN_SYMBOLIZER_PATH=/opt/local/bin/llvm-symbolizer-mp-3.4 ./buildscripts/smoke.py jstests/auth/profile.js
Linked BF Score:
0

Description

Detected by the ASAN build:

https://mci.10gen.com/ui/build/mongodb_mongo_master_sanitize_ubuntu1404_debug_asan_de724781deb23468c909acc73d98961b9c8e53c5_14_07_11_18_13_28

in the auth suite:

http://buildlogs.mongodb.org/mci_0.9_ubuntu1404-debug-asan/builds/9069/test/auth_0/auth1.js

The ASAN output looks like:

 m27000| =================================================================

 m27000| ==60123==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300003c130 at pc 0x10811dd54 bp 0x11450b270 sp 0x11450b238

 m27000| READ of size 9 at 0x60300003c130 thread T11

 m27000|     #0 0x10811dd53 in wrap_memcmp (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x16d53)

 m27000|     #1 0x103dc96a7 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0c6a7)

 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)

 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)

 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)

 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)

 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)

 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)

 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)

 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)

 m27000|

 m27000| 0x60300003c130 is located 0 bytes inside of 32-byte region [0x60300003c130,0x60300003c150)

 m27000| freed by thread T11 here:

 m27000|     #0 0x10812462e in wrap__ZdlPv (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d62e)

 m27000|     #1 0x103dc8928 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b928)

 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)

 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)

 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)

 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)

 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)

 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)

 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)

 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)

 m27000|

 m27000| previously allocated by thread T11 here:

 m27000|     #0 0x10812432e in wrap__Znwm (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d32e)

 m27000|     #1 0x103dc86db in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b6db)

 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)

 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)

 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)

 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)

 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)

 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)

 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)

 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)

 m27000|

 m27000| Thread T11 created by T0 here:

 m27000|     #0 0x10811d8a2 in wrap_pthread_create (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x168a2)

 m27000|     #1 0x10525b837 in boost::thread::start_thread() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9e837)

 m27000|     #2 0x105050df2 in boost::thread::thread<std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&> >(std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&>&&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d93df2)

 m27000|     #3 0x10504cd76 in mongo::PortMessageServer::acceptedMP(mongo::MessagingPort*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d8fd76)

 m27000|     #4 0x105041414 in mongo::Listener::accepted(boost::shared_ptr<mongo::Socket>, long long) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d84414)

 m27000|     #5 0x10503f9b4 in mongo::Listener::initAndListen() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d829b4)

 m27000|     #6 0x1032ca873 in mongo::_initAndListen(int) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x10000d873)

 m27000|     #7 0x1032c0b9d in main (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100003b9d)

 m27000|     #8 0x7fff895e35fc in start (/usr/lib/system/libdyld.dylib+0x35fc)

 m27000|     #9 0xb

 m27000|

 m27000| SUMMARY: AddressSanitizer: heap-use-after-free ??:0 wrap_memcmp

 m27000| Shadow bytes around the buggy address:

 m27000|   0x1c06000077d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

 m27000|   0x1c06000077e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

 m27000|   0x1c06000077f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

 m27000|   0x1c0600007800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

 m27000|   0x1c0600007810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

 m27000| =>0x1c0600007820: fa fa fa fa fa fa[fd]fd fd fd fa fa 00 00 00 fa

 m27000|   0x1c0600007830: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd

 m27000|   0x1c0600007840: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa

 m27000|   0x1c0600007850: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa

 m27000|   0x1c0600007860: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd

 m27000|   0x1c0600007870: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa

 m27000| Shadow byte legend (one shadow byte represents 8 application bytes):

 m27000|   Addressable:           00

 m27000|   Partially addressable: 01 02 03 04 05 06 07

 m27000|   Heap left redzone:     fa

 m27000|   Heap right redzone:    fb

 m27000|   Freed heap region:     fd

 m27000|   Stack left redzone:    f1

 m27000|   Stack mid redzone:     f2

 m27000|   Stack right redzone:   f3

 m27000|   Stack partial redzone: f4

 m27000|   Stack after return:    f5

 m27000|   Stack use after scope: f8

 m27000|   Global redzone:        f9

 m27000|   Global init order:     f6

 m27000|   Poisoned by user:      f7

 m27000|   ASan internal:         fe

 m27000| ==60123==ABORTING

This test was green on the asan run last week, and is red now. The relevant commit range is

7fb52123c945b85866258fdb491c683c5aa54651..de724781deb23468c909acc73d98961b9c8e53c5

git bisect says "de724781deb23468c909acc73d98961b9c8e53c5 is the first bad commit"

Attachments

Activity

People

Assignee:: J Rassi

Reporter:: Andrew Morrow

Participants:: Andrew Morrow, Githook User, J Rassi

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: Jul 12 2014 03:02:59 PM UTC

Updated:: Sep 05 2014 07:49:26 PM UTC

Resolved:: Jul 14 2014 06:21:45 PM UTC