Core Server / SERVER-15586

Potential use-after-free in replication rollback

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.7.8
    • Affects Version/s: None
    • Component/s: Replication
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL

      The rollback code creates and stores pointers to memory that is not guaranteed to still be alive here: https://github.com/mongodb/mongo/blob/master/src/mongo/db/repl/rs_rollback.cpp#L242

      At that call to insert, fixUpInfo can potentially outlive the data that doc points to. doc points to data from a query, which happens to always be alive in MMAPv1, but that might not be true for other storage engines.
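      The lifetime problem described above, as an added illustration that is not MongoDB's code: a toy storage-engine cursor owns the document buffer, a non-owning view stored into the rollback state dangles once that cursor is destroyed, while the copying form (in the spirit of a getOwned()-style copy, an assumption about the real fix) keeps the bytes alive as long as the fixUpInfo does.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Non-owning view of a document: points into memory owned by someone else.
struct DocView {
    const char* data;
    std::size_t len;
};

// Owning copy of a document; ordered so it can live in a std::set like the
// real fixUpInfo containers do. Constructed here, not MongoDB's BSONObj.
struct OwnedDoc {
    std::string bytes;
    explicit OwnedDoc(DocView v) : bytes(v.data, v.len) {}  // copies the bytes
    bool operator<(const OwnedDoc& o) const { return bytes < o.bytes; }
};

// Stand-in for a storage engine query cursor: it owns the buffer behind the
// current document and frees it when the cursor is destroyed.
class QueryCursor {
public:
    explicit QueryCursor(const std::string& payload) : buf_(payload.begin(), payload.end()) {}
    DocView current() const { return {buf_.data(), buf_.size()}; }
private:
    std::vector<char> buf_;
};

// Rollback bookkeeping in the two forms under discussion (hypothetical names).
struct FixUpInfoUnsafe { std::vector<DocView> docsToRefetch; };  // raw pointers
struct FixUpInfoSafe   { std::set<OwnedDoc> docsToRefetch; };    // owned copies

// Unsafe pattern: the view is inserted while the cursor is alive, but the
// cursor dies when this function returns, so the stored pointer dangles and
// any later read through it is a use-after-free.
FixUpInfoUnsafe collectUnsafe(const std::string& payload) {
    FixUpInfoUnsafe info;
    QueryCursor cursor(payload);
    info.docsToRefetch.push_back(cursor.current());  // points into cursor's buffer
    return info;  // cursor destroyed here; info now holds a dangling pointer
}

// Safe pattern: copy the document before storing it, so fixUpInfo owns the
// data regardless of how long the storage engine keeps the buffer alive.
FixUpInfoSafe collectSafe(const std::string& payload) {
    FixUpInfoSafe info;
    QueryCursor cursor(payload);
    info.docsToRefetch.insert(OwnedDoc(cursor.current()));  // bytes copied
    return info;  // cursor destroyed here; info's copy is unaffected
}
```

      Running the unsafe form under AddressSanitizer and dereferencing the stored view after the cursor is gone is the quickest way to see the bug class reported here; the safe form reads correctly in either case.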

    • Assignee: David Percy (david.percy@mongodb.com)
    • Reporter: David Percy (david.percy@mongodb.com)
    • Votes: 0
    • Watchers: 4