SERVER-17109 (Core Server)

getmore operation on listIndexes cursor can access invalid BSONObj objdata and crash the server

    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL

      During a longevity test, I noticed a crash that was triggered by a getmore operation accessing invalid BSONObj objdata. The getmore was happening concurrently with a repair on the same database.

      (gdb) bt
      #0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:166
      #1  0x0000000001143b50 in mongo::ConstDataView::readNative<int> (this=0x7ffdd7caef50, t=0x7ffdd7caef0c, offset=0) at src/mongo/base/data_view.h:59
      #2  0x00000000011425c7 in mongo::ConstDataView::readNative<int> (this=0x7ffdd7caef50, offset=0) at src/mongo/base/data_view.h:66
      #3  0x0000000001140237 in mongo::ConstDataView::readLE<int> (this=0x7ffdd7caef50, offset=0) at src/mongo/base/data_view.h:72
      #4  0x000000000113d195 in mongo::BSONObj::objsize (this=0x7ffdd7caf130) at src/mongo/bson/bsonobj.h:318
      #5  0x00000000015365ce in mongo::getMore (txn=0x7ffdd7caf7d0, ns=0x4ac8414 "aggdb.$cmd.listIndexes.testGeoUpdate", ntoreturn=0, cursorid=4905077146, curop=..., pass=0, exhaust=@0x7ffdd7caf296: false, 
          isCursorAuthorized=0x7ffdd7caf320, fromDBDirectClient=false) at src/mongo/db/query/find.cpp:341
      #6  0x00000000014420fb in mongo::receivedGetMore (txn=0x7ffdd7caf7d0, dbresponse=..., m=..., curop=..., fromDBDirectClient=false) at src/mongo/db/instance.cpp:786
      #7  0x000000000143f0e3 in mongo::assembleResponse (txn=0x7ffdd7caf7d0, m=..., dbresponse=..., remote=..., fromDBDirectClient=false) at src/mongo/db/instance.cpp:406
      #8  0x000000000113f4f8 in mongo::MyMessageHandler::process (this=0x30b81c0, m=..., port=0xc16fa40, le=0x73d5db0) at src/mongo/db/db.cpp:206
      #9  0x00000000018e1118 in mongo::PortMessageServer::handleIncomingMsg (arg=0xc16fa40) at src/mongo/util/net/message_server_port.cpp:229
      #10 0x00007ffff7bc4182 in start_thread (arg=0x7ffdd7cb0700) at pthread_create.c:312
      #11 0x00007ffff6cc500d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
      
      (gdb) f 5
      #5  0x00000000015365ce in mongo::getMore (txn=0x7ffdd7caf7d0, ns=0x4ac8414 "aggdb.$cmd.listIndexes.testGeoUpdate", ntoreturn=0, cursorid=4905077146, curop=..., pass=0, exhaust=@0x7ffdd7caf296: false, 
          isCursorAuthorized=0x7ffdd7caf320, fromDBDirectClient=false) at src/mongo/db/query/find.cpp:341
      341                     bb.appendBuf((void*)obj.objdata(), obj.objsize());
      (gdb) p obj
      $57 = {_objdata = 0x7ffacc2d6340 <error: Cannot access memory at address 0x7ffacc2d6340>, _ownedBuffer = {_holder = {px = 0x0}}}
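
      The frame above shows a BSONObj whose _ownedBuffer holder is null and whose _objdata points at memory that is no longer mapped: a non-owning view into storage that the concurrent repair tore down between the first batch and the getmore. The following is an added example, not MongoDB's code and not the fix that was shipped for this ticket; it models that lifetime bug with hypothetical types (ObjView, ListIndexesCursor, Catalog) on a constructed 4-byte-size-prefixed object. The weak_ptr expired() check in getMore is instrumentation standing in for the segfault a real dereference of freed memory produces; the remedy shown is to copy the bytes into view-owned storage (getOwned) before the view can outlive its source.

```cpp
// Added example (hypothetical names, not MongoDB source): a non-owning object
// view outlives the storage it points into, then getMore reads its size header.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

using Storage = std::vector<char>;

// Constructed sample: a minimal BSON-like object, 4-byte LE size then payload.
static const char* const kIndexSpec = "loc_2dsphere";  // 12 bytes -> objsize 16

static Storage makeObject(const std::string& payload) {
    int32_t size = static_cast<int32_t>(4 + payload.size());
    Storage buf(size);
    std::memcpy(buf.data(), &size, 4);
    std::memcpy(buf.data() + 4, payload.data(), payload.size());
    return buf;
}

// A view onto object bytes. Like BSONObj it may or may not own them:
// _ownedBuffer is null for a view into someone else's storage.
class ObjView {
public:
    ObjView(const char* data, std::shared_ptr<Storage> owner)
        : _objdata(data), _ownedBuffer(std::move(owner)) {}
    const char* objdata() const { return _objdata; }
    bool isOwned() const { return _ownedBuffer != nullptr; }
    int32_t objsize() const { int32_t s; std::memcpy(&s, _objdata, 4); return s; }
    // Copy the bytes into storage this view owns, so it survives its source.
    ObjView getOwned() const {
        if (isOwned()) return *this;
        auto copy = std::make_shared<Storage>(_objdata, _objdata + objsize());
        return ObjView(copy->data(), copy);
    }
private:
    const char* _objdata;
    std::shared_ptr<Storage> _ownedBuffer;
};

struct GetMoreResult { bool ok; int32_t size; };

class ListIndexesCursor {
public:
    ListIndexesCursor(ObjView obj, std::weak_ptr<Storage> backing)
        : _obj(std::move(obj)), _backing(std::move(backing)) {}
    // Append the object's bytes to the reply (the appendBuf in the trace).
    // expired() is instrumentation: a real server would just crash here.
    GetMoreResult getMore(std::vector<char>& reply) const {
        if (!_obj.isOwned() && _backing.expired())
            return {false, 0};  // objdata points into freed storage
        int32_t n = _obj.objsize();
        reply.insert(reply.end(), _obj.objdata(), _obj.objdata() + n);
        return {true, n};
    }
private:
    ObjView _obj;
    std::weak_ptr<Storage> _backing;
};

// Catalog storage that a repair rebuilds; the old buffer is freed.
struct Catalog { std::shared_ptr<Storage> indexSpec; };

static ListIndexesCursor listIndexes(const Catalog& cat, bool ownResults) {
    ObjView view(cat.indexSpec->data(), nullptr);  // non-owning, as in the bug
    if (ownResults) view = view.getOwned();         // hardened variant
    return ListIndexesCursor(view, cat.indexSpec);
}

static void repair(Catalog& cat) {
    cat.indexSpec = std::make_shared<Storage>(makeObject("rebuilt"));
}

// Returns the objsize getMore copied, or -1 when it would have touched freed memory.
int32_t runScenario(bool ownResults) {
    Catalog cat{std::make_shared<Storage>(makeObject(kIndexSpec))};
    ListIndexesCursor cursor = listIndexes(cat, ownResults);
    repair(cat);  // runs concurrently with the open cursor
    std::vector<char> reply;
    GetMoreResult r = cursor.getMore(reply);
    return r.ok ? r.size : -1;
}

int main() {
    std::printf("non-owning view after repair: %d\n", runScenario(false));
    std::printf("owned view after repair:      %d\n", runScenario(true));
    return 0;
}
```

      The point for anyone reviewing cursor code: any object the cursor hands back across a yield or lock release must either own its bytes or be pinned by something whose lifetime provably covers the cursor's; a bare pointer into catalog storage is neither.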
      

      Version: ac9ee2fb80f2afc2737

            Assignee:
            david.storch@mongodb.com David Storch
            Reporter:
            kamran.khan Kamran K.
            Votes:
            0
            Watchers:
            7
