Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-23925

Potential use-after-free when WSM is refetched after snapshot id changes in UpdateStage and DeleteStage

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.3.4
    • Fix Version/s: 3.3.6
    • Component/s: Querying, Write Ops
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Sprint:
      Query 14 (05/13/16)
    • Linked BF Score:
      0

      Description

      MongoRocks tests have been failing for a while with weird errors. I just ran an ASAN test and I think I discovered the root cause. I don't think it's specific to RocksDB storage engine, so I'm surprised that it's not failing in the WiredTiger case.

      Here's the stack trace of use-after-free: https://gist.github.com/igorcanadi/76235761eb90f1e1a23b2f35b1627b90

      Bear with me:

      1. Let's start in update.cpp (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/update.cpp#L867-L868). A call to ensureStillMatches() causes member to point to the invalid buffer.
      2. ...Because ensureStillMatches() calls into WorkingSetCommon::fetch() with unique_ptr<Cursor> that gets destroyed at the end of the function (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/write_stage_common.cpp#L53)
      3. WorkingSetCommon::fetch() sets member->obj to point to the cursor's buffer with function releaseToBson(), which doesn't copy data out of an unowned buffer (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/working_set_common.cpp#L107)

      I believe that the offending commit may be https://github.com/mongodb/mongo/commit/178e241b81882f85a58deda960d80607a77e1c3a (based on 'git blame', I haven't actually bisected it)

      Does this make sense?

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: