- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: 3.2.7
- Component/s: None
- None
- Fully Compatible
- OpenBSD
Hello,
I am running a Java application (UBNT unifi) which uses mongodb.
The OS is OpenBSD 6.1 with mongodb 3.2.7.
The issue was not present with mongodb 2.x, but appeared with 3.x. It was also there with OpenBSD 6.0 as long as you ran mongodb 3.x with some memory protections.
The issue appears when you enable F or U memory protections in malloc.conf:

F “Freeguard”. Enable use after free detection. Unused pages on the freelist are read and write protected to cause a segmentation fault upon access. This will also switch off the delayed freeing of chunks, reducing random behaviour but detecting double free(3) calls as early as possible.

U “Free unmap”. Enable use after free protection for larger allocations. Unused pages on the freelist are read and write protected to cause a segmentation fault upon access.

So this clearly means there is a use after free somewhere in mongodb 3.x.
Now, here is the log:
2017-04-11T17:50:24.720+0200 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-04-11T17:50:25.058+0200 F - [ftdc] Invalid access at address: 0x61818860180
2017-04-11T17:50:25.062+0200 F - [ftdc] Got signal: 11 (Segmentation fault).
 0x6160a39d608 0x6160a39c789 0x6160a39cb34 0x6185c1ba002 0x6160998db16 0x61609995145 0x616099952e9 0x61609992995 0x61609a99311 0x61609a89a5d 0x61609a8e66e 0x6187244f5f0
----- BEGIN BACKTRACE -----
{"backtrace":[{"b":"61609700000","o":"C9D608","s":"_ZN5mongo15printStackTraceERSo"},{"b":"61609700000","o":"C9C789","s":"_ZN5mongo27startSignalProcessingThreadEv"},{"b":"61609700000","o":"C9CB34","s":"_ZN5mongo30setupSynchronousSignalHandlersEv"},{"b":"0","o":"6185C1BA002"},{"b":"61609700000","o":"28DB16","s":"_ZNK5mongo28OpCounterServerStatusSection15generateSectionEPNS_16OperationContextERKNS_11BSONElementE"},{"b":"61609700000","o":"295145","s":"_ZNK5mongo10MetricTree8appendToERNS_14BSONObjBuilderE"},{"b":"61609700000","o":"2952E9","s":"_ZNK5mongo10MetricTree8appendToERNS_14BSONObjBuilderE"},{"b":"61609700000","o":"292995","s":"_ZN5mongo15CmdServerStatus3runEPNS_16OperationContextERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderE"},{"b":"61609700000","o":"399311","s":"_ZN5mongo10StatusWithIN5boost8optionalISt5tupleIINS_14ConstDataRangeENS_14FTDCCompressor15CompressorStateENS_6Date_tEEEEEED2Ev"},{"b":"61609700000","o":"389A5D","s":"_ZN5mongo23FTDCCollectorCollection7collectEPNS_6ClientE"},{"b":"61609700000","o":"38E66E","s":"_ZN5mongo14FTDCController6doLoopEv"},{"b":"618723E9000","o":"665F0","s":"_ZNSt16_Sp_counted_baseILN9__gnu_cxx12_Lock_policyE2EE10_M_releaseEv"}],"processInfo":{ "mongodbVersion" : "3.2.7", "gitVersion" : "4249c1d2b5999ebbf1fdf3bc0e0e3b3ff5c0aaf2", "compiledModules" : [], "uname" : { "sysname" : "OpenBSD", "release" : "6.1", "version" : "GENERIC.MP#20", "machine" : "amd64" } }}
 mongod(_ZN5mongo15printStackTraceERSo+0x38) [0x6160a39d608]
 mongod(_ZN5mongo27startSignalProcessingThreadEv+0x5E9) [0x6160a39c789]
 mongod(_ZN5mongo30setupSynchronousSignalHandlersEv+0x384) [0x6160a39cb34]
 ??? [0x6185c1ba002]
 mongod(_ZNK5mongo28OpCounterServerStatusSection15generateSectionEPNS_16OperationContextERKNS_11BSONElementE+0x9D6) [0x6160998db16]
 mongod(_ZNK5mongo10MetricTree8appendToERNS_14BSONObjBuilderE+0x45) [0x61609995145]
 mongod(_ZNK5mongo10MetricTree8appendToERNS_14BSONObjBuilderE+0x1E9) [0x616099952e9]
 mongod(_ZN5mongo15CmdServerStatus3runEPNS_16OperationContextERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderE+0x1105) [0x61609992995]
 mongod(_ZN5mongo10StatusWithIN5boost8optionalISt5tupleIINS_14ConstDataRangeENS_14FTDCCompressor15CompressorStateENS_6Date_tEEEEEED2Ev+0x9D1) [0x61609a99311]
 mongod(_ZN5mongo23FTDCCollectorCollection7collectEPNS_6ClientE+0x39D) [0x61609a89a5d]
 mongod(_ZN5mongo14FTDCController6doLoopEv+0x1DE) [0x61609a8e66e]
 libestdc++.so.17.0(_ZNSt16_Sp_counted_baseILN9__gnu_cxx12_Lock_policyE2EE10_M_releaseEv+0xA0) [0x6187244f5f0]
----- END BACKTRACE -----
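Added example, not part of the original report and not OpenBSD's or MongoDB's code: a toy page-granular allocator showing the mechanism in the quoted malloc.conf text, where a freed page stays mapped but is read/write protected so that a stale read raises SIGSEGV instead of silently returning old data. The names guard_alloc, guard_free, read_faults and stale_read_demo are hypothetical.

```c
#define _DEFAULT_SOURCE   /* MAP_ANON and sigsetjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;          /* recovery point for read_faults() */
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Hypothetical toy allocator: one whole page per allocation. */
static void *guard_alloc(void)
{
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* "Free" keeps the page mapped but inaccessible, like a freelist page under F/U. */
static int guard_free(void *p)
{
    return mprotect(p, (size_t)sysconf(_SC_PAGESIZE), PROT_NONE);
}

/* Returns 1 if a one-byte read of p raises SIGSEGV, 0 if it succeeds. */
static int read_faults(const volatile char *p)
{
    struct sigaction sa, old;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        (void)*p;                     /* the probe read */
        faulted = 0;
    } else faulted = 1;               /* reached via on_segv() */
    sigaction(SIGSEGV, &old, NULL);   /* restore the previous handler */
    return faulted;
}

/* Bit 0 set: live read faulted. Bit 1 set: read after guard_free() faulted. */
int stale_read_demo(void)
{
    char *p = guard_alloc();
    int r;
    if (p == NULL) return -1;
    p[0] = 'x';
    r = read_faults(p);               /* live pointer: no fault expected */
    if (guard_free(p) != 0) return -1;
    return r | (read_faults(p) << 1); /* stale pointer: fault expected */
}
int main(void) { printf("result=%d\n", stale_read_demo()); return 0; }
```

Without the protection step the second read would succeed and return stale bytes, which is why a latent bug of this kind can go unnoticed until F or U is enabled.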
- is duplicated by
  - SERVER-31118 Crash on OpenBSD with malloc.conf -> SURFg (Closed)