[SERVER-35929] Possible use-after-free when reloading the view catalog due to an invalidation - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 4.0.0
Fix Version/s: 4.0.1, 4.1.1
Component/s: Querying
Labels:
- read-only-views

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.0
Sprint:
Query 2018-07-16
Linked BF Score:
16

Description

The resolvedNss = &(view->viewOn()) address refers to memory within ViewCatalog::_viewMap and would have therefore been freed when a subsequent iteration of ViewCatalog::_lookup_inlock() leads to ViewCatalog::_reloadIfNeeded_inlock() being called. This could happen if ViewCatalog::invalidate() is called concurrently while following a chain of view definitions in ViewCatalog::resolveView().

Note: This issue cannot be triggered against MongoDB 3.4 or 3.6 because the parallel-batch writer lock prevents resolving a view definition from overlapping with oplog application.

Attachments

Activity

People

Assignee:: Kyle Suarez

Reporter:: Max Hirschhorn

Participants:: Andrew Morrow, Githook User, Kyle Suarez, Max Hirschhorn

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: Jul 01 2018 10:07:21 PM UTC

Updated:: Jul 10 2018 10:48:29 AM UTC

Resolved:: Jul 10 2018 09:31:56 AM UTC