[SERVER-42455] ReplicaSetChangeNotifier::onConfirmedSet is unsafe during shutdown - MongoDB

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Major - P3
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 4.3 Desired
Component/s: Internal Code
Labels:
- service-architecture-wfbf

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Linked BF Score:
0

Description

The replica set change notifier makes a copy of _listeners under a lock, but then invokes onConfirmedSet on those listeners outside the lock. During shutdown, those pointers can be dead, which can cause us to use after free and crash.

See replica_set_change_notifier.cpp#L116-L120

    auto listeners = _listeners;

    lk.unlock();

    for (auto listener : listeners) {

        listener->onConfirmedSet(state);

};

Attachments

Activity

People

Assignee:

Backlog - Service Architecture

Reporter:

Jason Carey

Participants:

Backlog - Service Architecture, Jason Carey

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

Jul 26 2019 06:59:30 PM UTC

Updated:

Jul 29 2019 03:26:03 PM UTC