Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-42744

Fix transaction history iterator to not return unowned BSON that may be left dangling

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Critical - P2 Critical - P2
    • 4.2.1, 4.3.1
    • Affects Version/s: None
    • Component/s: Querying
    • None
    • Fully Compatible
    • ALL
    • v4.2
    • 14

      Issue Status as of Oct 21, 2019

      ISSUE SUMMARY

      A memory management bug in code that tracks updates to documents can cause undefined behavior; including failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

      The code returns an un-owned object, which can be freed and re-used even though the object is still referenced. If this memory is accessed after it is re-used, the contents may cause a MongoDB server to incorrectly write to any memory used by the mongod process.

      USER IMPACT

      Even though serious impact is unlikely, all MongoDB 4.2.0 replica sets are considered vulnerable.

      The most likely impact is failed operations with BSONElement: bad type error message in the mongod logs or in responses to clients. Another common failure mode is a process crash with BSONElement: bad type or Invalid access errors in the mongod logs. However, in-memory and on-disk corruption of documents are technically possible.

      The risk of triggering the bug in an impactful way goes up with the use of features that rely on the bugged code and in scenarios that require freeing and reusing memory frequently. This includes:

      • the use of retryable writes, transactions, and change streams
      • sharded collection chunk migrations
      • high cache pressure (as measured by cache in/out and cache page eviction metrics)
      • frequent replica set failovers during periods of replication lag

      WORKAROUNDS

      Upgrading to 4.2.1 corrects the bug. It is possible to reduce risk by addressing the risk factors described above, but because of the potential impact we strongly recommend upgrading from 4.2.0 to 4.2.1 immediately.

      AFFECTED VERSIONS

      MongoDB 4.2.0. Earlier versions of MongoDB are not affected.

      FIX VERSION

      MongoDB 4.2.1

      original description

      TransactionHistoryIterator::next() retrieves an unowned BSONObj from the call to PlanExecutor::getNext(). This is problematic because callers may save the resulting object and call next() several times without taking ownership (making a copy) first. This results in a bugs where an unowned BSONObj can point to freed or overwritten memory.

            Assignee:
            jacob.evans@mongodb.com Jacob Evans
            Reporter:
            jacob.evans@mongodb.com Jacob Evans
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved: