Core Server: SERVER-43883

Sanitize unowned BSON and RecordData bugs



    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Internal Code
    • Labels:


      There is a class of bug that results in using unowned BSON or RecordData objects, which reference memory owned by something else, and accessing that memory after it has been freed or overwritten. This has the potential to lead to undefined behavior and in-memory data corruption.

      See SERVER-42744, SERVER-43879, SERVER-43880, and SERVER-43882 for recent examples.

      We should create a build variant or suite that does the following:

      • Before freeing owned BSONObjs, overwrite the memory with garbage. This will blow up when an unowned BSONObj is used after the owned object has been freed.
      • When returning data from a cursor, copy memory from WiredTiger into a managed buffer, and return that unowned buffer to the caller. When that cursor is invalidated in any way, from an advance, close, or reset, overwrite the buffer with garbage and free the memory immediately. This will blow up in cases where callers use data from cursors after repositioning or yielding. See an example implementation here.
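The two bullets above describe one mechanism: poison memory with a garbage pattern at the moment its owner releases or repositions it, so a stale unowned reference fails loudly instead of reading plausible old bytes. The following is an added, constructed C++ sketch of that mechanism; it is not MongoDB code, and `ManagedCursor`, `UnownedView`, `kPoisonByte` and the `std::vector<std::string>` standing in for WiredTiger are all assumptions made here. To keep the example free of undefined behaviour, the view also carries a generation counter so a stale read is refused rather than performed; in the real proposal the poisoned, freed memory would instead be caught by the resulting crash or by ASAN.

```cpp
// Constructed example of "poison on free / poison on cursor invalidation".
// Not MongoDB's BSONObj, RecordData or WiredTiger cursor; all names assumed.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Garbage pattern written over bytes that are about to be released. 0xDD is an
// assumed choice; the point is a value that cannot pass for a sensible BSON
// length or type byte, so a stale read fails loudly instead of succeeding.
constexpr uint8_t kPoisonByte = 0xDD;

// First bullet: overwrite owned memory with garbage before freeing it.
// Returns the number of bytes overwritten.
size_t poisonBuffer(std::vector<uint8_t>& buf) {
    if (!buf.empty()) std::memset(buf.data(), kPoisonByte, buf.size());
    return buf.size();
}

bool allPoison(const std::vector<uint8_t>& buf) {
    for (uint8_t b : buf) if (b != kPoisonByte) return false;
    return true;
}

// Self-check: a buffer of `n` live bytes (constructed contents) is fully poisoned.
bool poisonCoversBuffer(size_t n) {
    std::vector<uint8_t> buf(n, 0x42);
    return poisonBuffer(buf) == n && allPoison(buf);
}

class ManagedCursor;

// Unowned view onto the cursor's managed buffer. It remembers the cursor's
// generation when it was handed out; advance/reset/close bump the generation,
// so a stale view can be detected before it touches freed, poisoned memory.
class UnownedView {
public:
    UnownedView(const ManagedCursor* cursor, uint64_t gen) : _cursor(cursor), _gen(gen) {}
    bool isValid() const;
    std::optional<std::string> tryRead() const;
private:
    const ManagedCursor* _cursor;
    uint64_t _gen;
};

// Second bullet: copy each record out of the storage engine into a buffer the
// cursor manages, and poison + free that buffer on any repositioning.
class ManagedCursor {
public:
    explicit ManagedCursor(std::vector<std::string> records)
        : _records(std::move(records)) {}

    // Position on record `i` and hand out an unowned view of the managed copy.
    std::optional<UnownedView> seek(size_t i) {
        invalidate();
        if (i >= _records.size()) return std::nullopt;
        _pos = i;
        _buf.assign(_records[i].begin(), _records[i].end());
        return UnownedView(this, _gen);
    }
    std::optional<UnownedView> advance() { return seek(_pos + 1); }
    void reset() { invalidate(); _pos = 0; }
    void close() { invalidate(); }

    uint64_t generation() const { return _gen; }
    const std::vector<uint8_t>& buffer() const { return _buf; }

private:
    // Overwrite with garbage, release the memory now, and retire every view.
    void invalidate() {
        poisonBuffer(_buf);
        std::vector<uint8_t>().swap(_buf);  // frees immediately, unlike clear()
        ++_gen;
    }

    std::vector<std::string> _records;
    std::vector<uint8_t> _buf;
    size_t _pos = 0;
    uint64_t _gen = 0;
};

bool UnownedView::isValid() const { return _cursor->generation() == _gen; }

std::optional<std::string> UnownedView::tryRead() const {
    if (!isValid()) return std::nullopt;  // would otherwise be a use-after-free
    const auto& b = _cursor->buffer();
    return std::string(b.begin(), b.end());
}

// The failure mode from the ticket: keep a view across a repositioning.
struct ScenarioResult {
    std::string firstRead;
    bool staleViewValid = true;
    bool staleReadRefused = false;
    std::string secondRead;
};

ScenarioResult runScenario() {
    ManagedCursor cursor({"alpha", "beta", "gamma"});  // constructed records
    UnownedView stale = *cursor.seek(0);
    ScenarioResult r;
    r.firstRead = stale.tryRead().value_or("");
    UnownedView fresh = *cursor.advance();  // poisons and frees the old copy
    r.staleViewValid = stale.isValid();
    r.staleReadRefused = !stale.tryRead().has_value();
    r.secondRead = fresh.tryRead().value_or("");
    return r;
}
```

The `swap` with an empty vector matters: `clear()` would keep the allocation alive and a stale pointer would keep reading the poisoned bytes quietly, whereas releasing it immediately gives ASAN, or a plain crash, a chance to report the access.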


    • Votes: 1