Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-91339

$redact may corrupt memory if $$ROOT is used in the expression.

    • Query Execution
    • Fully Compatible
    • ALL
    • v8.0, v7.3, v7.0, v6.0, v5.0
    • Hide

      1. Compile mongod with address sanitizers.
      2. Use attached repro.js

      Show
      1. Compile mongod with address sanitizers. 2. Use attached repro.js
    • 200

      If we $$DESCEND in redact, redact processor will create FieldIterator here:
      https://github.com/mongodb/mongo/blob/04b6560034663dc4627d40015535077d5b89945e/src/mongo/db/pipeline/redact_processor.cpp#L103

      FieldIterator iterates over DocumentStorage cache directly.
      However, if redact expression contains something that will read a lot of fields from $$ROOT (for example {$objectToArray: "$$ROOT"}),
      it will re-allocate cache when executing the expression for sub-document here:
      https://github.com/mongodb/mongo/blob/04b6560034663dc4627d40015535077d5b89945e/src/mongo/db/pipeline/redact_processor.cpp#L87

      This will make FieldIterator read freed memory.

        1. repro.js
          0.4 kB
          Ivan Fefer

            Assignee:
            ivan.fefer@mongodb.com Ivan Fefer
            Reporter:
            ivan.fefer@mongodb.com Ivan Fefer
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: