Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-6366

Off-by-one overflow in block-modification bitmaps for incremental backup

    • v4.4, v4.2

      Issue Status as of June 15, 2020

      There is a risk of in-memory corruption on MongoDB 4.2.7 when incremental backup is enabled.

      For this bug to occur:

      • The deployment must be running MongoDB 4.2.7.
      • The deployment is managed by Ops Manager 4.2.13+ or managed in Cloud Manager with MongoDB agent version v10.14.0+.
      • Incremental backups are enabled.
      • The deployment has collection files larger than 2GB on disk.
      • These collections are modified anytime after backups are enabled.

      If these conditions are met (and only if all these conditions are met), there is a chance that MongoDB will improperly overwrite memory. The most likely results of this bug are failed operations or process crashes. It is possible that a document in memory may be corrupted in a way that allows it to be returned to a client or persisted to disk without an explicit failure.

      All users on MongoDB 4.2.7 with incremental backup should upgrade to MongoDB 4.2.8 to avoid encountering this issue. If you have experienced a process crash and your deployment meets the above conditions, it may be advisable to validate the collections on the process to ensure that the data is consistent.

      This issue affects version 4.2.7.

      The fix is included in 4.2.8.

      Original Description

      michael.cahill found an error the code for managing block bitmaps for incremental backups.  Specifically, when touch the bit one past the end of the current map, we fail to extend the bitmap in this case and wind up overflowing the existing bitmap buffer, probably with bad consequences.

      With a default incremental backup granularity of 16MB and a bitmap allocation that starts at 128 bits and grows 64-bits at a time, this would only trigger if somebody modifies a large (> 2GB) file on a GB boundary.  


        1. fix.diff
          1 kB
        2. repro.diff
          5 kB

            keith.smith@mongodb.com Keith Smith
            keith.smith@mongodb.com Keith Smith
            1 Vote for this issue
            25 Start watching this issue