[SERVER-14538] use-after-free in mongo::profile Created: 12/Jul/14  Updated: 05/Sep/14  Resolved: 14/Jul/14

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: 2.7.3
Fix Version/s: 2.7.4

Type: Bug Priority: Critical - P2
Reporter: Andrew Morrow (Inactive) Assignee: J Rassi
Resolution: Done Votes: 0
Labels: address-sanitizer, stringdata-use-after-free
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Operating System: ALL
Steps To Reproduce:

On an OS X machine with clang-3.4 installed via MacPorts (change flags as needed):

scons --cache --mute --osx-version-min=10.9 --opt=on --dbg=on -j10 --cc=/opt/local/bin/clang --cxx=/opt/local/bin/clang++ --allocator=system --sanitize=address ./mongod ./mongos && ASAN_SYMBOLIZER_PATH=/opt/local/bin/llvm-symbolizer-mp-3.4 ./buildscripts/smoke.py jstests/auth/profile.js

Participants:
Linked BF Score: 0

Description

Detected by the ASAN build:

https://mci.10gen.com/ui/build/mongodb_mongo_master_sanitize_ubuntu1404_debug_asan_de724781deb23468c909acc73d98961b9c8e53c5_14_07_11_18_13_28

in the auth suite:

http://buildlogs.mongodb.org/mci_0.9_ubuntu1404-debug-asan/builds/9069/test/auth_0/auth1.js

The ASAN output looks like:

 m27000| =================================================================
 m27000| ==60123==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300003c130 at pc 0x10811dd54 bp 0x11450b270 sp 0x11450b238
 m27000| READ of size 9 at 0x60300003c130 thread T11
 m27000|     #0 0x10811dd53 in wrap_memcmp (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x16d53)
 m27000|     #1 0x103dc96a7 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0c6a7)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| 0x60300003c130 is located 0 bytes inside of 32-byte region [0x60300003c130,0x60300003c150)
 m27000| freed by thread T11 here:
 m27000|     #0 0x10812462e in wrap__ZdlPv (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d62e)
 m27000|     #1 0x103dc8928 in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b928)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| previously allocated by thread T11 here:
 m27000|     #0 0x10812432e in wrap__Znwm (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1d32e)
 m27000|     #1 0x103dc86db in mongo::(anonymous namespace)::_appendUserInfo(mongo::CurOp const&, mongo::BSONObjBuilder&, mongo::AuthorizationSession*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b0b6db)
 m27000|     #2 0x103dc4a10 in mongo::profile(mongo::OperationContext*, mongo::Client const&, int, mongo::CurOp&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100b07a10)
 m27000|     #3 0x103da049c in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100ae349c)
 m27000|     #4 0x1032eed45 in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*, mongo::LastError*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100031d45)
 m27000|     #5 0x10504ecca in mongo::PortMessageServer::handleIncomingMsg(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d91cca)
 m27000|     #6 0x10525bd6d in boost::(anonymous namespace)::thread_proxy(void*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9ed6d)
 m27000|     #7 0x7fff8a25d898 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x1898)
 m27000|     #8 0x7fff8a25d729 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x1729)
 m27000|     #9 0x7fff8a261fc8 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x5fc8)
 m27000|
 m27000| Thread T11 created by T0 here:
 m27000|     #0 0x10811d8a2 in wrap_pthread_create (/opt/local/libexec/llvm-3.4/lib/clang/3.4/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x168a2)
 m27000|     #1 0x10525b837 in boost::thread::start_thread() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101f9e837)
 m27000|     #2 0x105050df2 in boost::thread::thread<std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&> >(std::__1::__bind<void* (*)(void*), mongo::PortMessageServer::HandleIncomingMsgParam*&>&&) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d93df2)
 m27000|     #3 0x10504cd76 in mongo::PortMessageServer::acceptedMP(mongo::MessagingPort*) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d8fd76)
 m27000|     #4 0x105041414 in mongo::Listener::accepted(boost::shared_ptr<mongo::Socket>, long long) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d84414)
 m27000|     #5 0x10503f9b4 in mongo::Listener::initAndListen() (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x101d829b4)
 m27000|     #6 0x1032ca873 in mongo::_initAndListen(int) (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x10000d873)
 m27000|     #7 0x1032c0b9d in main (/Users/andrew/Documents/10gen/dev/src/mongodb/mongod+0x100003b9d)
 m27000|     #8 0x7fff895e35fc in start (/usr/lib/system/libdyld.dylib+0x35fc)
 m27000|     #9 0xb
 m27000|
 m27000| SUMMARY: AddressSanitizer: heap-use-after-free ??:0 wrap_memcmp
 m27000| Shadow bytes around the buggy address:
 m27000|   0x1c06000077d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c06000077e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c06000077f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c0600007800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000|   0x1c0600007810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 m27000| =>0x1c0600007820: fa fa fa fa fa fa[fd]fd fd fd fa fa 00 00 00 fa
 m27000|   0x1c0600007830: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
 m27000|   0x1c0600007840: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
 m27000|   0x1c0600007850: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
 m27000|   0x1c0600007860: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
 m27000|   0x1c0600007870: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
 m27000| Shadow byte legend (one shadow byte represents 8 application bytes):
 m27000|   Addressable:           00
 m27000|   Partially addressable: 01 02 03 04 05 06 07
 m27000|   Heap left redzone:     fa
 m27000|   Heap right redzone:    fb
 m27000|   Freed heap region:     fd
 m27000|   Stack left redzone:    f1
 m27000|   Stack mid redzone:     f2
 m27000|   Stack right redzone:   f3
 m27000|   Stack partial redzone: f4
 m27000|   Stack after return:    f5
 m27000|   Stack use after scope: f8
 m27000|   Global redzone:        f9
 m27000|   Global init order:     f6
 m27000|   Poisoned by user:      f7
 m27000|   ASan internal:         fe
 m27000| ==60123==ABORTING

This test was green on the asan run last week, and is red now. The relevant commit range is

7fb52123c945b85866258fdb491c683c5aa54651..de724781deb23468c909acc73d98961b9c8e53c5

git bisect says "de724781deb23468c909acc73d98961b9c8e53c5 is the first bad commit"

Comments
Comment by Githook User [ 14/Jul/14 ]

Author: Jason Rassi (jrassi, rassi@10gen.com)

Message: SERVER-14538 _appendUserInfo: don't save addr pointing to temporary

Before de724781, the return value of CurOp::getNS() had a lifetime of
the CurOp object. As of de724781, CurOp::getNS() returns a
temporary.

_appendUserInfo() initialized a StringData from the result of
CurOp::getNS(), which was poor style but technically valid before
de724781. As of de724781, the buffer being pointed to by the
StringData is destroyed along with the temporary, creating a
use-after-free at introspect.cpp:70 when the StringData is read.
Branch: master
https://github.com/mongodb/mongo/commit/6100641c26da87cfcc8a2655feec10a42f1eb753
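An added illustration of the lifetime mistake the commit message describes and of its fix (this is not MongoDB's code; StringView, CurOpLike and nsMatches are simplified stand-ins for StringData, CurOp::getNS() and the namespace check in _appendUserInfo). The fix keeps an owning std::string in scope for as long as the view is read, and the view type additionally refuses to bind to a temporary so the dangling pattern fails to compile rather than surfacing only under ASAN.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>

// Minimal non-owning view modelled on mongo::StringData (a hypothetical
// simplification, not MongoDB's code). It stores a pointer into storage it
// does not own, so it is valid only while that storage stays alive.
class StringView {
public:
    StringView(const char* p, std::size_t n) : _p(p), _n(n) {}
    StringView(const std::string& s) : _p(s.data()), _n(s.size()) {}
    // Hardening: refuse to bind to a temporary std::string. With this
    // deleted overload the shape that caused SERVER-14538,
    //   StringView ns = op.getNS();   // getNS() returns by value
    // is rejected at compile time instead of dangling at run time.
    StringView(std::string&&) = delete;
    // Byte-wise compare, like the memcmp the ASAN trace flagged.
    bool operator==(StringView o) const {
        return _n == o._n && std::memcmp(_p, o._p, _n) == 0;
    }
    std::size_t size() const { return _n; }
private:
    const char* _p;
    std::size_t _n;
};

// Stand-in for CurOp::getNS() after de724781: it returns a fresh std::string
// (a temporary at the call site), not a reference into the object.
class CurOpLike {
public:
    CurOpLike(std::string db, std::string coll)
        : _db(std::move(db)), _coll(std::move(coll)) {}
    std::string getNS() const { return _db + "." + _coll; }
private:
    std::string _db, _coll;
};

// Corrected shape of the namespace check in _appendUserInfo: an owning
// std::string stays in scope for as long as the view borrowed from it is used.
bool nsMatches(const CurOpLike& op, const char* expected) {
    const std::string ns = op.getNS();   // owning copy, lives to end of scope
    StringView nsView(ns);               // borrows from the local, not a temporary
    return nsView == StringView(expected, std::strlen(expected));
}
```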
