[SERVER-15586] Potential use-after-free in replication rollback
Created: 09/Oct/14 | Updated: 25/Oct/14 | Resolved: 09/Oct/14

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication |
| Affects Version/s: | None |
| Fix Version/s: | 2.7.8 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | David Percy |
| Assignee: | David Percy |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Participants: | |

| Description |

The rollback code creates and stores pointers to memory that is not guaranteed to still be alive here:

https://github.com/mongodb/mongo/blob/master/src/mongo/db/repl/rs_rollback.cpp#L242

At that call to insert, fixUpInfo can potentially outlive the data that doc points to. doc points to data from a query, which happens to always be alive in MMAPv1, but that might not be true for other storage engines.

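The lifetime problem the description points at, shown as an added example that is not code from the MongoDB repository and not the reporter's own words. A toy storage engine hands out an unowned pointer into a buffer that it reuses on the next fetch, which is the behaviour the description says MMAPv1 happened not to have; a rollback bookkeeping structure that stores that pointer, as the insert in rs_rollback.cpp does, reads stale data when it is consulted later, while a variant that copies the bytes at insert time does not. The names ToyStorageEngine, DocView, UnownedFixUpInfo, OwnedFixUpInfo and the sample documents are all hypothetical; the ticket does not record how the fix was implemented, so the owned variant demonstrates the generic remedy rather than the actual patch.

```cpp
// Added example, not MongoDB code: a toy model of the SERVER-15586 pattern.
// All type and function names here are hypothetical stand-ins for the real
// rs_rollback.cpp types.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>
#include <vector>

// Unowned view of a document: raw pointer plus length, valid only as long as
// whoever owns the bytes keeps them alive.
struct DocView {
    const char* data;
    std::size_t len;
};

static const std::size_t kScratchSize = 256;

// Toy storage engine. Unlike MMAPv1, which kept record memory mapped while a
// query result was in use, this engine returns views into one scratch buffer
// and overwrites that buffer on every fetch.
class ToyStorageEngine {
public:
    ToyStorageEngine() : scratch_(kScratchSize, '\0') {}

    void insertRecord(const std::string& id, const std::string& body) {
        records_[id] = body.substr(0, kScratchSize);  // keep it within the buffer
    }

    // Returns a DocView aliasing scratch_. Any earlier DocView is now stale.
    DocView fetch(const std::string& id) {
        const std::string& body = records_.at(id);
        std::fill(scratch_.begin(), scratch_.end(), '\0');
        std::memcpy(scratch_.data(), body.data(), body.size());
        return DocView{scratch_.data(), body.size()};
    }

private:
    std::map<std::string, std::string> records_;
    std::vector<char> scratch_;
};

// Vulnerable bookkeeping: stores the pointer it was handed, so the structure
// outlives the data the pointer refers to (the pattern the ticket describes).
struct UnownedFixUpInfo {
    std::vector<DocView> docsToRefetch;
    void insert(DocView doc) { docsToRefetch.push_back(doc); }
    std::string docAt(std::size_t i) const {
        return std::string(docsToRefetch[i].data, docsToRefetch[i].len);
    }
};

// Hardened bookkeeping: copies the bytes at insert time, so the stored
// document stays valid regardless of what the engine does with its buffer.
struct OwnedFixUpInfo {
    std::vector<std::string> docsToRefetch;
    void insert(DocView doc) { docsToRefetch.emplace_back(doc.data, doc.len); }
    std::string docAt(std::size_t i) const { return docsToRefetch[i]; }
};

// Phase one of a rollback: query each document and remember it in fixUpInfo.
// Phase two: read the remembered documents back. Templated on the bookkeeping
// type so both variants run exactly the same steps.
template <class FixUpInfo>
std::vector<std::string> rollbackPhases(ToyStorageEngine& engine,
                                        const std::vector<std::string>& ids) {
    FixUpInfo fixUpInfo;
    for (const std::string& id : ids) {
        DocView doc = engine.fetch(id);  // valid only until the next fetch
        fixUpInfo.insert(doc);
    }
    std::vector<std::string> seen;
    for (std::size_t i = 0; i < ids.size(); ++i) seen.push_back(fixUpInfo.docAt(i));
    return seen;
}

// Constructed sample collection (hypothetical data, not from the ticket).
ToyStorageEngine makeSampleEngine() {
    ToyStorageEngine engine;
    engine.insertRecord("1", "{_id:1,a:1}");
    engine.insertRecord("2", "{_id:2,a:2}");
    return engine;
}

const std::vector<std::string> kSampleIds = {"1", "2"};

std::vector<std::string> rollbackWithUnownedPointers() {
    ToyStorageEngine engine = makeSampleEngine();
    return rollbackPhases<UnownedFixUpInfo>(engine, kSampleIds);
}

std::vector<std::string> rollbackWithOwnedCopies() {
    ToyStorageEngine engine = makeSampleEngine();
    return rollbackPhases<OwnedFixUpInfo>(engine, kSampleIds);
}

int main() {
    std::vector<std::string> stale = rollbackWithUnownedPointers();
    std::vector<std::string> fresh = rollbackWithOwnedCopies();
    for (std::size_t i = 0; i < kSampleIds.size(); ++i) {
        std::printf("id %s: unowned=%s owned=%s\n", kSampleIds[i].c_str(),
                    stale[i].c_str(), fresh[i].c_str());
    }
    return 0;
}
```

With the unowned variant, the entry remembered for id 1 reads back as document 2, because its pointer aliases the scratch buffer that the second fetch overwrote. The toy engine reuses a live buffer so the failure is deterministic and visible as wrong data; a real engine that unmaps or frees the record memory instead would turn the same stored pointer into a genuine use-after-free, which is why the safe choice is to copy the document when it is inserted rather than rely on the engine keeping it alive.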
| Comments |
| Comment by Githook User [ 09/Oct/14 ] |

Author: David Percy (dpercy) <david.percy@mongodb.com>
Message: Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>