[SERVER-15586] Potential use-after-free in replication rollback Created: 09/Oct/14  Updated: 25/Oct/14  Resolved: 09/Oct/14

Status: Closed
Project: Core Server
Component/s: Replication
Affects Version/s: None
Fix Version/s: 2.7.8

Type: Bug Priority: Major - P3
Reporter: David Percy Assignee: David Percy
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

Description

The rollback code creates and stores pointers to memory that is not guaranteed to still be alive here: https://github.com/mongodb/mongo/blob/master/src/mongo/db/repl/rs_rollback.cpp#L242

At that call to insert, fixUpInfo can outlive the data that doc points to. doc refers to memory returned by a query; in MMAPv1 that memory happens to stay alive for the duration of rollback, but no such guarantee holds for other storage engines.
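The lifetime problem described above, as an added illustration that is not code from the MongoDB repository or from the fix commit: a hypothetical QueryResult/Cursor pair stands in for a storage engine that frees a document's bytes once the cursor moves on, FixUpInfoNonOwning stores raw pointers into those buffers the way the ticket describes, and FixUpInfoOwning stores copies instead. All type and function names here are constructed for the example.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for one query result. The storage engine owns the
// document bytes and releases them when the result is destroyed.
struct QueryResult {
    std::unique_ptr<std::string> doc;
};

// Minimal cursor: each call to next() hands out a fresh result; the caller's
// previous result (and its bytes) is freed when that unique_ptr goes away.
class Cursor {
public:
    explicit Cursor(std::vector<std::string> docs) : docs_(std::move(docs)) {}
    std::unique_ptr<QueryResult> next() {
        if (idx_ >= docs_.size()) return nullptr;
        auto r = std::make_unique<QueryResult>();
        r->doc = std::make_unique<std::string>(docs_[idx_++]);
        return r;
    }
private:
    std::vector<std::string> docs_;
    std::size_t idx_ = 0;
};

// Pattern the ticket describes: bookkeeping that stores pointers into memory
// owned by the query. A vector is used (not a set) so that no stored entry is
// ever compared or read after its buffer is gone.
struct FixUpInfoNonOwning {
    std::vector<const std::string*> docsToRefetch;
};

// Hardened form: the bookkeeping owns a copy of each document, so the
// lifetime of the query result no longer matters.
struct FixUpInfoOwning {
    std::set<std::string> docsToRefetch;
};

// Runs the rollback-style loop with the non-owning struct and returns how many
// stored pointers refer to a document that has already been released. The
// pointers are never dereferenced (that would be the use-after-free); only
// their addresses are compared against the addresses seen being freed.
std::size_t countDanglingPointers(std::vector<std::string> docs) {
    FixUpInfoNonOwning info;
    std::vector<const std::string*> released;
    {
        Cursor cur(std::move(docs));
        while (auto r = cur.next()) {
            info.docsToRefetch.push_back(r->doc.get());
            released.push_back(r->doc.get());
        }  // r and its document are freed at the end of every iteration
    }
    std::size_t dangling = 0;
    for (const std::string* p : info.docsToRefetch) {
        for (const std::string* q : released) {
            if (p == q) { ++dangling; break; }
        }
    }
    return dangling;
}

// Same loop with the owning struct: insert() copies the bytes, so the set is
// still valid after the cursor and all its results have been destroyed.
std::set<std::string> collectOwned(std::vector<std::string> docs) {
    FixUpInfoOwning info;
    {
        Cursor cur(std::move(docs));
        while (auto r = cur.next()) {
            info.docsToRefetch.insert(*r->doc);
        }
    }
    return info.docsToRefetch;
}

int main() {
    // Constructed sample input: three query results, one of them a duplicate.
    const std::vector<std::string> sample = {"doc-a", "doc-b", "doc-a"};
    const bool ok = countDanglingPointers(sample) == sample.size() &&
                    collectOwned(sample).size() == 2;
    return ok ? 0 : 1;
}
```

The owning variant is the defensive choice whenever the container may outlive the query that produced the entries; with a storage engine that recycles buffers, the non-owning set would compare and read freed memory on its very next insert.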



Comments
Comment by Githook User [ 09/Oct/14 ]

Author:

{u'username': u'dpercy', u'name': u'David Percy', u'email': u'david.percy@mongodb.com'}

Message: SERVER-15586 Potential use-after-free in rollback

Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Closes #821
Branch: master
https://github.com/mongodb/mongo/commit/aa7c6f168bb33ce2be2b00591a7030f3fcece9d0
