[SERVER-17109] getmore operation on listIndexes cursor can access invalid BSONObj objdata and crash the server Created: 29/Jan/15  Updated: 18/Sep/15  Resolved: 18/Feb/15

Status: Closed
Project: Core Server
Component/s: Index Maintenance, Storage
Affects Version/s: 3.0.0-rc7
Fix Version/s: 3.0.0-rc9, 3.1.0

Type: Bug Priority: Major - P3
Reporter: Kamran K. Assignee: David Storch
Resolution: Done Votes: 0
Labels: 28qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-14707 listCollections and listIndexes comma... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Participants:

 Description   

During a longevity test, I noticed a crash that was triggered by a getmore operation accessing invalid BSONObj objdata. The getmore was happening concurrently with a repair on the same database.

(gdb) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:166
#1  0x0000000001143b50 in mongo::ConstDataView::readNative<int> (this=0x7ffdd7caef50, t=0x7ffdd7caef0c, offset=0) at src/mongo/base/data_view.h:59
#2  0x00000000011425c7 in mongo::ConstDataView::readNative<int> (this=0x7ffdd7caef50, offset=0) at src/mongo/base/data_view.h:66
#3  0x0000000001140237 in mongo::ConstDataView::readLE<int> (this=0x7ffdd7caef50, offset=0) at src/mongo/base/data_view.h:72
#4  0x000000000113d195 in mongo::BSONObj::objsize (this=0x7ffdd7caf130) at src/mongo/bson/bsonobj.h:318
#5  0x00000000015365ce in mongo::getMore (txn=0x7ffdd7caf7d0, ns=0x4ac8414 "aggdb.$cmd.listIndexes.testGeoUpdate", ntoreturn=0, cursorid=4905077146, curop=..., pass=0, exhaust=@0x7ffdd7caf296: false, 
    isCursorAuthorized=0x7ffdd7caf320, fromDBDirectClient=false) at src/mongo/db/query/find.cpp:341
#6  0x00000000014420fb in mongo::receivedGetMore (txn=0x7ffdd7caf7d0, dbresponse=..., m=..., curop=..., fromDBDirectClient=false) at src/mongo/db/instance.cpp:786
#7  0x000000000143f0e3 in mongo::assembleResponse (txn=0x7ffdd7caf7d0, m=..., dbresponse=..., remote=..., fromDBDirectClient=false) at src/mongo/db/instance.cpp:406
#8  0x000000000113f4f8 in mongo::MyMessageHandler::process (this=0x30b81c0, m=..., port=0xc16fa40, le=0x73d5db0) at src/mongo/db/db.cpp:206
#9  0x00000000018e1118 in mongo::PortMessageServer::handleIncomingMsg (arg=0xc16fa40) at src/mongo/util/net/message_server_port.cpp:229
#10 0x00007ffff7bc4182 in start_thread (arg=0x7ffdd7cb0700) at pthread_create.c:312
#11 0x00007ffff6cc500d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
 
(gdb) f 5
#5  0x00000000015365ce in mongo::getMore (txn=0x7ffdd7caf7d0, ns=0x4ac8414 "aggdb.$cmd.listIndexes.testGeoUpdate", ntoreturn=0, cursorid=4905077146, curop=..., pass=0, exhaust=@0x7ffdd7caf296: false, 
    isCursorAuthorized=0x7ffdd7caf320, fromDBDirectClient=false) at src/mongo/db/query/find.cpp:341
341                     bb.appendBuf((void*)obj.objdata(), obj.objsize());
(gdb) p obj
$57 = {_objdata = 0x7ffacc2d6340 <error: Cannot access memory at address 0x7ffacc2d6340>, _ownedBuffer = {_holder = {px = 0x0}}}


Version: ac9ee2fb80f2afc2737
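
The failure mode in the report, as an added example that is not MongoDB's code: a cursor queues BSON objects that are bare views into storage owned by the index catalog, a concurrent repair rebuilds that storage, and the later getMore reads the object's size prefix (frame #4, objsize()) and copies its bytes (frame #5, appendBuf) from memory that is no longer valid. The contrast shown is queuing an owned copy instead. The class and function names (Doc, IndexCatalog, ListIndexesCursor, getMoreAfterRepair) and the sample index names are hypothetical; getOwned() is the name of the real BSONObj method but is reimplemented here on a stand-in type; and the mechanism (stale view into catalog storage, fixed by taking ownership) is inferred from the backtrace and the fix commit's message, not verified against the linked commits.

```cpp
// Added example, not MongoDB source: a small model of a stale-view lifetime bug.
// A BSON document is a length-prefixed byte buffer. A view object that only stores
// a pointer into a buffer owned by someone else dangles once that owner drops the
// buffer; a cursor that queues such views for a later getMore then copies from
// invalid memory. The fix pattern is to queue an owned copy.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Stand-in for BSONObj: a pointer into some buffer plus optional owned storage.
struct Doc {
    const char* objdata = nullptr;
    std::shared_ptr<std::vector<char>> owned;      // non-null iff this Doc owns its bytes

    int32_t objsize() const {                      // like BSONObj::objsize(): read the int32 prefix
        int32_t n;
        std::memcpy(&n, objdata, sizeof n);        // the memcpy that faulted in frame #0
        return n;
    }
    std::string name() const { return std::string(objdata + sizeof(int32_t)); }
    bool isOwned() const { return owned != nullptr; }
    Doc getOwned() const {                         // same idea as BSONObj::getOwned()
        if (isOwned()) return *this;
        Doc d;
        d.owned = std::make_shared<std::vector<char>>(objdata, objdata + objsize());
        d.objdata = d.owned->data();
        return d;
    }
};

// Encode an index name as [int32 LE size][name]['\0'].
static std::vector<char> encode(const std::string& name) {
    int32_t size = static_cast<int32_t>(sizeof(int32_t) + name.size() + 1);
    std::vector<char> buf(size);
    std::memcpy(buf.data(), &size, sizeof size);
    std::memcpy(buf.data() + sizeof(int32_t), name.c_str(), name.size() + 1);
    return buf;
}

// Hypothetical index catalog that owns the spec buffers; repair() rebuilds them.
// Reading freed memory is undefined behaviour, so to keep the demo deterministic
// repair() overwrites the old bytes with 0xFF and keeps them mapped instead of
// freeing them; a real allocator would reuse or unmap those pages.
class IndexCatalog {
public:
    explicit IndexCatalog(const std::vector<std::string>& names) { rebuild(names); }
    std::vector<Doc> listIndexes() const {        // hands out bare views into specs_
        std::vector<Doc> out;
        for (const auto& b : specs_) { Doc d; d.objdata = b->data(); out.push_back(d); }
        return out;
    }
    void repair() {
        std::vector<std::string> names;
        for (const auto& b : specs_) names.emplace_back(b->data() + sizeof(int32_t));
        for (const auto& b : specs_) std::fill(b->begin(), b->end(), static_cast<char>(0xFF));
        stale_ = std::move(specs_);               // retained only so the demo cannot fault
        rebuild(names);
    }
private:
    void rebuild(const std::vector<std::string>& names) {
        specs_.clear();
        for (const auto& n : names) specs_.push_back(std::make_shared<std::vector<char>>(encode(n)));
    }
    std::vector<std::shared_ptr<std::vector<char>>> specs_, stale_;
};

// Hypothetical cursor that queues listIndexes results for later getMore batches.
// takeOwnership=false queues bare views (the reported behaviour);
// takeOwnership=true queues owned copies (the fix pattern).
class ListIndexesCursor {
public:
    ListIndexesCursor(const IndexCatalog& cat, bool takeOwnership) {
        for (const Doc& d : cat.listIndexes()) queued_.push_back(takeOwnership ? d.getOwned() : d);
    }
    std::vector<std::string> getMore() {
        std::vector<std::string> batch;
        for (const Doc& d : queued_) {
            int32_t n = d.objsize();
            // Sanity-check the prefix before trusting it as a copy length. This catches
            // garbage but not an unmapped page, which faults inside objsize() itself.
            if (n < static_cast<int32_t>(sizeof(int32_t)) || n > kMaxBsonSize)
                batch.push_back("<invalid objsize " + std::to_string(n) + ">");
            else
                batch.push_back(d.name());
        }
        queued_.clear();
        return batch;
    }
private:
    static constexpr int32_t kMaxBsonSize = 16 * 1024 * 1024;   // 16 MiB BSON document limit
    std::vector<Doc> queued_;
};

// The reported interleaving: open the listIndexes cursor, repair, then getMore.
std::vector<std::string> getMoreAfterRepair(bool takeOwnership) {
    IndexCatalog catalog({"_id_", "loc_2dsphere"});   // constructed sample index names
    ListIndexesCursor cursor(catalog, takeOwnership);
    catalog.repair();
    return cursor.getMore();
}
```

With takeOwnership=false the batch contains "<invalid objsize -1>" for every entry, because the stale views now read the 0xFF poison; with takeOwnership=true it contains the original names. If you remove the stale_ retention so repair() really frees the buffers and build with AddressSanitizer, the memcpy in objsize() is reported as a heap-use-after-free, which is the cheap way to catch this class of bug in tests before it shows up as an unmapped-page crash in a longevity run.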



 Comments   
Comment by Githook User [ 19/Feb/15 ]

Author: David Storch (dstorch) <david.storch@10gen.com>

Message: SERVER-17109 fix invalid BSON access in listIndexes command

(cherry picked from commit a6fc69010b65fc064cc529b2063fff83a167cedc)
Branch: v3.0
https://github.com/mongodb/mongo/commit/443c1bbf2b0b48bf38aa385d672964fb14f6b758

Comment by Githook User [ 18/Feb/15 ]

Author: David Storch (dstorch) <david.storch@10gen.com>

Message: SERVER-17109 fix invalid BSON access in listIndexes command
Branch: master
https://github.com/mongodb/mongo/commit/a6fc69010b65fc064cc529b2063fff83a167cedc

Generated at Thu Feb 08 03:43:19 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.