[SERVER-35929] Possible use-after-free when reloading the view catalog due to an invalidation Created: 01/Jul/18  Updated: 29/Oct/23  Resolved: 10/Jul/18

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: 4.0.0
Fix Version/s: 4.0.1, 4.1.1

Type: Bug Priority: Major - P3
Reporter: Max Hirschhorn Assignee: Kyle Suarez
Resolution: Fixed Votes: 0
Labels: read-only-views
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.0
Sprint: Query 2018-07-16
Participants:
Linked BF Score: 16

Description

The address taken by resolvedNss = &(view->viewOn()) points into memory owned by ViewCatalog::_viewMap. That memory is freed when a later iteration of ViewCatalog::_lookup_inlock() triggers ViewCatalog::_reloadIfNeeded_inlock(), which rebuilds the map, so resolvedNss is left dangling. This can happen if ViewCatalog::invalidate() is called concurrently while ViewCatalog::resolveView() is still following a chain of view definitions.

Note: This issue cannot be triggered against MongoDB 3.4 or 3.6 because the parallel-batch writer lock prevents resolving a view definition from overlapping with oplog application.
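The two sentences above are the entire record of the bug, so here is an added, simplified model of the pattern and of the remedy named in the fix commit ("restart view resolution if catalog is invalidated"). This is example code written for this page, not MongoDB's implementation: the names ViewCatalog, _viewMap, _lookup_inlock, _reloadIfNeeded_inlock, invalidate and resolveView mirror the identifiers in the description, while the ViewDefinition struct, the Loader, the generation counter, the onLookup hook and the sample namespaces are assumptions. The real server serialises access with a mutex (hence the _inlock suffix); the model is single-threaded and uses the hook to stand in for an invalidate() arriving from oplog application mid-chain. The safe version keeps an owned copy of the current namespace rather than a pointer into the map, and restarts the walk whenever the map was rebuilt underneath it.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>

// Constructed model of a view definition; viewOn mirrors view->viewOn() in the report.
struct ViewDefinition {
    std::string name;
    std::string viewOn;  // namespace this view reads from (a collection or another view)
};

using ViewMap = std::map<std::string, ViewDefinition>;

// Stand-in for ViewCatalog: a cached map rebuilt on demand after invalidate().
class ViewCatalog {
public:
    using Loader = std::function<ViewMap()>;

    explicit ViewCatalog(Loader loader) : _loader(std::move(loader)) { _reloadIfNeeded_inlock(); }

    // In the server this is driven by oplog application; it marks the cached map stale.
    void invalidate() { _valid = false; }

    // Test hook (assumption): runs on every lookup so a caller can simulate a
    // concurrent invalidate() landing in the middle of a resolution chain.
    std::function<void()> onLookup;

    // Follow a chain of views down to the underlying collection namespace.
    // 'out' receives an owned copy, never a pointer into _viewMap. Returns false on a
    // cycle, an over-long chain, or a catalog that keeps being invalidated.
    bool resolveView(const std::string& nss, std::string& out, int& restarts) {
        constexpr int kMaxDepth = 20;     // bound on chain length, doubles as cycle guard
        constexpr int kMaxRestarts = 10;  // give up if the catalog keeps churning
        restarts = 0;
        for (int attempt = 0; attempt < kMaxRestarts; ++attempt) {
            const unsigned long gen = _generation;  // which map instance we are walking
            std::string current = nss;              // owned copy, survives any reload
            bool invalidated = false;
            for (int depth = 0; depth < kMaxDepth; ++depth) {
                const ViewDefinition* view = _lookup_inlock(current);
                if (_generation != gen) {
                    // The map was rebuilt inside the lookup: any ViewDefinition pointer from
                    // an earlier iteration is now dangling and the chain walked so far may
                    // no longer exist. Restart rather than trust stale state.
                    invalidated = true;
                    break;
                }
                if (view == nullptr) { out = current; return true; }  // a real collection
                current = view->viewOn;  // copy out before the next lookup can free *view
            }
            if (!invalidated) return false;  // cycle or chain deeper than kMaxDepth
            ++restarts;
        }
        return false;
    }

private:
    const ViewDefinition* _lookup_inlock(const std::string& nss) {
        if (onLookup) onLookup();
        _reloadIfNeeded_inlock();  // frees every entry handed out before this call
        auto it = _viewMap.find(nss);
        return it == _viewMap.end() ? nullptr : &it->second;
    }

    void _reloadIfNeeded_inlock() {
        if (_valid) return;
        _viewMap = _loader();  // the previous ViewDefinitions are destroyed here
        _valid = true;
        ++_generation;
    }

    Loader _loader;
    ViewMap _viewMap;
    bool _valid = false;
    unsigned long _generation = 0;
};

// Constructed sample catalog: db.v2 -> db.v1 -> db.coll, plus a cycle db.a <-> db.b.
static ViewMap sampleViews() {
    return {{"db.v1", {"db.v1", "db.coll"}}, {"db.v2", {"db.v2", "db.v1"}},
            {"db.a", {"db.a", "db.b"}},      {"db.b", {"db.b", "db.a"}}};
}

struct Outcome {
    std::string nss;  // resolved collection; empty when resolution failed
    int restarts;
};

// Resolution with no concurrent invalidation.
Outcome resolveQuiet(const std::string& nss) {
    ViewCatalog catalog(sampleViews);
    Outcome o{"", 0};
    catalog.resolveView(nss, o.nss, o.restarts);
    return o;
}

// Resolution while invalidate() lands on the second lookup of the chain, i.e. the
// interleaving the report describes (invalidation racing resolveView()).
Outcome resolveWithInvalidation(const std::string& nss) {
    ViewCatalog catalog(sampleViews);
    int lookups = 0;
    catalog.onLookup = [&] { if (++lookups == 2) catalog.invalidate(); };
    Outcome o{"", 0};
    catalog.resolveView(nss, o.nss, o.restarts);
    return o;
}

int main() {
    Outcome a = resolveQuiet("db.v2");
    Outcome b = resolveWithInvalidation("db.v2");
    Outcome c = resolveQuiet("db.a");
    std::printf("quiet: %s (%d restarts)\n", a.nss.c_str(), a.restarts);
    std::printf("raced: %s (%d restarts)\n", b.nss.c_str(), b.restarts);
    std::printf("cycle: '%s'\n", c.nss.c_str());
    return 0;
}
```

The generation check is what the original code lacked: once a reload can happen inside any lookup, every pointer obtained before that lookup has to be treated as invalid, and the only state that may carry across iterations is data the caller owns. A sanitizer build only catches this when the reload actually interleaves with a walk, which is why a race of this shape can sit unreported in ASan runs.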



Comments
Comment by Githook User [ 10/Jul/18 ]

Author:

{'username': 'ksuarz', 'name': 'Kyle Suarez', 'email': 'kyle.suarez@mongodb.com'}

Message: SERVER-35929 restart view resolution if catalog is invalidated

(cherry picked from commit e86d684515abe1c4dbf79dbb71741b5db0317039)
Branch: v4.0
https://github.com/mongodb/mongo/commit/8d5d6cf7a21c228f22c472c2779fc650c520fcfa

Comment by Githook User [ 10/Jul/18 ]

Author:

{'username': 'ksuarz', 'name': 'Kyle Suarez', 'email': 'kyle.suarez@mongodb.com'}

Message: SERVER-35929 restart view resolution if catalog is invalidated
Branch: master
https://github.com/mongodb/mongo/commit/e86d684515abe1c4dbf79dbb71741b5db0317039

Comment by Andrew Morrow (Inactive) [ 09/Jul/18 ]

max.hirschhorn - Any thoughts on why this didn't trip the AddressSanitizer builds?

Generated at Thu Feb 08 04:41:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.