[SERVER-35929] Possible use-after-free when reloading the view catalog due to an invalidation
Created: 01/Jul/18 Updated: 29/Oct/23 Resolved: 10/Jul/18
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Querying |
| Affects Version/s: | 4.0.0 |
| Fix Version/s: | 4.0.1, 4.1.1 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Max Hirschhorn |
| Assignee: | Kyle Suarez |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | read-only-views |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.0 |
| Sprint: | Query 2018-07-16 |
| Participants: | |
| Linked BF Score: | 16 |
Description

The resolvedNss = &(view->viewOn()) address refers to memory within ViewCatalog::_viewMap and would have therefore been freed when a subsequent iteration of ViewCatalog::_lookup_inlock() leads to ViewCatalog::_reloadIfNeeded_inlock() being called. This could happen if ViewCatalog::invalidate() is called concurrently while following a chain of view definitions in ViewCatalog::resolveView(). Note: This issue cannot be triggered against MongoDB 3.4 or 3.6 because the parallel-batch writer lock prevents resolving a view definition from overlapping with oplog application.
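A minimal model of the pattern described in the report, added here as an illustration and not taken from MongoDB's ViewCatalog: the in-memory view map is rebuilt on the first lookup after invalidate(), which destroys every element the map held, and the hardened resolver keeps the next namespace by value instead of as a pointer into the map. The types and functions (ViewDefinition, lookup, reloadFromDurable, demoResolve) and the a -> b -> c chain are constructed for this example.

```cpp
// Constructed model of the SERVER-35929 pattern; not MongoDB's ViewCatalog code.
#include <map>
#include <string>
#include <utility>
#include <vector>

struct ViewDefinition {
    std::string name;
    std::string viewOn;  // namespace this view reads from (another view or a collection)
};

class ViewCatalog {
public:
    explicit ViewCatalog(std::vector<ViewDefinition> durable) : _durable(std::move(durable)) {}

    // A concurrent writer marks the in-memory map stale; the next lookup rebuilds it.
    void invalidate() { _valid = false; }

    // Models _lookup_inlock(): reload if needed, then find one view. The returned
    // pointer aims into _viewMap and is only valid until the next reload.
    const ViewDefinition* lookup(const std::string& ns) {
        if (!_valid) reloadFromDurable();
        auto it = _viewMap.find(ns);
        return it == _viewMap.end() ? nullptr : &it->second;
    }

    // Hardened resolveView(): the next namespace is copied by value. Keeping a pointer
    // (&(view->viewOn())) instead would hand lookup() a reference into a map element
    // that the reload at the top of that same lookup() has already destroyed.
    std::string resolveView(const std::string& ns, bool invalidateMidChain) {
        std::string resolvedNss = ns;
        while (const ViewDefinition* view = lookup(resolvedNss)) {
            resolvedNss = view->viewOn;
            if (invalidateMidChain) invalidate();  // simulate a racing invalidate()
        }
        return resolvedNss;  // the collection at the end of the chain
    }

private:
    void reloadFromDurable() {
        _viewMap.clear();  // destroys every ViewDefinition lookup() ever returned
        for (const auto& v : _durable) _viewMap.emplace(v.name, v);
        _valid = true;
    }
    std::vector<ViewDefinition> _durable;
    std::map<std::string, ViewDefinition> _viewMap;
    bool _valid = false;
};

// Resolves `start` over the chain a -> b -> c, optionally invalidating on every hop.
std::string demoResolve(const std::string& start, bool invalidateMidChain) {
    ViewCatalog catalog(std::vector<ViewDefinition>{{"a", "b"}, {"b", "c"}});
    return catalog.resolveView(start, invalidateMidChain);
}
```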
Comments

Comment by Githook User [ 10/Jul/18 ]

Author: {'username': 'ksuarz', 'name': 'Kyle Suarez', 'email': 'kyle.suarez@mongodb.com'}
Message: (cherry picked from commit e86d684515abe1c4dbf79dbb71741b5db0317039)

Comment by Githook User [ 10/Jul/18 ]

Author: {'username': 'ksuarz', 'name': 'Kyle Suarez', 'email': 'kyle.suarez@mongodb.com'}
Message:

Comment by Andrew Morrow (Inactive) [ 09/Jul/18 ]

max.hirschhorn - Any thoughts on why this didn't trip the AddressSanitizer builds?