[SERVER-42744] Fix transaction history iterator to not return unowned BSON that may be left dangling Created: 09/Aug/19 Updated: 29/Oct/23 Resolved: 09/Aug/19 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Querying |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.1, 4.3.1 |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Jacob Evans | Assignee: | Jacob Evans |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.2 |
| Participants: | |
| Linked BF Score: | 14 |
| Description |
Issue Status as of Oct 21, 2019

ISSUE SUMMARY
A memory management bug in code that tracks updates to documents can cause undefined behavior, including failed operations, process crashes, and in-memory corruption of data that may be persisted to disk. The code returns an un-owned object, which can be freed and re-used even though the object is still referenced. If this memory is accessed after it is re-used, the contents may cause a MongoDB server to incorrectly write to any memory used by the mongod process.

USER IMPACT
Even though serious impact is unlikely, all MongoDB 4.2.0 replica sets are considered vulnerable. The most likely impact is failed operations with a "BSONElement: bad type" error message in the mongod logs or in responses to clients. Another common failure mode is a process crash with "BSONElement: bad type" or "Invalid access" errors in the mongod logs. However, in-memory and on-disk corruption of documents are technically possible. The risk of triggering the bug in an impactful way goes up with the use of features that rely on the bugged code and in scenarios that require freeing and reusing memory frequently. This includes:

WORKAROUNDS
Upgrading to 4.2.1 corrects the bug. It is possible to reduce risk by addressing the risk factors described above, but because of the potential impact we strongly recommend upgrading from 4.2.0 to 4.2.1 immediately.

AFFECTED VERSIONS
MongoDB 4.2.0. Earlier versions of MongoDB are not affected.

FIX VERSION
MongoDB 4.2.1

Original description:
TransactionHistoryIterator::next() retrieves an unowned BSONObj from the call to PlanExecutor::getNext(). This is problematic because callers may save the resulting object and call next() several times without taking ownership (making a copy) first. This results in bugs where an unowned BSONObj can point to freed or overwritten memory. |
| Comments |
| Comment by Githook User [ 07/Oct/19 ] |
Author: {'name': 'Louis Williams', 'username': 'louiswilliams', 'email': 'louis.williams@mongodb.com'}
Message: (cherry picked from commit 9da0de4279f88cf0113957434606abaa430f3227) |
| Comment by Githook User [ 09/Aug/19 ] |
Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'}
Message: |