[SERVER-42744] Fix transaction history iterator to not return unowned BSON that may be left dangling Created: 09/Aug/19  Updated: 29/Oct/23  Resolved: 09/Aug/19

Status: Closed
Project: Core Server
Component/s: Querying
Affects Version/s: None
Fix Version/s: 4.2.1, 4.3.1

Type: Bug
Priority: Critical - P2
Reporter: Jacob Evans
Assignee: Jacob Evans
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.2
Linked BF Score: 14

Description
Issue Status as of Oct 21, 2019

ISSUE SUMMARY

A memory management bug in code that tracks updates to documents can cause undefined behavior, including failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

The code returns an unowned object, whose backing memory can be freed and reused even though the object is still referenced. If this memory is accessed after it has been reused, its contents may cause a MongoDB server to incorrectly write to any memory used by the mongod process.

USER IMPACT

Even though serious impact is unlikely, all MongoDB 4.2.0 replica sets are considered vulnerable.

The most likely impact is failed operations with a "BSONElement: bad type" error message in the mongod logs or in responses to clients. Another common failure mode is a process crash with "BSONElement: bad type" or "Invalid access" errors in the mongod logs. However, in-memory and on-disk corruption of documents are technically possible.

The risk of triggering the bug in an impactful way goes up with the use of features that rely on the bugged code and in scenarios that require freeing and reusing memory frequently. This includes:

  • the use of retryable writes, transactions, and change streams
  • sharded collection chunk migrations
  • high cache pressure (as measured by cache in/out and cache page eviction metrics)
  • frequent replica set failovers during periods of replication lag

WORKAROUNDS

Upgrading to 4.2.1 corrects the bug. It is possible to reduce risk by addressing the risk factors described above, but because of the potential impact we strongly recommend upgrading from 4.2.0 to 4.2.1 immediately.

AFFECTED VERSIONS

MongoDB 4.2.0. Earlier versions of MongoDB are not affected.

FIX VERSION

MongoDB 4.2.1

Original description

TransactionHistoryIterator::next() retrieves an unowned BSONObj from the call to PlanExecutor::getNext(). This is problematic because callers may save the resulting object and call next() several times without taking ownership (making a copy) first. This results in bugs where an unowned BSONObj can point to freed or overwritten memory.

Comments
Comment by Githook User [ 07/Oct/19 ]

Author:

{'name': 'Louis Williams', 'username': 'louiswilliams', 'email': 'louis.williams@mongodb.com'}

Message: SERVER-42744 Fix transaction history iterator to not return potentially-dangling BSON

(cherry picked from commit 9da0de4279f88cf0113957434606abaa430f3227)
Branch: v4.2
https://github.com/mongodb/mongo/commit/5e4b02164d39679d181154258d1db2506a783e5f

Comment by Githook User [ 09/Aug/19 ]

Author:

{'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'}

Message: SERVER-42744 Fix transaction history iterator to not return potentially-dangling BSON
Branch: master
https://github.com/mongodb/mongo/commit/9da0de4279f88cf0113957434606abaa430f3227

Generated at Thu Feb 08 05:01:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.