[SERVER-47846] CollMod (_collModInternal) unsafely accesses an IndexCatalogEntry that is destructed in an onRollback handler Created: 29/Apr/20  Updated: 29/Oct/23  Resolved: 06/May/20

Status: Closed
Project: Core Server
Component/s: Storage
Affects Version/s: None
Fix Version/s: 4.4.0-rc5, 4.7.0

Type: Bug Priority: Major - P3
Reporter: Dianna Hohensee (Inactive) Assignee: Eric Milkie
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Problem/Incident
is caused by SERVER-9306 Ability to temporarily forbid query o... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Execution Team 2020-05-18
Participants:
Linked BF Score: 88

 Description   

_collModInternal has a cmrNew variable that is used in a writeConflictRetry loop, but initialized before the loop begins. Usage of cmrNew must be very careful not to access memory that can become invalid (freed) after an onRollback call caused by a WriteConflictException. After SERVER-9306, we try to access cmrNew.idx (the unsafe pointer) before initializing it again in the writeConflictRetry loop. The old code, prior to SERVER-9306, did not make this mistake: the access used to be after initializing the pointer, so the pointer was safe for use at that point.



 Comments   
Comment by Githook User [ 06/May/20 ]

Author:

{'name': 'Eric Milkie', 'email': 'milkie@10gen.com', 'username': 'milkie'}

Message: SERVER-47846 fix use-after-free coding error in collMod hidden indexes

(cherry picked from commit 951a6c5f089fdb1c5e2cae1641a6ca20d8c2662c)
Branch: v4.4
https://github.com/mongodb/mongo/commit/af53817b7963ed7b19e4d0383867e59fb86a0c6e

Comment by Githook User [ 06/May/20 ]

Author:

{'name': 'Eric Milkie', 'email': 'milkie@10gen.com', 'username': 'milkie'}

Message: SERVER-47846 fix use-after-free coding error in collMod hidden indexes
Branch: master
https://github.com/mongodb/mongo/commit/951a6c5f089fdb1c5e2cae1641a6ca20d8c2662c

Generated at Thu Feb 08 05:15:24 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.