[SERVER-48989] Fix use-after-free issue in document_diff_serialization_test.cpp

Created: 19/Jun/20 | Updated: 29/Oct/23 | Resolved: 19/Jun/20

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | 4.7.0 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Arun Banala |
| Assignee | Arun Banala |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Backwards Compatibility | Fully Compatible |
| Operating System | ALL |
| Participants | |
| Linked BF Score | 45 |
| Description |

ArrayDiffBuilder::addUpdate() does not take ownership of the data passed as BSONElement, which means that the temporary objects here get freed after executing the line. When ArrayDiffBuilder tries to serialize, it expects the object to be still valid. We should also change all the other functions which pass a BSONElement, and not depend on the implementation of the DiffBuilders.
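As an added illustration (example code written for this page, not MongoDB's ArrayDiffBuilder, BSONObj or BSONElement), the pattern the description refers to can be modelled with a toy owning buffer and a non-owning view into it. The names Obj, ElementView, ViewDiffBuilder and OwningDiffBuilder, and the weak_ptr used to detect a dangling view, are assumptions made for this example only; a real BSONElement is just a pointer into the BSONObj's buffer and carries no such guard.

```cpp
// Added example (not MongoDB's code): a toy model of the non-owning
// element-view pattern behind SERVER-48989. "Obj" plays the role of the
// owning BSONObj, "ElementView" the role of a BSONElement: a raw pointer
// into Obj's buffer that does NOT keep the buffer alive.
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Owning buffer, reference counted like an owned BSONObj.
struct Obj {
    std::shared_ptr<std::string> buf;
    explicit Obj(std::string s) : buf(std::make_shared<std::string>(std::move(s))) {}
};

// Non-owning view. The weak_ptr is diagnostic instrumentation invented for
// this example (hypothetical; a real BSONElement is only a pointer). It lets
// the builder detect a dangling view instead of reading freed memory.
struct ElementView {
    const char* data;
    std::size_t len;
    std::weak_ptr<std::string> owner;  // hypothetical: tracks the backing buffer
    bool dangling() const { return owner.expired(); }
};

inline ElementView element(const Obj& o) {
    return ElementView{o.buf->data(), o.buf->size(), o.buf};
}

// BUGGY builder: stores the view, so it silently depends on the caller
// keeping the backing Obj alive until serialize() runs.
class ViewDiffBuilder {
    std::vector<ElementView> updates_;
public:
    void addUpdate(ElementView e) { updates_.push_back(e); }
    std::string serialize() const {
        std::string out;
        for (const auto& e : updates_) {
            if (e.dangling())
                throw std::runtime_error("use-after-free: backing buffer already freed");
            out.append(e.data, e.len).push_back(';');
        }
        return out;
    }
};

// FIXED builder: copies the element's bytes at addUpdate() time (takes
// ownership), so a temporary passed by the caller may die right afterwards.
class OwningDiffBuilder {
    std::vector<std::string> updates_;
public:
    void addUpdate(ElementView e) { updates_.emplace_back(e.data, e.len); }
    std::string serialize() const {
        std::string out;
        for (const auto& u : updates_) { out += u; out.push_back(';'); }
        return out;
    }
};

// Reproduces the bug: the Obj constructed inline is a temporary destroyed at
// the end of the full-expression, so the stored view dangles by the time
// serialize() looks at it.
inline bool viewBuilderDanglesAfterTemporary() {
    ViewDiffBuilder b;
    b.addUpdate(element(Obj("{a: 1}")));   // temporary Obj freed at the ';'
    try { b.serialize(); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Correct use of the view builder: keep the owner alive across serialize().
inline std::string viewBuilderWithLiveOwner() {
    Obj keep("{a: 1}");
    ViewDiffBuilder b;
    b.addUpdate(element(keep));
    return b.serialize();
}

// The owning builder is safe with the same temporaries.
inline std::string owningBuilderWithTemporary() {
    OwningDiffBuilder b;
    b.addUpdate(element(Obj("{a: 1}")));
    b.addUpdate(element(Obj("{b: 2}")));
    return b.serialize();
}

int main() {
    std::cout << "view builder dangles after temporary: "
              << (viewBuilderDanglesAfterTemporary() ? "yes" : "no") << '\n';
    std::cout << "view builder with live owner: " << viewBuilderWithLiveOwner() << '\n';
    std::cout << "owning builder with temporary: " << owningBuilderWithTemporary() << '\n';
    return 0;
}
```

Without the weak_ptr guard, the buggy path in viewBuilderDanglesAfterTemporary() would read freed heap memory; built with `-fsanitize=address` that read is what the ASAN builder mentioned in the comments reports as a heap-use-after-free. Either side of the contract fixes it: the builder copies what it needs at addUpdate() time, as OwningDiffBuilder does, or the caller keeps the backing object alive for the builder's whole lifetime, as viewBuilderWithLiveOwner() does; relying on the caller is the fragile option the description argues against.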
| Comments |

Comment by Arun Banala [ 19/Jun/20 ]

acm Yes, ASAN builder did catch this. I've linked the related BF.

Comment by Andrew Morrow (Inactive) [ 19/Jun/20 ]

arun.banala - Did the ASAN builder catch this? If not, do we have a theory as to why not?

Comment by Githook User [ 19/Jun/20 ]

Author: Arun Banala <arun.banala@mongodb.com> (username: banarun)
Message: