[SERVER-51444] BSONElement's buffer in IndexEntryInfo used for validation is unowned and unsafe to access after cursor advances Created: 08/Oct/20  Updated: 29/Oct/23  Resolved: 09/Oct/20

Status: Closed
Project: Core Server
Component/s: Storage
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Bug Priority: Major - P3
Reporter: Gregory Wlodarek Assignee: Gregory Wlodarek
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Execution Team 2020-10-19
Participants:
Linked BF Score: 89

Description

The second phase of validation saves a BSONElement that points into a shared buffer; that buffer is unsafe to use once the underlying memory is freed when the cursor is repositioned.
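As an added illustration, not code from the MongoDB commit, the following shows the hazard the description names: an entry record that keeps an unowned view into cursor memory versus one that copies the bytes out before the cursor moves. FakeCursor, UnownedEntryInfo and OwnedEntryInfo are constructed stand-ins for the storage cursor and IndexEntryInfo; the cursor overwrites its buffer instead of freeing it so the stale read shows up as a wrong value rather than undefined behaviour.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a storage cursor. seek() hands out a pointer into
// a buffer the cursor owns and reuses, so the pointer is only valid until the
// next seek(). (The real engine frees the memory; here it is overwritten so
// the effect is deterministic.)
class FakeCursor {
public:
    explicit FakeCursor(std::vector<std::string> keys) : _keys(std::move(keys)) {}
    const char* seek(std::size_t idx) {
        const std::string& k = _keys.at(idx);
        std::size_t n = std::min(k.size(), sizeof(_buf) - 1);
        std::memcpy(_buf, k.data(), n);
        _buf[n] = '\0';
        return _buf;
    }
private:
    std::vector<std::string> _keys;
    char _buf[64] = {};
};

// Unowned: keeps the raw pointer into cursor memory (the bug in the ticket).
struct UnownedEntryInfo { const char* key; };
// Owned: copies the bytes while the view is still valid (the safe form).
struct OwnedEntryInfo { std::string key; };

// Remember entry 0, advance the cursor to entry 1, then use the saved entry.
// Returns what the unowned view reads after the advance: "bravo", not "alpha".
std::string unownedAfterAdvance() {
    FakeCursor cur({"alpha", "bravo"});
    UnownedEntryInfo info{cur.seek(0)};
    cur.seek(1);                   // reposition invalidates info.key
    return std::string(info.key);  // stale: now sees entry 1's bytes
}

// Same sequence with an owned copy; the saved entry stays "alpha".
std::string ownedAfterAdvance() {
    FakeCursor cur({"alpha", "bravo"});
    OwnedEntryInfo info{std::string(cur.seek(0))};  // copy before advancing
    cur.seek(1);
    return info.key;
}
```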



Comments
Comment by Daniel Gottlieb (Inactive) [ 09/Oct/20 ]

Ah nice, the BF was generated only a few days after the commit which exposed the bug. That's reasonable to me!

Comment by Gregory Wlodarek [ 09/Oct/20 ]

daniel.gottlieb this regression was introduced not too long ago in the master branch only (I declined the backport after realizing this) by SERVER-49103. When SERVER-47681 went in, it made background validation yield its cursors, in addition to refreshing its storage snapshot. I believe a combination of those two exposed this issue. In addition, this affects the second phase of validation only, which is a harder code path to get to as you need to have corruption present.

Comment by Daniel Gottlieb (Inactive) [ 09/Oct/20 ]

gregory.wlodarek do you know when this bug was introduced? We took some measures a while back to better catch use-after-free errors specifically for when MDB is referencing memory pinned by a WT cursor. If this bug has been around for a long while, I'm curious if we know why this wasn't caught sooner. There may be a gap in the guard rails we put in.

Comment by Githook User [ 08/Oct/20 ]

Author: Gregory Wlodarek (gregory.wlodarek@mongodb.com, username GWlodarek)

Message: SERVER-51444 BSONElement's buffer in IndexEntryInfo used for validation is unowned and unsafe to access after cursor advances
Branch: master
https://github.com/mongodb/mongo/commit/5f15abcb11e7abddd49e58616fe16e992c5c81d9

Generated at Thu Feb 08 05:25:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.