[SERVER-62146] [SBE] Fix use-after-free bug with $arrayElemAt, $first, and $last Created: 17/Dec/21 Updated: 29/Oct/23 Resolved: 27/Dec/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 5.1.1, 5.2.0-rc1 |
| Fix Version/s: | 5.3.0, 5.1.2, 5.2.0-rc4 |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Eric Cox (Inactive) | Assignee: | Drew Paroski |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Backport Requested: |
v5.2, v5.1
|
||||||||
| Sprint: | QE 2021-12-27, QE 2022-01-10 | ||||||||
| Participants: | |||||||||
| Linked BF Score: | 160 | ||||||||
| Description |
|
A bug picked up by the agg wildcard fuzzer here. This bug can crash the server or cause a BufBuilder to hit the 64 MB memory limit. The investigator should look into the interplay between doing an $arrayElemAt where the input array is computed from a $setUnion and the index is a NumberDecimal or simply -1. I observed the server crash when using the NumberDecimal and the -1 caused the BufBuilder to run out of memory. |
| Comments |
| Comment by Githook User [ 28/Dec/21 ] |
|
Author: {'name': 'Drew Paroski', 'email': 'drew.paroski@mongodb.com', 'username': 'paroski'}Message: (cherry picked from commit 168086cae37581eeaa7513bfa3976cf554ffc79a) |
| Comment by Githook User [ 28/Dec/21 ] |
|
Author: {'name': 'Drew Paroski', 'email': 'drew.paroski@mongodb.com', 'username': 'paroski'}Message: (cherry picked from commit 168086cae37581eeaa7513bfa3976cf554ffc79a) |
| Comment by Githook User [ 27/Dec/21 ] |
|
Author: {'name': 'Drew Paroski', 'email': 'drew.paroski@mongodb.com', 'username': 'paroski'}Message: |