[SERVER-70379] Coverity analysis defect 128813: Wrapper object use after free Created: 08/Oct/22  Updated: 08/Apr/23  Resolved: 02/Nov/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Coverity Collector User Assignee: Christopher Caplinger
Resolution: Won't Fix Votes: 0
Labels: coverity
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-75831 Coverity analysis defect 137537: Wrap... Closed
Operating System: ALL
Sprint: Server Serverless 2022-10-17, Server Serverless 2022-10-31, Server Serverless 2022-11-14
Participants:

Description

Wrapper object use after free

An internal pointer extracted from a wrapper object remains reachable after the wrapper is destroyed; a use-after-free would occur if that pointer is then dereferenced.
/src/mongo/db/repl/tenant_file_importer_service.cpp:241: WRAPPER_ESCAPE 128813 Calling "get" which extracts wrapped state from local "opCtx".
/src/mongo/db/repl/tenant_file_importer_service.cpp:241: WRAPPER_ESCAPE 128813 The internal representation of local "opCtx" escapes into "this->_opCtx", but is destroyed when it exits scope.



Comments
Comment by Christopher Caplinger [ 02/Nov/22 ]

False positive. As written, this can't actually cause a use after free.

Comment by Suganthi Mani [ 10/Oct/22 ]

Yes, we conditionally reset. And I still think it's a false positive. We reset the _opCtx only if the _opCtx's getOpID() matches localOpCtx's getOpID().

Comment by Eric Milkie [ 10/Oct/22 ]

I think the problem is that the ON_BLOCK_EXIT you linked does not definitively reset the _opCtx pointer. It conditionally does it.

Comment by Suganthi Mani [ 10/Oct/22 ]

This seems to be a false positive as we have this ON_BLOCK_EXIT() logic which resets the _opCtx before the local opCtx goes out of scope.
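The pattern Coverity flags here, and the guard the comments rely on, reduced to a self-contained illustration. This is an added example, not code from the MongoDB repository: OperationContext, ImporterService, ScopeGuard (standing in for ON_BLOCK_EXIT), runOperation, publish and currentOpId are stand-in names, and the op-ID comparison mirrors the conditional reset described in the comments. A raw pointer from a local unique_ptr escapes into a member (the WRAPPER_ESCAPE report), and a scope guard declared after the unique_ptr clears that member before the owner is destroyed, but only when the member still refers to this operation.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>

// Stand-in for MongoDB's OperationContext: each instance carries an op ID.
class OperationContext {
public:
    explicit OperationContext(unsigned opId) : _opId(opId) {}
    unsigned getOpID() const { return _opId; }
private:
    unsigned _opId;
};

// Minimal scope guard playing the role of ON_BLOCK_EXIT: runs the callback
// when the enclosing scope is left, in reverse declaration order with
// the other locals.
class ScopeGuard {
public:
    explicit ScopeGuard(std::function<void()> f) : _f(std::move(f)) {}
    ~ScopeGuard() { _f(); }
    ScopeGuard(const ScopeGuard&) = delete;
    ScopeGuard& operator=(const ScopeGuard&) = delete;
private:
    std::function<void()> _f;
};

// Stand-in service that publishes the running operation's raw pointer in a
// member so that other code paths can reach it. This escape of unique_ptr::get()
// into a member is exactly what Coverity reports as WRAPPER_ESCAPE.
class ImporterService {
public:
    // Runs `body` under a freshly created operation context and returns its ID.
    unsigned runOperation(unsigned opId,
                          const std::function<void(ImporterService&)>& body) {
        auto localOpCtx = std::make_unique<OperationContext>(opId);
        {
            std::lock_guard<std::mutex> lk(_mutex);
            _opCtx = localOpCtx.get();  // raw pointer escapes into the member
        }
        // Declared AFTER localOpCtx, so it is destroyed BEFORE localOpCtx:
        // the member is cleared while the pointee is still alive.
        ScopeGuard guard([&] {
            std::lock_guard<std::mutex> lk(_mutex);
            // Conditional reset, as in the ticket: clear the member only if it
            // still refers to this operation. Another operation may have
            // published its own context in the meantime; clearing that would
            // be wrong. This relies on any replacement pointer being kept
            // alive by whoever published it.
            if (_opCtx && _opCtx->getOpID() == localOpCtx->getOpID()) {
                _opCtx = nullptr;
            }
        });
        body(*this);
        return localOpCtx->getOpID();
    }  // guard fires here, then localOpCtx frees the context: no dangling _opCtx

    // ID of the currently published operation, 0 if none.
    unsigned currentOpId() {
        std::lock_guard<std::mutex> lk(_mutex);
        return _opCtx ? _opCtx->getOpID() : 0;
    }

    // Lets another operation take over the slot mid-run (simulated takeover).
    void publish(OperationContext* other) {
        std::lock_guard<std::mutex> lk(_mutex);
        _opCtx = other;
    }

private:
    std::mutex _mutex;
    OperationContext* _opCtx = nullptr;
};

// Case 1: one operation runs to completion; the member must be cleared afterwards.
unsigned demoNormal() {
    ImporterService svc;
    svc.runOperation(1, [](ImporterService&) {});
    return svc.currentOpId();  // 0: pointer was reset before the context died
}

// Case 2: while op 1 runs, op 2 publishes itself. The guard compares IDs
// (2 != 1) and leaves op 2's pointer in place instead of clobbering it.
unsigned demoReplaced() {
    ImporterService svc;
    OperationContext other(2);  // outlives the run, so the pointer stays valid
    svc.runOperation(1, [&](ImporterService& s) { s.publish(&other); });
    return svc.currentOpId();  // 2
}

int main() {
    std::printf("after normal run: %u\n", demoNormal());
    std::printf("after takeover:   %u\n", demoReplaced());
    return 0;
}
```

The two things a reviewer checks when accepting this kind of finding as a false positive are visible in the code: the guard is declared after the unique_ptr, so it runs before the context is freed, and the conditional reset never leaves a pointer to the local context behind, because the only way the member can still point at it is if the IDs match. What the static analyzer cannot see is the lifetime contract for a replacement pointer published by someone else; that part is a convention, not something the guard enforces.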

Generated at Thu Feb 08 06:16:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.