[SERVER-78168] Investigate possible use-after-free errors using WorkingSetMember Created: 16/Jun/23  Updated: 29/Oct/23  Resolved: 22/Jun/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 6.3.0, 7.0.0-rc0
Fix Version/s: 7.1.0-rc0, 7.0.0-rc6

Type: Bug Priority: Major - P3
Reporter: Yujin Kang Park Assignee: Yujin Kang Park
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: is related to SERVER-73018 Refactor write stages to share "_preW... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.3
Sprint: Execution EMEA Team 2023-06-26
Participants:
Linked BF Score: 117

Description

We have discovered an instance where we might be using a WorkingSetMember's underlying document after it has been freed. We should investigate if there are other locations where this might happen.

The sequence of events is:

  • WorkingSetCommon::fetch returns a RecordData with an unowned buffer pointing to a WT_CURSOR's returned WT_ITEM data.
  • We reset the WorkingSetMember document to the above, using RecordData::releaseToBson(), which also returns a BSONObj with an unowned pointer. (See assignment)
  • ensureStillMatches will make an owned copy of the document only if the document still matches.
  • In BatchedDeleteStage::_commitBatch, there's a usage of the underlying member document without checking if (docStillMatches = ensureStillMatches(...)) is true, meaning we might not have ensured the member has an owned copy.
  • This combines with the fact that the (cached) cursor is freed immediately due to the config fuzzer setting wiredTigerCursorCacheSize: 0
  • Freeing the cursor or performing other operations on it invalidates the memory owned by the WT_CURSOR
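The following is an added, self-contained C++ model of the ownership sequence described above; it is not code from the MongoDB repository and none of the types in it (FakeCursor, Doc, WorkingSetMember, commitBatch) are the server's own. It reproduces the ordering in the ticket, a fetch that yields an unowned view, ensureStillMatches() making an owned copy only on a match, the cursor being freed before the document is used, and then compares the unguarded use against a guarded one that only touches the document when ensureStillMatches() returned true. A real dangling read of a freed WT_ITEM buffer is silent, so the model's read() refuses instead of dereferencing, which makes the defect countable. The sample records and the predicate are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a WT_CURSOR (not MongoDB's type). The bytes of the current record live in a
// buffer the cursor owns; releasing the cursor (what a zero-size cursor cache does the moment
// the cursor is returned) or repositioning it invalidates that buffer.
struct FakeCursor {
    std::string buf;
    bool live = false;
    void position(const std::string& record) { buf = record; live = true; }
    void release() { buf.clear(); buf.shrink_to_fit(); live = false; }
};

// Stand-in for RecordData / BSONObj: either an unowned view into the cursor's buffer (what
// releaseToBson() hands back in the ticket) or an owned copy (what getOwned() produces).
class Doc {
  public:
    static Doc unownedViewOf(const FakeCursor& c) {
        Doc d;
        d.cursor_ = &c;
        d.ptr_ = c.buf.data();   // raw pointer into memory the cursor owns
        d.len_ = c.buf.size();
        return d;
    }
    bool isOwned() const { return owned_ != nullptr; }
    // Copy the bytes while they are still live so the Doc no longer depends on the cursor.
    Doc getOwned() const {
        if (isOwned()) return *this;
        Doc d;
        d.owned_ = std::make_shared<std::string>(ptr_, len_);
        d.ptr_ = d.owned_->data();
        d.len_ = d.owned_->size();
        return d;
    }
    // Production code dereferences ptr_ unconditionally, which silently reads freed memory once
    // the cursor is gone. This model checks the cursor first and reports the unsafe read.
    bool read(std::string& out) const {
        if (!isOwned() && !cursor_->live) return false;   // would be a use-after-free
        out.assign(ptr_, len_);
        return true;
    }
  private:
    const FakeCursor* cursor_ = nullptr;
    const char* ptr_ = nullptr;
    std::size_t len_ = 0;
    std::shared_ptr<std::string> owned_;
};

struct WorkingSetMember { Doc doc; };

typedef bool (*Predicate)(const std::string&);

// Mirrors the contract described for ensureStillMatches(): re-evaluate the predicate and make
// the member's document owned only if it still matches. A false return means the document is
// still an unowned view and must not be used once the cursor is released.
bool ensureStillMatches(WorkingSetMember& member, Predicate pred) {
    std::string bytes;
    if (!member.doc.read(bytes)) return false;
    if (!pred(bytes)) return false;
    member.doc = member.doc.getOwned();
    return true;
}

struct BatchResult {
    std::size_t deleted = 0;       // documents that still matched and were processed
    std::size_t skipped = 0;       // documents that no longer matched
    std::size_t unsafeReads = 0;   // reads of an unowned document after the cursor was released
};

// One pass over a batch with the cursor freed before each member's document is used, as with
// wiredTigerCursorCacheSize: 0. checkMatchBeforeUse == false reproduces the ordering from the
// ticket; true only touches the document when ensureStillMatches() returned true.
BatchResult commitBatch(const std::vector<std::string>& records, Predicate pred,
                        bool checkMatchBeforeUse) {
    BatchResult r;
    FakeCursor cursor;
    for (std::size_t i = 0; i < records.size(); ++i) {
        cursor.position(records[i]);                           // fetch: RecordData over a WT_ITEM
        WorkingSetMember member{Doc::unownedViewOf(cursor)};   // releaseToBson(): still unowned
        bool docStillMatches = ensureStillMatches(member, pred);
        cursor.release();                                      // zero-size cache: cursor freed here
        if (checkMatchBeforeUse && !docStillMatches) { ++r.skipped; continue; }
        std::string bytes;
        if (!member.doc.read(bytes)) { ++r.unsafeReads; continue; }   // only reachable when unowned
        if (docStillMatches) ++r.deleted; else ++r.skipped;
    }
    return r;
}

// Constructed sample: records 1 and 3 still match at commit time, 2 and 4 no longer do.
static const std::vector<std::string> kSampleRecords = {"r1:match", "r2:stale", "r3:match", "r4:stale"};
static bool stillMatches(const std::string& bytes) { return bytes.find("match") != std::string::npos; }

BatchResult runUnguarded() { return commitBatch(kSampleRecords, stillMatches, false); }
BatchResult runGuarded()   { return commitBatch(kSampleRecords, stillMatches, true); }

int main() {
    BatchResult bad = runUnguarded(), good = runGuarded();
    std::printf("unguarded: deleted=%zu skipped=%zu unsafeReads=%zu\n", bad.deleted, bad.skipped, bad.unsafeReads);
    std::printf("guarded:   deleted=%zu skipped=%zu unsafeReads=%zu\n", good.deleted, good.skipped, good.unsafeReads);
    return 0;
}
```

The two records that no longer match are exactly the ones ensureStillMatches() left unowned, so in the unguarded pass every one of them becomes a read of the freed cursor buffer; the guarded pass never reaches read() for them. The same invariant is worth checking in any other stage that keeps a member document across a cursor reset: either getOwned() has run, or the document is not touched.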


Comments
Comment by Githook User [ 23/Jun/23 ]

Author:

{'name': 'Yu Jin Kang Park', 'email': 'yujin.kang@mongodb.com', 'username': 'ykangpark'}

Message: SERVER-78168 Fix use-after-free in BatchedDeleteStage
Branch: v7.0
https://github.com/mongodb/mongo/commit/c87deb2828eea1dddf5eca02cb28d4497991b885

Comment by Githook User [ 22/Jun/23 ]

Author:

{'name': 'Yu Jin Kang Park', 'email': 'yujin.kang@mongodb.com', 'username': 'ykangpark'}

Message: SERVER-78168 Fix use-after-free in BatchedDeleteStage
Branch: master
https://github.com/mongodb/mongo/commit/b4c3a4abafb648bb6f4647fd3110b844c6a9e1e9

Generated at Thu Feb 08 06:37:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.