[SERVER-83100] [CQF] Use-after-free in aggregation with parameterization enabled Created: 10/Nov/23  Updated: 27/Nov/23  Resolved: 14/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0

Type: Bug Priority: Major - P3
Reporter: Ben Shteinfeld Assignee: Ben Shteinfeld
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-81919 Parameterize supported agg pipelines Closed
is depended on by SERVER-82978 [CQF] jstests/cqf/analyze/ce_sample_r... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: QO 2023-11-13, QO 2023-11-27
Participants:

 Description   

An ASAN run of jstests/cqf/analyze/ce_sample_rate.js reveals a use-after-free with parameterization enabled.

Binding of an SBE plan uses an unowned view into the MatchExpression to populate the value of query parameters for operands of comparison expressions. In the case of creating a PlanExecutor via Bonsai, the pipeline owning the MatchExpression goes out of scope right after constructing the executor, leaving a dangling reference.

The binding should either copy the data to populate the slot or the SBE PlanExecutor constructed by Bonsai needs to extend the lifetime of the MatchExpression which the slot references.
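The ownership relationship described above, as an added example that is not part of the ticket or of MongoDB's code: the struct names (ComparisonMatchExpression, Pipeline, PlanExecutor) are hypothetical stand-ins that model only the lifetimes involved, and the "slot" is reduced to a std::string_view. buildExecutorBuggy() reproduces the Bonsai-aggregate shape where the Pipeline is a local that dies on return, and buildExecutorFixed() shows the second remedy named in the ticket, extending the MatchExpression's lifetime by moving the Pipeline into the executor.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <string_view>
#include <utility>

// Hypothetical stand-ins for the MongoDB types named in the ticket; they model
// only the ownership relationships that matter for the use-after-free.

// A comparison predicate such as {a: {$eq: <constant>}}; it owns its operand.
struct ComparisonMatchExpression {
    std::string path;
    std::string constant;  // potentially large, which is why the slot does not copy it
};

// The Pipeline owns the MatchExpression, as the real agg pipeline owns its $match.
struct Pipeline {
    explicit Pipeline(ComparisonMatchExpression expr) : matchExpr(std::move(expr)) { ++liveCount; }
    ~Pipeline() { --liveCount; }
    Pipeline(const Pipeline&) = delete;
    Pipeline& operator=(const Pipeline&) = delete;

    ComparisonMatchExpression matchExpr;
    static inline int liveCount = 0;  // instrumentation so lifetimes can be observed
};

// The executor's "global slot" is an unowned view of the constant, bound at build time.
struct PlanExecutor {
    std::string_view slot;                    // dangles if the MatchExpression dies first
    std::unique_ptr<Pipeline> ownedPipeline;  // empty in the buggy variant

    std::string execute() const { return std::string(slot); }  // reads through the view
};

// Binding a constant to a slot: stores an unowned view, no copy (as the ticket describes).
static void bindConstantToSlot(PlanExecutor& exec, const ComparisonMatchExpression& expr) {
    exec.slot = std::string_view(expr.constant);
}

// Buggy shape: the Pipeline is a local of the builder, so the MatchExpression and
// its constant are destroyed on return while the executor still holds the view.
PlanExecutor buildExecutorBuggy(std::string constant) {
    Pipeline pipeline(ComparisonMatchExpression{"a", std::move(constant)});
    PlanExecutor exec;
    bindConstantToSlot(exec, pipeline.matchExpr);
    return exec;  // pipeline destroyed here: exec.slot now points at freed memory
}

// Fixed shape: the Pipeline is plumbed through to the executor, so the
// MatchExpression lives exactly as long as the slot that views it.
PlanExecutor buildExecutorFixed(std::string constant) {
    auto pipeline = std::make_unique<Pipeline>(ComparisonMatchExpression{"a", std::move(constant)});
    PlanExecutor exec;
    bindConstantToSlot(exec, pipeline->matchExpr);
    exec.ownedPipeline = std::move(pipeline);  // heap object is stable across the move
    return exec;
}

int main() {
    const std::string big(64, 'x');  // constructed input, long enough to defeat SSO

    PlanExecutor good = buildExecutorFixed(big);
    assert(good.execute() == big);       // view is valid: the Pipeline is still owned
    assert(Pipeline::liveCount == 1);

    PlanExecutor bad = buildExecutorBuggy(big);
    assert(Pipeline::liveCount == 1);    // the buggy builder's Pipeline is already gone
    // bad.execute() would read freed memory; build with -fsanitize=address to see
    // the heap-use-after-free report instead of silently corrupt query results.
    return 0;
}
```

The test observes the lifetime difference through Pipeline::liveCount rather than by dereferencing the dangling view, since reading freed memory is undefined behaviour and only a sanitizer run (as in the ticket) reports it reliably.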



 Comments   
Comment by Githook User [ 14/Nov/23 ]

Author:

{'name': 'Ben Shteinfeld', 'email': 'ben.shteinfeld@mongodb.com', 'username': 'bshteinfeld'}

Message: SERVER-83100: Extend Pipeline lifetime by plumbing it through to SBE PlanExecutor.

This fixes a use-after-free in CQF with parameterization enabled. In the SBE stage builders codepaths for find() and agg() (and Bonsai find() codepath), the SBE PlanExecutor ends up owning the CanonicalQuery containing the MatchExpression used to generate the plan. The binding of constants to global slots for ComparisonMatchExpressions uses an unowned view of the constants. This was safe because the PlanExecutor held the MatchExpression. This is preferable to copying the constants to the slots since they can potentially be large.

When the SBE PlanExecutor is generated by Bonsai via aggregate, the MatchExpression is destroyed after the PlanExecutor is constructed but before we execute it. This leaves a dangling reference to freed memory in the PlanExecutor. We fix this by transferring ownership of the Pipeline to the PlanExecutor, so that the lifetime of the MatchExpression which contains the constants is extended to that of the PlanExecutor.
Branch: master
https://github.com/mongodb/mongo/commit/29a04e25233624d39b17f174c580cb0c588282f4

Generated at Thu Feb 08 06:51:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.