<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:40:54 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-35769] Pointer to freed OperationContext is passed to Pipeline::dispose()</title>
                <link>https://jira.mongodb.org/browse/SERVER-35769</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;ClusterClientCursors have a ClusterClientCursorParams:&lt;/p&gt;

&lt;p&gt;Which has a PipelineDeleter:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/s/query/cluster_client_cursor_params.h#L126-L127&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/s/query/cluster_client_cursor_params.h#L126-L127&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Which has an OperationContext&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/db/pipeline/pipeline.h#L428&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/db/pipeline/pipeline.h#L428&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;The _opCtx is not updated when the ClusterClientCursor is detached or reattached to an operation context.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/s/query/cluster_client_cursor_impl.cpp#L124-L132&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/blob/f9f33683b6ec5995091ee214c81d75c0ab163fe4/src/mongo/s/query/cluster_client_cursor_impl.cpp#L124-L132&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This could definitely be a use-after-free bug.&lt;/p&gt;</description>
                <environment></environment>
        <key id="563250">SERVER-35769</key>
            <summary>Pointer to freed OperationContext is passed to Pipeline::dispose()</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13203">Gone away</resolution>
                                        <assignee username="anton.korshunov@mongodb.com">Anton Korshunov</assignee>
                                    <reporter username="ian.boros@mongodb.com">Ian Boros</reporter>
                        <labels>
                    </labels>
                <created>Sat, 23 Jun 2018 01:46:26 +0000</created>
                <updated>Fri, 27 Oct 2023 20:43:22 +0000</updated>
                            <resolved>Fri, 15 Feb 2019 10:24:15 +0000</resolved>
                                                                    <component>Querying</component>
                                        <votes>0</votes>
                                    <watches>6</watches>
                                                                                                                <comments>
                            <comment id="2152770" author="anton.korshunov" created="Fri, 15 Feb 2019 10:23:35 +0000"  >&lt;p&gt;Given that:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;The original problem has gone away after the merge pipeline was removed from ClusterClientCursorParams in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-33323&quot; title=&quot;Refactor $mergeCursors stage to allow it to be used to merge cursors on mongos&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-33323&quot;&gt;&lt;del&gt;SERVER-33323&lt;/del&gt;&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Access to the dangling pointer is protected by the dismissed flag, when the dismiss disposal mechanism is correctly used.&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;The consensus was that the problem does not require a fix.&lt;/p&gt;</comment>
                            <comment id="2148716" author="anton.korshunov" created="Thu, 14 Feb 2019 11:10:45 +0000"  >&lt;p&gt;Since&#160; &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-37453&quot; title=&quot;Delete PlanStage::dispose()&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-37453&quot;&gt;&lt;del&gt;SERVER-37453&lt;/del&gt;&lt;/a&gt;&#160;was closed as &quot;Won&apos;t fix&quot;, we need to fix this issue with a dangling pointer, which is really a minor one.&lt;/p&gt;

&lt;p&gt;We would never use this dangling pointer as it can only become a dangling one when we do a dismiss disposal on the deleter. However, in this case the dismissed flag would be set to true and we would never enter the block where the opCtx is passed to Pipeline::dispose(). The only potential issue is that we would have an invariant on a dangling pointer, but it would have no impact on the dispose logic (the invariant is before the &lt;em&gt;if (_dismissed)&lt;/em&gt; block).&lt;/p&gt;

&lt;p&gt;If the deleter is not dismissed, then the operation context cannot be changed in this codepath and we should be ok in this case.&lt;/p&gt;

&lt;p&gt;That said, it does make sense to set the opCtx back to null whenever we dismiss disposal, to correctly maintain the invariant of the deleter.&lt;/p&gt;

&lt;p&gt;Also be advised that the deleter has gone from&#160;ClusterClientCursorParams, as the mergePipeline field has been removed from the struct.&lt;/p&gt;</comment>
                            <comment id="2140556" author="david.storch" created="Thu, 7 Feb 2019 00:21:08 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=anton.korshunov&quot; class=&quot;user-hover&quot; rel=&quot;anton.korshunov&quot;&gt;anton.korshunov&lt;/a&gt;, I believe that this issue will go away after your work for&#160;&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-37453&quot; title=&quot;Delete PlanStage::dispose()&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-37453&quot;&gt;&lt;del&gt;SERVER-37453&lt;/del&gt;&lt;/a&gt;. If so, then please close this ticket as &quot;Gone Away&quot; once the changes for&#160;&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-37453&quot; title=&quot;Delete PlanStage::dispose()&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-37453&quot;&gt;&lt;del&gt;SERVER-37453&lt;/del&gt;&lt;/a&gt; land in master.&lt;/p&gt;</comment>
                            <comment id="1931011" author="ian.boros" created="Mon, 25 Jun 2018 19:35:49 +0000"  >&lt;p&gt;After looking into this some more, it seems like dispose() when called on mongos does not seem to actually &lt;em&gt;use&lt;/em&gt; the OperationContext. We&apos;re passing around a pointer to garbage, but don&apos;t seem to be accessing it. This is way less urgent than I thought!&lt;/p&gt;</comment>
                            <comment id="1930627" author="ian.boros" created="Mon, 25 Jun 2018 15:52:02 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=david.storch&quot; class=&quot;user-hover&quot; rel=&quot;david.storch&quot;&gt;david.storch&lt;/a&gt; Looks like it affects 3.6 and 4.0, as they both store a pipeline in the ClusterClientCursorParams.&lt;/p&gt;</comment>
                            <comment id="1930269" author="david.storch" created="Mon, 25 Jun 2018 12:57:59 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=ian.boros&quot; class=&quot;user-hover&quot; rel=&quot;ian.boros&quot;&gt;ian.boros&lt;/a&gt; what versions does this affect? Was this introduced during 4.0 development?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="613549">SERVER-37453</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 25 Jun 2018 12:57:59 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        4 years, 51 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-1081</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            4 years, 51 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>anton.korshunov@mongodb.com</customfieldvalue>
            <customfieldvalue>david.storch@mongodb.com</customfieldvalue>
            <customfieldvalue>ian.boros@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="2788">Query 2019-02-25</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>