<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:17:15 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-8369] kill cursor of an internal only ClientCursor used for yielding could cause memory corruption</title>
                <link>https://jira.mongodb.org/browse/SERVER-8369</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;The cursor ids of the internal ClientCursors used when mongo operations yield the mutex should not be exposed externally.  However, if these cursor id values are predictable and a kill cursors is issued against one while it is in use by a mongo operation it will delete the client cursor while in use, potentially leading to memory corruption.&lt;/p&gt;

&lt;p&gt;For example, in distinct.cpp a Cursor is created on line 82.  A ClientCursor based on this Cursor is created on line 113.  This ClientCursor does not exist to facilitate cursor based interaction with a client, but to leverage ClientCursor&apos;s ability to protect a Cursor when the db mutex is yielded.  Using a ClientCursor in this manner is a common pattern in mongod code.&lt;/p&gt;

&lt;p&gt;The ClientCursor will be recorded in the ClientCursor::clientCursorsById registry of client cursors.  If a client issues a killCursors command with the id of this ClientCursor, it will be destroyed and deallocated while still in use by the distinct.cpp implementation.  This can result in distinct.cpp attempting to access invalid memory.&lt;/p&gt;

&lt;p&gt;The id of a ClientCursor created in distinct.cpp should not be explicitly provided to a client (although it can be printed in the server log).  However, if the code for generating a ClientCursor id is predictable a malicious client could guess a ClientCursor&apos;s id and kill it while in use by distinct.cpp.&lt;/p&gt;

&lt;p&gt;The one place where client cursor ids are provided to a client is for use with get more.  In this case, get more &quot;pins&quot; its ClientCursor to prevent deletion while in use.  I believe we could relatively easily ensure that ClientCursors used internally (as in distinct.cpp) are also pinned, per comment in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-4563&quot; title=&quot;simplify ClientCursor lifecycle&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-4563&quot;&gt;&lt;del&gt;SERVER-4563&lt;/del&gt;&lt;/a&gt;.  Longer term it might make sense to stop using the existing ClientCursor class for use cases unrelated to interaction with a client.&lt;/p&gt;

&lt;p&gt;ClientCursors are used throughout the code to protect a Cursor when the db mutex is yielded.  And the same problem could occur in all of these places.  I just picked distinct.cpp for the example because it is relatively straightforward to see how the Cursor and ClientCursor are used there.&lt;/p&gt;</description>
                <environment></environment>
        <key id="63600">SERVER-8369</key>
            <summary>kill cursor of an internal only ClientCursor used for yielding could cause memory corruption</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="david.storch@mongodb.com">David Storch</assignee>
                                    <reporter username="aaron">Aaron Staple</reporter>
                        <labels>
                    </labels>
                <created>Tue, 29 Jan 2013 04:11:56 +0000</created>
                <updated>Tue, 24 Jan 2017 04:06:50 +0000</updated>
                            <resolved>Tue, 24 Jan 2017 04:05:33 +0000</resolved>
                                                                    <component>Security</component>
                    <component>Stability</component>
                                        <votes>0</votes>
                                    <watches>8</watches>
                <comments>
                            <comment id="1483497" author="david.storch" created="Tue, 24 Jan 2017 04:05:33 +0000"  >&lt;p&gt;This was fixed under &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-27065&quot; title=&quot;Segfault in building an aggregation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-27065&quot;&gt;&lt;del&gt;SERVER-27065&lt;/del&gt;&lt;/a&gt; by commit &lt;a href=&quot;https://github.com/mongodb/mongo/commit/1e8f34fc476705888f7dec8d06c780de4e556988&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/1e8f34fc476705888f7dec8d06c780de4e556988&lt;/a&gt;. As part of this commit, cursors come into existence pinned. There is no longer a time window in between &lt;tt&gt;ClientCursor&lt;/tt&gt; creation and pinning during which the &lt;tt&gt;ClientCursor&lt;/tt&gt; could be killed out from under the pinning thread. Resolving as a duplicate.&lt;/p&gt;</comment>
                            <comment id="515245" author="dwight_10gen" created="Thu, 13 Mar 2014 15:41:17 +0000"  >&lt;p&gt;does the existence of Runner mean this is resolved?&lt;/p&gt;</comment>
                    </comments>
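<![CDATA[
Added example, not mongod source and not code from the reporter or commenters: a toy C++ cursor registry that reproduces the pattern the issue description lays out (an internal ClientCursor registered by id, a guessed killCursors freeing it while an operation still holds it) and the "cursors come into existence pinned" fix the closing comment describes. The class and function names (CursorManager, registerCursor, bornPinned, killPending), the sequential id scheme and the fixed RNG seed are assumptions made for the illustration; they are not how mongod assigns or protects cursor ids.

```cpp
// Added example (not mongod code): a toy cursor registry that reproduces the
// SERVER-8369 pattern and the "born pinned" fix. All names are invented here.
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <random>

using CursorId = std::int64_t;

struct ClientCursor {
    CursorId id = 0;
    bool pinned = false;        // an operation is currently using this cursor
    bool killPending = false;   // killCursors arrived while the cursor was pinned
};

class CursorManager {
public:
    // predictableIds=true mimics a sequential id scheme an attacker can guess.
    explicit CursorManager(bool predictableIds) : predictable_(predictableIds) {}

    // Old pattern: bornPinned=false leaves a window in which the cursor is in
    // the registry (so killable by id) but not yet protected by a pin.
    CursorId registerCursor(bool bornPinned) {
        std::lock_guard<std::mutex> lk(mu_);
        auto cc = std::make_unique<ClientCursor>();
        cc->id = nextIdLocked();
        cc->pinned = bornPinned;
        CursorId id = cc->id;
        byId_[id] = std::move(cc);
        return id;
    }
    // killCursors: true if deallocated now. A pinned cursor is only flagged
    // and is freed later by unpin(), never while an operation holds it.
    bool kill(CursorId id) {
        std::lock_guard<std::mutex> lk(mu_);
        auto it = byId_.find(id);
        if (it == byId_.end()) return false;
        if (it->second->pinned) { it->second->killPending = true; return false; }
        byId_.erase(it);   // frees the object even if someone still holds a pointer
        return true;
    }
    // Pin for an internal operation; nullptr means it was already killed.
    ClientCursor* pin(CursorId id) {
        std::lock_guard<std::mutex> lk(mu_);
        auto it = byId_.find(id);
        if (it == byId_.end()) return nullptr;
        it->second->pinned = true;
        return it->second.get();
    }
    // Release the cursor and apply any kill deferred while it was pinned.
    void unpin(CursorId id) {
        std::lock_guard<std::mutex> lk(mu_);
        auto it = byId_.find(id);
        if (it == byId_.end()) return;
        it->second->pinned = false;
        if (it->second->killPending) byId_.erase(it);
    }
    bool isAlive(CursorId id) {
        std::lock_guard<std::mutex> lk(mu_);
        return byId_.count(id) != 0;
    }

private:
    CursorId nextIdLocked() {
        if (predictable_) return counter_++;
        CursorId id;
        do { id = static_cast<CursorId>(rng_() >> 1); } while (id == 0 || byId_.count(id));
        return id;
    }
    std::mutex mu_;
    std::map<CursorId, std::unique_ptr<ClientCursor>> byId_;
    bool predictable_;
    CursorId counter_ = 1;
    std::mt19937_64 rng_{0x5eed};  // fixed seed for reproducibility; a real server needs a CSPRNG
};

// Bug: sequential ids, cursor registered unpinned, attacker guesses the next id
// and kills it before the operation pins it. True if it was freed out from under.
bool internalCursorFreedByGuess() {
    CursorManager mgr(/*predictableIds=*/true);
    const CursorId attackerGuess = 1;
    CursorId mine = mgr.registerCursor(/*bornPinned=*/false);
    mgr.kill(attackerGuess);                  // lands inside the window
    return mine == attackerGuess && mgr.pin(mine) == nullptr;
}

// Fix: the cursor comes into existence pinned, so the kill is deferred until
// unpin() and the operation never dereferences freed memory.
bool bornPinnedSurvivesKill() {
    CursorManager mgr(/*predictableIds=*/true);
    CursorId mine = mgr.registerCursor(/*bornPinned=*/true);
    bool killedNow = mgr.kill(mine);
    bool aliveWhileInUse = mgr.isAlive(mine);
    mgr.unpin(mine);                          // deferred kill takes effect here
    return !killedNow && aliveWhileInUse && !mgr.isAlive(mine);
}

// Defence in depth: with unpredictable ids the sequential guess simply misses.
bool randomIdGuessMisses() {
    CursorManager mgr(/*predictableIds=*/false);
    CursorId mine = mgr.registerCursor(/*bornPinned=*/false);
    return mine != 1 && !mgr.kill(1) && mgr.isAlive(mine);
}
```

The first scenario is the bug as reported: the registry itself is what makes the internal cursor reachable by a remote killCursors, and a predictable id turns that into a use-after-free. The second scenario is the fix from the closing comment: a cursor that is pinned from the moment it is registered can never be erased while in use, so kill only records intent and unpin carries it out. Unpredictable ids (third scenario) reduce exposure but do not remove the window, which is why pinning at creation, not id randomness, is the actual fix.
]]>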
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="332296">SERVER-27065</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="27269">SERVER-4563</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="74554">SERVER-9609</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 26 Feb 2013 18:38:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        7 years, 3 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>david.storch@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            7 years, 3 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>aaron</customfieldvalue>
            <customfieldvalue>david.storch@mongodb.com</customfieldvalue>
            <customfieldvalue>dwight@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrn97z:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsrtw7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3827</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hs6q07:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>