Core Server / SERVER-23925

Potential use-after-free when WSM is refetched after snapshot id changes in UpdateStage and DeleteStage

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 3.3.6
    • Affects Version/s: 3.3.4
    • Component/s: Querying, Write Ops
    • None
    • Fully Compatible
    • ALL
    • Query 14 (05/13/16)
    • 0

      MongoRocks tests have been failing for a while with weird errors. I just ran an ASAN test and I think I discovered the root cause. I don't think it's specific to RocksDB storage engine, so I'm surprised that it's not failing in the WiredTiger case.

      Here's the stack trace of the use-after-free: https://gist.github.com/igorcanadi/76235761eb90f1e1a23b2f35b1627b90

      Bear with me:

      1. Let's start in update.cpp (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/update.cpp#L867-L868). A call to ensureStillMatches() causes member to point to an invalid buffer.
      2. ...because ensureStillMatches() calls into WorkingSetCommon::fetch() with a unique_ptr<Cursor> that gets destroyed at the end of the function (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/write_stage_common.cpp#L53)
      3. WorkingSetCommon::fetch() sets member->obj to point to the cursor's buffer with function releaseToBson(), which doesn't copy data out of an unowned buffer (https://github.com/mongodb/mongo/blob/r3.3.5/src/mongo/db/exec/working_set_common.cpp#L107)

      I believe that the offending commit may be https://github.com/mongodb/mongo/commit/178e241b81882f85a58deda960d80607a77e1c3a (based on 'git blame', I haven't actually bisected it)

      Does this make sense?
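The lifetime problem described in the report, reduced to a stand-alone model. This is an added illustration, not code from the report or from MongoDB: DocView stands in for BSONObj, Cursor::releaseToDoc() for the non-copying releaseToBson(), DocView::getOwned() for BSONObj::getOwned(), and the two fetch functions for the buggy and corrected shapes of WorkingSetCommon::fetch(). The weak_ptr inside DocView is an assumption of the model that exists only so the dangling state can be detected without touching freed memory; the real BSONObj has no such guard, which is why the real bug shows up as a use-after-free under ASAN.

```cpp
// Added illustration (not MongoDB code): a view into a cursor-owned buffer
// dangles once the std::unique_ptr<Cursor> that owns the buffer is destroyed;
// copying the bytes out (getOwned) before the cursor dies avoids it.
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>

// Document view in the spirit of BSONObj: either it shares ownership of its
// backing buffer (owned) or it merely points into someone else's (unowned).
// The weak_ptr is a model-only safety net used to *detect* dangling; it is not
// something the real BSONObj carries.
struct DocView {
    const char* data = nullptr;
    std::size_t size = 0;
    std::shared_ptr<const std::string> holder;  // set only when owned
    std::weak_ptr<const std::string> source;    // tracks the unowned buffer

    bool isOwned() const { return holder != nullptr; }
    bool isDangling() const { return !isOwned() && source.expired(); }
    std::string toString() const { return std::string(data, size); }

    // Equivalent of BSONObj::getOwned(): copy an unowned view into a buffer
    // the view itself keeps alive.
    DocView getOwned() const {
        if (isOwned()) return *this;
        auto copy = std::make_shared<const std::string>(data, size);
        return DocView{copy->data(), copy->size(), copy, {}};
    }
};

// Stand-in for a storage-engine cursor: the record bytes live in a buffer the
// cursor owns and are freed when the cursor is destroyed.
class Cursor {
public:
    explicit Cursor(std::string record)
        : buf_(std::make_shared<const std::string>(std::move(record))) {}

    // Like releaseToBson() in the report: hands out a view that does NOT copy
    // the bytes, so it is only valid while this cursor is alive.
    DocView releaseToDoc() const {
        return DocView{buf_->data(), buf_->size(), nullptr, buf_};
    }

private:
    std::shared_ptr<const std::string> buf_;
};

struct WorkingSetMember {
    DocView obj;
};

// Buggy shape: the cursor is created inside the function, member->obj is
// pointed at the cursor's buffer, and the cursor is destroyed at the closing
// brace, leaving member->obj dangling.
void fetchBuggy(WorkingSetMember* member, const std::string& record) {
    std::unique_ptr<Cursor> cursor(new Cursor(record));
    member->obj = cursor->releaseToDoc();
}  // cursor (and its buffer) destroyed here

// Fixed shape: take an owned copy before the cursor goes away.
void fetchFixed(WorkingSetMember* member, const std::string& record) {
    std::unique_ptr<Cursor> cursor(new Cursor(record));
    member->obj = cursor->releaseToDoc().getOwned();
}

// Returns true when the unowned view outlives its buffer (the bug).
bool buggyFetchDangles() {
    WorkingSetMember m;
    fetchBuggy(&m, "{_id: 1}");
    return m.obj.isDangling();
}

// Returns true when the owned copy is still readable after the cursor is gone.
bool fixedFetchIsValid() {
    WorkingSetMember m;
    fetchFixed(&m, "{_id: 1}");
    return m.obj.isOwned() && !m.obj.isDangling() && m.obj.toString() == "{_id: 1}";
}

int main() {
    assert(buggyFetchDangles());
    assert(fixedFetchIsValid());
    return 0;
}
```

The check a reviewer would apply to any fetch-style helper is the one the model makes explicit: if the object handed back is unowned, the thing that owns its bytes must outlive every use of that object, and a unique_ptr local to the helper never does.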

            Assignee: Max Hirschhorn (max.hirschhorn@mongodb.com)
            Reporter: Igor Canadi
            Votes: 0
            Watchers: 11