Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-78168

Investigate possible use-after-free errors using WorkingSetMember

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.1.0-rc0, 7.0.0-rc6
    • Affects Version/s: 6.3.0, 7.0.0-rc0
    • Component/s: None
    • None
    • Fully Compatible
    • ALL
    • v7.0, v6.3
    • Execution EMEA Team 2023-06-26
    • 117

      We have discovered an instance where we might be using a WorkingSetMember's underlaying document after it has been freed. We should investigate if there are other locations where this might happen.

      The sequence of events is:

      • WorkingSetCommon::fetch returns a RecordData with unowned buffer pointing to a WT_CURSOR's returned WT_ITEM data.
      • We reset the WorkingSetMember document to the above, using RecordData::releaseToBson(), which also returns a BSONObj with unowned pointer. (See assignment)
      • ensureStillMatches will make an owned copy of the document only if the document still matches.
      • In BatchedDeleteStage::_commitBatch, there's a usage of the underlaying member document without checking if (docStillMatches = ensureStillMatches(...)) is true. Meaning we might not have ensured the member has an owned copy.
      • This combines with the fact that the (cached) cursor is freed immediately due to the config fuzzer settingĀ 
        wiredTigerCursorCacheSize: 0
      • Freeing the cursor or performing other operations on it invalidates the memory owned by the WT_CURSOR

            Assignee:
            yujin.kang@mongodb.com Yujin Kang Park
            Reporter:
            yujin.kang@mongodb.com Yujin Kang Park
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: