From: | Xuneng Zhou <xunengzhou(at)gmail(dot)com> |
---|---|
To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Cc: | Tender Wang <tndrwang(at)gmail(dot)com> |
Subject: | Re: Unsafe access BufferDescriptors array in BufferGetLSNAtomic() |
Date: | 2025-01-08 05:34:48 |
Message-ID: | 173631448828.4095.11314230672739095465.pgcf@coridan.postgresql.org |
Lists: | pgsql-hackers |
Hi Tender,
I’ve looked through the patch, and I believe there is a potential issue. The default size for BufferDescriptors appears to be 16,384. Passing and casting a negative buffer ID to a large unsigned integer in GetBufferDescriptor, and then using it as an array subscript, could potentially lead to an overflow.
```c
/* Excerpt quoted from PostgreSQL's BufferManagerShmemInit() */
void
BufferManagerShmemInit(void)
{
	bool		foundBufs,
				foundDescs,
				foundIOCV,
				foundBufCkpt;

	/* Align descriptors to a cacheline boundary. */
	BufferDescriptors = (BufferDescPadded *)
		ShmemInitStruct("Buffer Descriptors",
						NBuffers * sizeof(BufferDescPadded),
						&foundDescs);
```

```c
/* Default value of NBuffers in PostgreSQL */
int			NBuffers = 16384;
```
The changes proposed in the patch seem reasonable to me, but it might be helpful to include an explanation of the error case and how it’s handled.
Best regards,
[Xuneng]
The new status of this patch is: Waiting on Author
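The hazard described in the mail, modelled in a small stand-alone C program. This is an added example, not PostgreSQL's code or the patch under review: the `Buffer` convention (positive ids are shared buffers, negative ids are local buffers, 0 is invalid), the descriptor struct, the `NBUFFERS` value of 16384 from the mail, and the function names `descriptor_index`, `subscript_in_bounds`, `checked_get_descriptor` and `get_buffer_lsn_checked` are all constructed for illustration. It shows how a negative id becomes a huge unsigned subscript, and the check-before-index ordering that keeps the descriptor array access in bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the buffer-manager types (not PostgreSQL's own). */
typedef int Buffer;               /* > 0: shared buffer, < 0: local buffer, 0: invalid */
typedef struct
{
	uint64_t	lsn;              /* stand-in for the page LSN held for this buffer */
	int			id;
} BufferDesc;

#define NBUFFERS 16384            /* default NBuffers quoted in the mail */
#define INVALID_LSN UINT64_MAX    /* sentinel returned for rejected lookups */

static BufferDesc BufferDescriptors[NBUFFERS];

/* The conversion at the heart of the report: an unsigned subscript wraps a negative id. */
static uint32_t
descriptor_index(int id)
{
	return (uint32_t) id;         /* -1 becomes 4294967295, far beyond NBUFFERS */
}

/* True only when the converted subscript actually lies inside the array. */
static bool
subscript_in_bounds(int id)
{
	return descriptor_index(id) < NBUFFERS;
}

static bool
buffer_is_local(Buffer buffer)
{
	return buffer < 0;            /* local buffers have no entry in the shared array */
}

/* Safe accessor: validate the 1-based shared buffer number before subtracting 1 and indexing. */
static BufferDesc *
checked_get_descriptor(Buffer buffer)
{
	if (buffer <= 0 || buffer > NBUFFERS)
		return NULL;
	return &BufferDescriptors[buffer - 1];
}

/* Fill the constructed array with recognisable values; returns the number of entries. */
static int
init_descriptors(void)
{
	for (int i = 0; i < NBUFFERS; i++)
	{
		BufferDescriptors[i].id = i;
		BufferDescriptors[i].lsn = 1000 + (uint64_t) i;
	}
	return NBUFFERS;
}

/*
 * Safe ordering: decide whether the buffer is local (negative) and in range
 * BEFORE touching the descriptor array, so no out-of-bounds address is formed.
 */
static uint64_t
get_buffer_lsn_checked(Buffer buffer)
{
	BufferDesc *desc;

	if (buffer_is_local(buffer))
		return INVALID_LSN;       /* a local buffer would need its own lookup path */
	desc = checked_get_descriptor(buffer);
	if (desc == NULL)
		return INVALID_LSN;
	return desc->lsn;
}

int
main(void)
{
	int			probes[] = {-1, 0, 1, NBUFFERS, NBUFFERS + 1};

	init_descriptors();
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
	{
		int			id = probes[i];

		printf("id %6d -> unsigned subscript %10u, in bounds: %s, lsn lookup: %s\n",
			   id, descriptor_index(id),
			   subscript_in_bounds(id) ? "yes" : "no",
			   get_buffer_lsn_checked(id) == INVALID_LSN ? "rejected" : "ok");
	}
	return 0;
}
```

The point of `get_buffer_lsn_checked` is the order of operations: the local-buffer test and the range test run first, and only then is an element address computed, so a negative id never reaches the subscript.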