Re: BUG #16082: TOAST's pglz_decompress access to uninitialized data, if the database is corrupted.

On Wed, Oct 30, 2019 at 05:30:14PM -0300, Alvaro Herrera wrote:
>On 2019-Oct-26, Tomas Vondra wrote:
>
>> On Sat, Oct 26, 2019 at 07:46:25AM +0000, PG Bug reporting form wrote:
>
>> > There is two case that they are valid for invalid data. In the case 1, it
>> > reads an uninitialized data in the dest. In the case 2, it reads
>> > uninitialized or out-of-bound data in the dest. They are invalid.
>
>> Well, failure like this after reading corrupted data from disk is not
>> really surprising and it's hardly a bug. It's kinda intended to work
>> that way, really.
>
>There's some weight to the argument that the server should just crash
>but instead report an ERRCODE_DATA_CORRUPTED message, such as what
>happens with (say) invalid page headers. It would probably require a
>lot more branches in the detoasting code that might decrease
>performance, though. A patch would help to see how bad that would be,
>though offhand I would expect it to be very bad.
>

That's true. I have to admit it wan't really clear to me the current
behavior is a crash.

If there's a reasonably simple and low-overhead way to detect these
issues and report a data corruption, then sure - let's do that. OTOH
this is interenal data, and I'm sure there are countless places where a
bit of data corruption can cause issues. Checksums seem like a fairly
reasonable solution, IMHO.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services