Re: BUG #17477: A crash bug in transformValuesClause()

From: Masahiko Sawada <sawada(dot)mshk(at)gmail(dot)com>
To: krking(at)zju(dot)edu(dot)cn, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #17477: A crash bug in transformValuesClause()
Date: 2022-05-09 14:03:56
Message-ID: CAD21AoCF5EWSXUR6MOGUWeqqo5bGw=_4LHDbwhPjO4x+xQn9QA@mail.gmail.com
Lists: pgsql-bugs

Hi,

On Mon, May 9, 2022 at 7:37 PM PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 17477
> Logged by: Wang Ke
> Email address: krking(at)zju(dot)edu(dot)cn
> PostgreSQL version: 14.2
> Operating system: Ubuntu 20.04.4 LTS x86_64
> Description:
>
> Hello, I recently found a security bug in the latest release version of the
> PostgreSQL server (14.2) which causes a segmentation fault due to an invalid
> READ memory access. The details are as follows:
>
> Reported by:
> Wang Ke of Zhejiang University
>
> OS version and name:
> Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC
> 2022 x86_64 x86_64 x86_64 GNU/Linux
>
>
> PoC:

Thank you for reporting the issue! I've confirmed that this can happen
also on HEAD.

>
> CREATE VIEW v0 AS SELECT ;
> SELECT INTO GLOBAL TEMP TABLE v0 FROM v0 v1 ;
> SET SESSION AUTHORIZATION 'x' ;
> CREATE TEMP TABLE v1 ( v2 ) ON COMMIT DELETE ROWS AS VALUES ( 'x' ) , ( 'x' ) , ( 'x' ) ;
> SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;

"SELECT INTO GLOBAL TEMP TABLE" seems to be an extension that is not
supported in community PostgreSQL. Here is another way to reproduce it:

create table v0();
select * from v0 group by ((values (v0.*)));

Without table creation, SEGV happens also with the following query:

select (values (foo.*)) from (select from pg_class) as foo;

It seems that transformValuesClause() cannot properly handle a VALUES
clause that references a relation with an empty column list. Should we
raise an error in this case?

Regards,

--
Masahiko Sawada
EDB: https://www.enterprisedb.com/
