Re: BUG #18598: AddressSanitizer detects use after free inside json_unique_hash_match()

From: Junwang Zhao <zhjwpku(at)gmail(dot)com>
To: Tomas Vondra <tomas(at)vondra(dot)me>
Cc: exclusion(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org, PG Bug reporting form <noreply(at)postgresql(dot)org>
Subject: Re: BUG #18598: AddressSanitizer detects use after free inside json_unique_hash_match()
Date: 2024-09-04 12:24:12
Message-ID: CAEG8a3KFG6570C3gr2O1GmKBdsEfeGzudq-hcDu3KKzag-tF4Q@mail.gmail.com
Lists: pgsql-bugs pgsql-hackers

On Wed, Sep 4, 2024 at 7:54 PM Tomas Vondra <tomas(at)vondra(dot)me> wrote:
>
> On 9/4/24 11:55, Junwang Zhao wrote:
> > ...
> >
> > ISTM that the JsonUniqueHashEntry.key points to an address that later gets
> > invalidated by enlargeStringInfo; we can resolve this by explicitly
> > pstrdup-ing the key in the same MemoryContext as JsonAggState, like:
>
> Yes, this fixes the issue (at least per valgrind).
>
> > @@ -1009,6 +1009,7 @@ json_object_agg_transfn_worker(FunctionCallInfo fcinfo,
> > Datum arg;
> > bool skip;
> > int key_offset;
> > + const char *key;
> >
> > if (!AggCheckCallContext(fcinfo, &aggcontext))
> > {
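Review bot: the function-scope `const char *key;` added here duplicates the block-local `key` the function already declares at its point of use (the line the second hunk removes); keeping the declaration where the key is computed limits its scope, and if the copy is made with `MemoryContextStrdup(aggcontext, &out->data[key_offset])` at that site, no new declaration is needed at all.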
> > @@ -1111,7 +1112,9 @@ json_object_agg_transfn_worker(FunctionCallInfo fcinfo,
> >
> > if (unique_keys)
> > {
> > - const char *key = &out->data[key_offset];
> > + oldcontext = MemoryContextSwitchTo(aggcontext);
> > + key = pstrdup(&out->data[key_offset]);
> > + MemoryContextSwitchTo(oldcontext);
> >
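Review bot: the switch/pstrdup/switch-back triple is exactly what `MemoryContextStrdup(aggcontext, &out->data[key_offset])` does in one call, so the three added lines can collapse to one. The hunk should also record why the copy is needed: `&out->data[key_offset]` points into the StringInfo buffer, which enlargeStringInfo can reallocate as later pairs are appended, so the uniqueness-check entry must own its key bytes; a one-line comment at the copy would stop a future reader from reverting it as a needless allocation.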
>
> I think you don't need the new key declaration (there's already a local
> one), and you can simply do just
>
> const char *key = MemoryContextStrdup(aggcontext,
> &out->data[key_offset]);
>

Sure, I will file a patch later.

> I wonder if the other json_unique_check_key() call might have a similar
> issue. I've not succeeded in constructing a broken query, but perhaps
> you could give it a try too?

Sure, I will give it a try, thanks for the comment.
>
>
> Thanks!
>
> --
> Tomas Vondra

--
Regards
Junwang Zhao
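The mechanism discussed above (a key pointer into a StringInfo buffer that enlargeStringInfo can relocate) and the copy-the-key fix, as an added example that is not part of this thread or of PostgreSQL's code: a miniature growable buffer stands in for StringInfo, `register_key` models storing the key in the uniqueness hash, and the `copy` flag selects the pointer-into-buffer behaviour versus a duplicated key. Names and the buffer type are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for PostgreSQL's StringInfo (constructed for this example). Growth
 * mallocs the new block before freeing the old one, so data always relocates. */
typedef struct { char *data; size_t len, maxlen; } Buf;
static void buf_append(Buf *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + n + 1 > b->maxlen) {
        while (b->maxlen < b->len + n + 1) b->maxlen *= 2;
        char *fresh = malloc(b->maxlen);
        memcpy(fresh, b->data, b->len + 1);
        free(b->data);          /* every pointer into the old block is now dangling */
        b->data = fresh;
    }
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
}
/* Key fields of JsonUniqueHashEntry: pointer plus length, not NUL-terminated. */
typedef struct { const char *key; int key_len; } KeyEntry;

/* copy=0 keeps a pointer into the output buffer (the bug); copy=1 duplicates the
 * key into storage of its own, as the pstrdup/MemoryContextStrdup fix does. */
static KeyEntry register_key(Buf *out, size_t key_offset, int copy)
{
    KeyEntry e = { &out->data[key_offset], (int) (out->len - key_offset) };
    if (copy) {
        char *dup = malloc(e.key_len);
        memcpy(dup, e.key, e.key_len);
        e.key = dup;
    }
    return e;
}

/* 1 if the remembered key still names live bytes equal to "k1" after the buffer
 * grew, 0 if it now points into freed memory (only compared, never dereferenced). */
int key_survives_growth(int copy)
{
    Buf out = { calloc(16, 1), 0, 16 };
    buf_append(&out, "{\"");
    size_t off = out.len;
    buf_append(&out, "k1");
    KeyEntry e = register_key(&out, off, copy);
    for (int i = 0; i < 8; i++)              /* further pairs force relocation */
        buf_append(&out, "\": 1, \"key\": 2");
    int live = copy ? (memcmp(e.key, "k1", e.key_len) == 0) : (e.key == &out.data[off]);
    if (copy) free((void *) e.key);
    free(out.data);
    return live;
}
```

Under AddressSanitizer the uncopied variant would be reported the moment the stale key was read during a later uniqueness check; here the comparison only shows that the remembered pointer no longer lies inside the live buffer.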
