| From: | Aleksander Alekseev <aleksander(at)timescale(dot)com> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Cc: | Sven Klemm <sven(at)timescale(dot)com> |
| Subject: | [PATCH] Fix memory corruption in pg_shdepend.c |
| Date: | 2021-10-20 10:01:31 |
| Message-ID: | CAJ7c6TP0AowkUgNL6zcAK-s5HYsVHVBRWfu69FRubPpfwZGM9A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi hackers,
One of our test runs under the memory sanitizer cathed [1] the
following stacktrace:
```
heaptuple.c:1044:13: runtime error: load of value 111, which is not a
valid value for type '_Bool'
#0 0x55fbb5e0857b in heap_form_tuple
/home/runner/pgbuild/src/backend/access/common/heaptuple.c:1044
#1 0x55fbb679f62d in tts_heap_materialize
/home/runner/pgbuild/src/backend/executor/execTuples.c:381
#2 0x55fbb67addcf in ExecFetchSlotHeapTuple
/home/runner/pgbuild/src/backend/executor/execTuples.c:1654
#3 0x55fbb5f8127d in heap_multi_insert
/home/runner/pgbuild/src/backend/access/heap/heapam.c:2330
#4 0x55fbb6261b50 in CatalogTuplesMultiInsertWithInfo
/home/runner/pgbuild/src/backend/catalog/indexing.c:268
#5 0x55fbb62ce5aa in copyTemplateDependencies
/home/runner/pgbuild/src/backend/catalog/pg_shdepend.c:933
#6 0x55fbb650eb98 in createdb
/home/runner/pgbuild/src/backend/commands/dbcommands.c:590
#7 0x55fbb7062b30 in standard_ProcessUtility
/home/runner/pgbuild/src/backend/tcop/utility.c:773
#8 0x7fa942a63c13 in loader_process_utility_hook
/home/runner/work/timescaledb/timescaledb/src/loader/loader.c:522
#9 0x55fbb7063807 in ProcessUtility
/home/runner/pgbuild/src/backend/tcop/utility.c:523
#10 0x55fbb705bac3 in PortalRunUtility
/home/runner/pgbuild/src/backend/tcop/pquery.c:1147
#11 0x55fbb705c6fe in PortalRunMulti
/home/runner/pgbuild/src/backend/tcop/pquery.c:1304
#12 0x55fbb705d485 in PortalRun
/home/runner/pgbuild/src/backend/tcop/pquery.c:786
#13 0x55fbb704f613 in exec_simple_query
/home/runner/pgbuild/src/backend/tcop/postgres.c:1214
#14 0x55fbb7054b30 in PostgresMain
/home/runner/pgbuild/src/backend/tcop/postgres.c:4486
#15 0x55fbb6d78551 in BackendRun
/home/runner/pgbuild/src/backend/postmaster/postmaster.c:4506
#16 0x55fbb6d8334c in BackendStartup
/home/runner/pgbuild/src/backend/postmaster/postmaster.c:4228
#17 0x55fbb6d840cd in ServerLoop
/home/runner/pgbuild/src/backend/postmaster/postmaster.c:1745
#18 0x55fbb6d86611 in PostmasterMain
/home/runner/pgbuild/src/backend/postmaster/postmaster.c:1417
#19 0x55fbb6970b9b in main /home/runner/pgbuild/src/backend/main/main.c:209
```
It seems to be a bug in the PostgreSQL core. The memory corruption
happens @ pg_shdepend.c:914:
```
slot[slot_stored_count]->tts_values[Anum_pg_shdepend_refobjid
] = shdep->refobjid;
slot[slot_stored_count]->tts_values[Anum_pg_shdepend_deptype]
= shdep->deptype; <--- HERE
ExecStoreVirtualTuple(slot[slot_stored_count]);
```
The shdep->deptype value gets written to slot[0]->tts_isnull:
```
(lldb) p shdep->deptype
(char) $0 = 'o'
(lldb) p ((uint8_t*)slot[0]->tts_isnull)[0]
(uint8_t) $2 = 'o'
(lldb) p/d 'o'
(char) $4 = 111
```
I checked the rest of the PostgreSQL code and apparently, it should
have been tts_values[Anum_pg_shdepend_FOO - 1].
The patch is attached. The problem was first reported offlist by Sven
Klemm. Investigated and fixed by me.
[1]: https://github.com/timescale/timescaledb/actions/runs/1343346998
--
Best regards,
Aleksander Alekseev
| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-memory-corruption-fix.patch | application/octet-stream | 1.6 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Masahiro Ikeda | 2021-10-20 10:16:20 | Re: LogicalChanges* and LogicalSubxact* wait events are never reported |
| Previous Message | Ronan Dunklau | 2021-10-20 09:40:18 | Re: pg_receivewal starting position |