Re: [Bug] Heap Use After Free in parallel_vacuum_reset_dead_items Function

On Tue, Nov 26, 2024 at 1:58 AM Vallimaharajan G <
vallimaharajan(dot)gs(at)zohocorp(dot)com> wrote:
>
> Hi Developers,
> We have discovered a bug in the parallel_vacuum_reset_dead_items
function in PG v17.2. Specifically:
>
> TidStoreDestroy(dead_items) frees the dead_items pointer.
> The pointer is reinitialized using TidStoreCreateShared().
> However, the code later accesses the freed pointer instead of the newly
reinitialized pvs->dead_items, as seen in these lines:
>
> pvs->shared->dead_items_dsa_handle =
dsa_get_handle(TidStoreGetDSA(dead_items));
> pvs->shared->dead_items_handle = TidStoreGetHandle(dead_items);

Thanks for the report! I don't see any immediate evidence of deleterious
effects, but it's still sloppy. To reduce risk going forward, I think we
should always access this pointer via the struct rather than a separate
copy, quick attempt attached.

(BTW, it's normally discouraged to cross-post to different lists. Either
one is fine in this case.)

--
John Naylor
Amazon Web Services