| From: | Nikita Glukhov <n(dot)gluhov(at)postgrespro(dot)ru> |
|---|---|
| To: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Fix freeing of dangling IndexScanDesc.xs_hitup in GiST |
| Date: | 2017-05-04 18:46:09 |
| Message-ID: | cf5ed49c-c4d2-f086-0b44-db49ed6e70c0@postgrespro.ru |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello, hackers!
The last query in the following script crashes Postgres:
create table t (id serial, amount int);
insert into t (amount) select random() * 1000 from generate_series(1, 100);
create extension btree_gist;
create index t_gist_idx on t using gist(id, amount);
select p.id, p.amount, s.nearest
from t as p left join lateral
(
select p.id, array_agg(l.id) as nearest from (
select id from t order by amount <-> p.amount limit 10
) l
) s using(id);
In gistrescan() IndexScanDesc.xs_hitup is not reset after MemoryContextReset() of
so->queueCxt in which xs_hitup was allocated, then getNextNearest() tries to pfree()
dangling xs_hitup, which results in the reuse of this pointer and the subsequent crash.
Attached patches fix this bug introduced in commit
d04c8ed9044eccebce043143a930617e3998c005 "Add support for index-only scans in GiST".
The bug is present in v9.5, v9.6, v10.0.
--
Nikita Glukhov
Postgres Professional:http://www.postgrespro.com
The Russian Postgres Company
| Attachment | Content-Type | Size |
|---|---|---|
| fix-freeing-of-dangling-IndexScanDesc.xs_hitup-in-GiST-9.6-v01.patch | text/x-diff | 568 bytes |
| fix-freeing-of-dangling-IndexScanDesc.xs_hitup-in-GiST-10.0-v01.patch | text/x-diff | 570 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2017-05-04 18:48:33 | Re: WITH clause in CREATE STATISTICS |
| Previous Message | Joshua D. Drake | 2017-05-04 18:44:30 | Potential issue with alter system |