Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit6675ab5

Browse files
committed
Prevent a double free by not reentering be_tls_close().
Reentering this function with the right timing caused a double free,typically crashing the backend. By synchronizing a disconnection withthe authentication timeout, an unauthenticated attacker could achievethis somewhat consistently. Call be_tls_close() solely from withinproc_exit_prepare(). Back-patch to 9.0 (all supported versions).Benkocs Norbert AttilaSecurity:CVE-2015-3165
1 parentb584e45 commit6675ab5

File tree

3 files changed

+28
-11
lines changed

3 files changed

+28
-11
lines changed

‎src/backend/libpq/be-secure.c‎

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -906,7 +906,6 @@ open_server_SSL(Port *port)
906906
(errcode(ERRCODE_PROTOCOL_VIOLATION),
907907
errmsg("could not initialize SSL connection: %s",
908908
SSLerrmessage())));
909-
close_SSL(port);
910909
return-1;
911910
}
912911
if (!my_SSL_set_fd(port->ssl,port->sock))
@@ -915,7 +914,6 @@ open_server_SSL(Port *port)
915914
(errcode(ERRCODE_PROTOCOL_VIOLATION),
916915
errmsg("could not set SSL socket: %s",
917916
SSLerrmessage())));
918-
close_SSL(port);
919917
return-1;
920918
}
921919

@@ -963,7 +961,6 @@ open_server_SSL(Port *port)
963961
err)));
964962
break;
965963
}
966-
close_SSL(port);
967964
return-1;
968965
}
969966

@@ -992,7 +989,6 @@ open_server_SSL(Port *port)
992989
{
993990
/* shouldn't happen */
994991
pfree(peer_cn);
995-
close_SSL(port);
996992
return-1;
997993
}
998994

@@ -1006,7 +1002,6 @@ open_server_SSL(Port *port)
10061002
(errcode(ERRCODE_PROTOCOL_VIOLATION),
10071003
errmsg("SSL certificate's common name contains embedded null")));
10081004
pfree(peer_cn);
1009-
close_SSL(port);
10101005
return-1;
10111006
}
10121007

‎src/backend/libpq/pqcomm.c‎

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -182,32 +182,45 @@ pq_comm_reset(void)
182182
/* --------------------------------
183183
*pq_close - shutdown libpq at backend exit
184184
*
185-
* Note: in a standalone backend MyProcPort will be null,
186-
* don't crash during exit...
185+
* This is the one pg_on_exit_callback in place during BackendInitialize().
186+
* That function's unusual signal handling constrains that this callback be
187+
* safe to run at any instant.
187188
* --------------------------------
188189
*/
189190
staticvoid
190191
pq_close(intcode,Datumarg)
191192
{
193+
/* Nothing to do in a standalone backend, where MyProcPort is NULL. */
192194
if (MyProcPort!=NULL)
193195
{
194196
#if defined(ENABLE_GSS)|| defined(ENABLE_SSPI)
195197
#ifdefENABLE_GSS
196198
OM_uint32min_s;
197199

198-
/* Shutdown GSSAPI layer */
200+
/*
201+
* Shutdown GSSAPI layer. This section does nothing when interrupting
202+
* BackendInitialize(), because pg_GSS_recvauth() makes first use of
203+
* "ctx" and "cred".
204+
*/
199205
if (MyProcPort->gss->ctx!=GSS_C_NO_CONTEXT)
200206
gss_delete_sec_context(&min_s,&MyProcPort->gss->ctx,NULL);
201207

202208
if (MyProcPort->gss->cred!=GSS_C_NO_CREDENTIAL)
203209
gss_release_cred(&min_s,&MyProcPort->gss->cred);
204210
#endif/* ENABLE_GSS */
205-
/* GSS and SSPI share the port->gss struct */
206211

212+
/*
213+
* GSS and SSPI share the port->gss struct. Since nowhere else does a
214+
* postmaster child free this, doing so is safe when interrupting
215+
* BackendInitialize().
216+
*/
207217
free(MyProcPort->gss);
208218
#endif/* ENABLE_GSS || ENABLE_SSPI */
209219

210-
/* Cleanly shut down SSL layer */
220+
/*
221+
* Cleanly shut down SSL layer. Nowhere else does a postmaster child
222+
* call this, so this is safe when interrupting BackendInitialize().
223+
*/
211224
secure_close(MyProcPort);
212225

213226
/*

‎src/backend/postmaster/postmaster.c‎

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3462,7 +3462,16 @@ BackendInitialize(Port *port)
34623462
* We arrange for a simple exit(1) if we receive SIGTERM or SIGQUIT or
34633463
* timeout while trying to collect the startup packet. Otherwise the
34643464
* postmaster cannot shutdown the database FAST or IMMED cleanly if a
3465-
* buggy client fails to send the packet promptly.
3465+
* buggy client fails to send the packet promptly. XXX it follows that
3466+
* the remainder of this function must tolerate losing control at any
3467+
* instant. Likewise, any pg_on_exit_callback registered before or during
3468+
* this function must be prepared to execute at any instant between here
3469+
* and the end of this function. Furthermore, affected callbacks execute
3470+
* partially or not at all when a second exit-inducing signal arrives
3471+
* after proc_exit_prepare() decrements on_proc_exit_index. (Thanks to
3472+
* that mechanic, callbacks need not anticipate more than one call.) This
3473+
* is fragile; it ought to instead follow the norm of handling interrupts
3474+
* at selected, safe opportunities.
34663475
*/
34673476
pqsignal(SIGTERM,startup_die);
34683477
pqsignal(SIGQUIT,startup_die);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp