Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitf0c7b78

Browse files
committed
Fix two errors with nested CASE/WHEN constructs.
ExecEvalCase() tried to save a cycle or two by passing&econtext->caseValue_isNull as the isNull argument to its sub-evaluation ofthe CASE value expression. If that subexpression itself contained a CASE,then *isNull was an alias for econtext->caseValue_isNull within therecursive call of ExecEvalCase(), leading to confusion about whether theinner call's caseValue was null or not. In the worst case this could leadto a core dump due to dereferencing a null pointer. Fix by not assigningto the global variable until control comes back from the subexpression.Also, avoid using the passed-in isNull pointer transiently for evaluationof WHEN expressions. (Either one of these changes would have beensufficient to fix the known misbehavior, but it's clear now that each ofthese choices was in itself dangerous coding practice and best avoided.There do not seem to be any similar hazards elsewhere in execQual.c.)Also, it was possible for inlining of a SQL function that implements theequality operator used for a CASE comparison to result in one CASEexpression's CaseTestExpr node being inserted inside another CASEexpression. This would certainly result in wrong answers since theimproperly nested CaseTestExpr would be caused to return the inner CASE'scomparison value not the outer's. If the CASE values were of differentdata types, a crash might result; moreover such situations could be abusedto allow disclosure of portions of server memory. To fix, teachinline_function to check for "bare" CaseTestExpr nodes in the arguments ofa function to be inlined, and avoid inlining if there are any.Heikki Linnakangas, Michael Paquier, Tom LaneReport:https://github.com/greenplum-db/gpdb/pull/327Report: <4DDCEEB8.50602@enterprisedb.com>Security:CVE-2016-5423
1 parentfcd15f1 commitf0c7b78

File tree

4 files changed

+185
-5
lines changed

4 files changed

+185
-5
lines changed

‎src/backend/executor/execQual.c

Lines changed: 17 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2970,19 +2970,30 @@ ExecEvalCase(CaseExprState *caseExpr, ExprContext *econtext,
29702970

29712971
/*
29722972
* If there's a test expression, we have to evaluate it and save the value
2973-
* where the CaseTestExpr placeholders can find it. We must save and
2973+
* where the CaseTestExpr placeholders can find it.We must save and
29742974
* restore prior setting of econtext's caseValue fields, in case this node
2975-
* is itself within a larger CASE.
2975+
* is itself within a larger CASE. Furthermore, don't assign to the
2976+
* econtext fields until after returning from evaluation of the test
2977+
* expression. We used to pass &econtext->caseValue_isNull to the
2978+
* recursive call, but that leads to aliasing that variable within said
2979+
* call, which can (and did) produce bugs when the test expression itself
2980+
* contains a CASE.
2981+
*
2982+
* If there's no test expression, we don't actually need to save and
2983+
* restore these fields; but it's less code to just do so unconditionally.
29762984
*/
29772985
save_datum=econtext->caseValue_datum;
29782986
save_isNull=econtext->caseValue_isNull;
29792987

29802988
if (caseExpr->arg)
29812989
{
2990+
boolarg_isNull;
2991+
29822992
econtext->caseValue_datum=ExecEvalExpr(caseExpr->arg,
29832993
econtext,
2984-
&econtext->caseValue_isNull,
2994+
&arg_isNull,
29852995
NULL);
2996+
econtext->caseValue_isNull=arg_isNull;
29862997
}
29872998

29882999
/*
@@ -2994,18 +3005,19 @@ ExecEvalCase(CaseExprState *caseExpr, ExprContext *econtext,
29943005
{
29953006
CaseWhenState*wclause=lfirst(clause);
29963007
Datumclause_value;
3008+
boolclause_isNull;
29973009

29983010
clause_value=ExecEvalExpr(wclause->expr,
29993011
econtext,
3000-
isNull,
3012+
&clause_isNull,
30013013
NULL);
30023014

30033015
/*
30043016
* if we have a true test, then we return the result, since the case
30053017
* statement is satisfied. A NULL result from the test is not
30063018
* considered true.
30073019
*/
3008-
if (DatumGetBool(clause_value)&& !*isNull)
3020+
if (DatumGetBool(clause_value)&& !clause_isNull)
30093021
{
30103022
econtext->caseValue_datum=save_datum;
30113023
econtext->caseValue_isNull=save_isNull;

‎src/backend/optimizer/util/clauses.c

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,8 @@ static bool contain_volatile_functions_not_nextval_walker(Node *node, void *cont
106106
staticboolhas_parallel_hazard_walker(Node*node,
107107
has_parallel_hazard_arg*context);
108108
staticboolcontain_nonstrict_functions_walker(Node*node,void*context);
109+
staticboolcontain_context_dependent_node(Node*clause);
110+
staticboolcontain_context_dependent_node_walker(Node*node,int*flags);
109111
staticboolcontain_leaked_vars_walker(Node*node,void*context);
110112
staticRelidsfind_nonnullable_rels_walker(Node*node,booltop_level);
111113
staticList*find_nonnullable_vars_walker(Node*node,booltop_level);
@@ -1334,6 +1336,76 @@ contain_nonstrict_functions_walker(Node *node, void *context)
13341336
context);
13351337
}
13361338

1339+
/*****************************************************************************
1340+
*Check clauses for context-dependent nodes
1341+
*****************************************************************************/
1342+
1343+
/*
1344+
* contain_context_dependent_node
1345+
* Recursively search for context-dependent nodes within a clause.
1346+
*
1347+
* CaseTestExpr nodes must appear directly within the corresponding CaseExpr,
1348+
* not nested within another one, or they'll see the wrong test value. If one
1349+
* appears "bare" in the arguments of a SQL function, then we can't inline the
1350+
* SQL function for fear of creating such a situation.
1351+
*
1352+
* CoerceToDomainValue would have the same issue if domain CHECK expressions
1353+
* could get inlined into larger expressions, but presently that's impossible.
1354+
* Still, it might be allowed in future, or other node types with similar
1355+
* issues might get invented. So give this function a generic name, and set
1356+
* up the recursion state to allow multiple flag bits.
1357+
*/
1358+
staticbool
1359+
contain_context_dependent_node(Node*clause)
1360+
{
1361+
intflags=0;
1362+
1363+
returncontain_context_dependent_node_walker(clause,&flags);
1364+
}
1365+
1366+
#defineCCDN_IN_CASEEXPR0x0001/* CaseTestExpr okay here? */
1367+
1368+
staticbool
1369+
contain_context_dependent_node_walker(Node*node,int*flags)
1370+
{
1371+
if (node==NULL)
1372+
return false;
1373+
if (IsA(node,CaseTestExpr))
1374+
return !(*flags&CCDN_IN_CASEEXPR);
1375+
if (IsA(node,CaseExpr))
1376+
{
1377+
CaseExpr*caseexpr= (CaseExpr*)node;
1378+
1379+
/*
1380+
* If this CASE doesn't have a test expression, then it doesn't create
1381+
* a context in which CaseTestExprs should appear, so just fall
1382+
* through and treat it as a generic expression node.
1383+
*/
1384+
if (caseexpr->arg)
1385+
{
1386+
intsave_flags=*flags;
1387+
boolres;
1388+
1389+
/*
1390+
* Note: in principle, we could distinguish the various sub-parts
1391+
* of a CASE construct and set the flag bit only for some of them,
1392+
* since we are only expecting CaseTestExprs to appear in the
1393+
* "expr" subtree of the CaseWhen nodes. But it doesn't really
1394+
* seem worth any extra code. If there are any bare CaseTestExprs
1395+
* elsewhere in the CASE, something's wrong already.
1396+
*/
1397+
*flags |=CCDN_IN_CASEEXPR;
1398+
res=expression_tree_walker(node,
1399+
contain_context_dependent_node_walker,
1400+
(void*)flags);
1401+
*flags=save_flags;
1402+
returnres;
1403+
}
1404+
}
1405+
returnexpression_tree_walker(node,contain_context_dependent_node_walker,
1406+
(void*)flags);
1407+
}
1408+
13371409
/*****************************************************************************
13381410
* Check clauses for Vars passed to non-leakproof functions
13391411
*****************************************************************************/
@@ -4178,6 +4250,8 @@ evaluate_function(Oid funcid, Oid result_type, int32 result_typmod,
41784250
* doesn't work in the general case because it discards information such
41794251
* as OUT-parameter declarations.
41804252
*
4253+
* Also, context-dependent expression nodes in the argument list are trouble.
4254+
*
41814255
* Returns a simplified expression if successful, or NULL if cannot
41824256
* simplify the function.
41834257
*/
@@ -4372,6 +4446,13 @@ inline_function(Oid funcid, Oid result_type, Oid result_collid,
43724446
contain_nonstrict_functions(newexpr))
43734447
gotofail;
43744448

4449+
/*
4450+
* If any parameter expression contains a context-dependent node, we can't
4451+
* inline, for fear of putting such a node into the wrong context.
4452+
*/
4453+
if (contain_context_dependent_node((Node*)args))
4454+
gotofail;
4455+
43754456
/*
43764457
* We may be able to do it; there are still checks on parameter usage to
43774458
* make, but those are most easily done in combination with the actual

‎src/test/regress/expected/case.out

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -296,8 +296,52 @@ SELECT * FROM CASE_TBL;
296296
-8 | 10.1
297297
(4 rows)
298298

299+
--
300+
-- Nested CASE expressions
301+
--
302+
-- This test exercises a bug caused by aliasing econtext->caseValue_isNull
303+
-- with the isNull argument of the inner CASE's ExecEvalCase() call. After
304+
-- evaluating the vol(null) expression in the inner CASE's second WHEN-clause,
305+
-- the isNull flag for the case test value incorrectly became true, causing
306+
-- the third WHEN-clause not to match. The volatile function calls are needed
307+
-- to prevent constant-folding in the planner, which would hide the bug.
308+
CREATE FUNCTION vol(text) returns text as
309+
'begin return $1; end' language plpgsql volatile;
310+
SELECT CASE
311+
(CASE vol('bar')
312+
WHEN 'foo' THEN 'it was foo!'
313+
WHEN vol(null) THEN 'null input'
314+
WHEN 'bar' THEN 'it was bar!' END
315+
)
316+
WHEN 'it was foo!' THEN 'foo recognized'
317+
WHEN 'it was bar!' THEN 'bar recognized'
318+
ELSE 'unrecognized' END;
319+
case
320+
----------------
321+
bar recognized
322+
(1 row)
323+
324+
-- In this case, we can't inline the SQL function without confusing things.
325+
CREATE DOMAIN foodomain AS text;
326+
CREATE FUNCTION volfoo(text) returns foodomain as
327+
'begin return $1::foodomain; end' language plpgsql volatile;
328+
CREATE FUNCTION inline_eq(foodomain, foodomain) returns boolean as
329+
'SELECT CASE $2::text WHEN $1::text THEN true ELSE false END' language sql;
330+
CREATE OPERATOR = (procedure = inline_eq,
331+
leftarg = foodomain, rightarg = foodomain);
332+
SELECT CASE volfoo('bar') WHEN 'foo'::foodomain THEN 'is foo' ELSE 'is not foo' END;
333+
case
334+
------------
335+
is not foo
336+
(1 row)
337+
299338
--
300339
-- Clean up
301340
--
302341
DROP TABLE CASE_TBL;
303342
DROP TABLE CASE2_TBL;
343+
DROP OPERATOR = (foodomain, foodomain);
344+
DROP FUNCTION inline_eq(foodomain, foodomain);
345+
DROP FUNCTION volfoo(text);
346+
DROP DOMAIN foodomain;
347+
DROP FUNCTION vol(text);

‎src/test/regress/sql/case.sql

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -156,9 +156,52 @@ UPDATE CASE_TBL
156156

157157
SELECT*FROM CASE_TBL;
158158

159+
--
160+
-- Nested CASE expressions
161+
--
162+
163+
-- This test exercises a bug caused by aliasing econtext->caseValue_isNull
164+
-- with the isNull argument of the inner CASE's ExecEvalCase() call. After
165+
-- evaluating the vol(null) expression in the inner CASE's second WHEN-clause,
166+
-- the isNull flag for the case test value incorrectly became true, causing
167+
-- the third WHEN-clause not to match. The volatile function calls are needed
168+
-- to prevent constant-folding in the planner, which would hide the bug.
169+
170+
CREATEFUNCTIONvol(text) returnstextas
171+
'begin return $1; end' language plpgsql volatile;
172+
173+
SELECT CASE
174+
(CASE vol('bar')
175+
WHEN'foo' THEN'it was foo!'
176+
WHEN vol(null) THEN'null input'
177+
WHEN'bar' THEN'it was bar!' END
178+
)
179+
WHEN'it was foo!' THEN'foo recognized'
180+
WHEN'it was bar!' THEN'bar recognized'
181+
ELSE'unrecognized' END;
182+
183+
-- In this case, we can't inline the SQL function without confusing things.
184+
CREATEDOMAINfoodomainAStext;
185+
186+
CREATEFUNCTIONvolfoo(text) returns foodomainas
187+
'begin return $1::foodomain; end' language plpgsql volatile;
188+
189+
CREATEFUNCTIONinline_eq(foodomain, foodomain) returnsbooleanas
190+
'SELECT CASE $2::text WHEN $1::text THEN true ELSE false END' language sql;
191+
192+
CREATE OPERATOR= (procedure= inline_eq,
193+
leftarg= foodomain, rightarg= foodomain);
194+
195+
SELECT CASE volfoo('bar') WHEN'foo'::foodomain THEN'is foo' ELSE'is not foo' END;
196+
159197
--
160198
-- Clean up
161199
--
162200

163201
DROPTABLE CASE_TBL;
164202
DROPTABLE CASE2_TBL;
203+
DROPOPERATOR= (foodomain, foodomain);
204+
DROPFUNCTION inline_eq(foodomain, foodomain);
205+
DROPFUNCTION volfoo(text);
206+
DROPDOMAIN foodomain;
207+
DROPFUNCTION vol(text);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp