Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit3492a0a

Browse files
committed
Fix RelationBuildPartitionKey's processing of partition key expressions.
Failure to advance the list pointer while reading partition expressionsfrom a list results in invoking an input function with inappropriate data,possibly leading to crashes or, with carefully crafted input, disclosureof arbitrary backend memory.Bug discovered independently by Álvaro Herrera and David Rowley.This patch is by Álvaro but owes something to David's proposed fix.Back-patch to v10 where the issue was introduced.Security:CVE-2018-1052
1 parent05d0f13 commit3492a0a

File tree

3 files changed

+34
-9
lines changed

3 files changed

+34
-9
lines changed

‎src/backend/utils/cache/relcache.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -983,9 +983,14 @@ RelationBuildPartitionKey(Relation relation)
983983
}
984984
else
985985
{
986+
if (partexprs_item==NULL)
987+
elog(ERROR,"wrong number of partition key expressions");
988+
986989
key->parttypid[i]=exprType(lfirst(partexprs_item));
987990
key->parttypmod[i]=exprTypmod(lfirst(partexprs_item));
988991
key->parttypcoll[i]=exprCollation(lfirst(partexprs_item));
992+
993+
partexprs_item=lnext(partexprs_item);
989994
}
990995
get_typlenbyvalalign(key->parttypid[i],
991996
&key->parttyplen[i],

‎src/test/regress/expected/create_table.out

Lines changed: 22 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -419,8 +419,9 @@ DETAIL: table partitioned depends on function plusone(integer)
419419
HINT: Use DROP ... CASCADE to drop the dependent objects too.
420420
-- partitioned table cannot participate in regular inheritance
421421
CREATE TABLE partitioned2 (
422-
a int
423-
) PARTITION BY LIST ((a+1));
422+
a int,
423+
b text
424+
) PARTITION BY RANGE ((a+1), substr(b, 1, 5));
424425
CREATE TABLE fail () INHERITS (partitioned2);
425426
ERROR: cannot inherit from partitioned table "partitioned2"
426427
-- Partition key in describe output
@@ -436,13 +437,27 @@ Partition key: RANGE (a oid_ops, plusone(b), c, d COLLATE "C")
436437
Number of partitions: 0
437438

438439
\d+ partitioned2
439-
Table "public.partitioned2"
440-
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description
441-
--------+---------+-----------+----------+---------+---------+--------------+-------------
442-
a | integer | | | | plain | |
443-
Partition key: LIST (((a + 1)))
440+
Table "public.partitioned2"
441+
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description
442+
--------+---------+-----------+----------+---------+----------+--------------+-------------
443+
a | integer | | | | plain | |
444+
b | text | | | | extended | |
445+
Partition key: RANGE (((a + 1)), substr(b, 1, 5))
444446
Number of partitions: 0
445447

448+
INSERT INTO partitioned2 VALUES (1, 'hello');
449+
ERROR: no partition of relation "partitioned2" found for row
450+
DETAIL: Partition key of the failing row contains ((a + 1), substr(b, 1, 5)) = (2, hello).
451+
CREATE TABLE part2_1 PARTITION OF partitioned2 FOR VALUES FROM (-1, 'aaaaa') TO (100, 'ccccc');
452+
\d+ part2_1
453+
Table "public.part2_1"
454+
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description
455+
--------+---------+-----------+----------+---------+----------+--------------+-------------
456+
a | integer | | | | plain | |
457+
b | text | | | | extended | |
458+
Partition of: partitioned2 FOR VALUES FROM ('-1', 'aaaaa') TO (100, 'ccccc')
459+
Partition constraint: (((a + 1) IS NOT NULL) AND (substr(b, 1, 5) IS NOT NULL) AND (((a + 1) > '-1'::integer) OR (((a + 1) = '-1'::integer) AND (substr(b, 1, 5) >= 'aaaaa'::text))) AND (((a + 1) < 100) OR (((a + 1) = 100) AND (substr(b, 1, 5) < 'ccccc'::text))))
460+
446461
DROP TABLE partitioned, partitioned2;
447462
--
448463
-- Partitions

‎src/test/regress/sql/create_table.sql

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -419,14 +419,19 @@ DROP FUNCTION plusone(int);
419419

420420
-- partitioned table cannot participate in regular inheritance
421421
CREATETABLEpartitioned2 (
422-
aint
423-
) PARTITION BY LIST ((a+1));
422+
aint,
423+
btext
424+
) PARTITION BY RANGE ((a+1), substr(b,1,5));
424425
CREATETABLEfail () INHERITS (partitioned2);
425426

426427
-- Partition key in describe output
427428
\d partitioned
428429
\d+ partitioned2
429430

431+
INSERT INTO partitioned2VALUES (1,'hello');
432+
CREATETABLEpart2_1 PARTITION OF partitioned2 FORVALUESFROM (-1,'aaaaa') TO (100,'ccccc');
433+
\d+ part2_1
434+
430435
DROPTABLE partitioned, partitioned2;
431436

432437
--

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp