Commita034418

committed
Fix choice of comparison operators for cross-type hashed subplans.
Commit bf6c614 rearranged the lookup of the comparison operators needed in a hashed subplan, and in so doing, broke the cross-type case: it caused the original LHS-vs-RHS operator to be used to compare hash table entries too (which of course are all of the RHS type). This leads to C functions being passed a Datum that is not of the type they expect, with the usual hazards of crashes and unauthorized server memory disclosure.

For the set of hashable cross-type operators present in v11 core Postgres, this bug is nearly harmless on 64-bit machines, which may explain why it escaped earlier detection. But it is a live security hazard on 32-bit machines; and of course there may be extensions that add more hashable cross-type operators, which would increase the risk.

Reported by Andreas Seltenreich. Back-patch to v11 where the problem came in.

Security: CVE-2019-10209
1 parent21f94c5 commita034418

3 files changed

+44
-5
lines changed

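--- a/src/backend/executor/nodeSubplan.c
+++ b/src/backend/executor/nodeSubplan.c
@@ -855,6 +855,7 @@ ExecInitSubPlan(SubPlan *subplan, PlanState *parent)
 i;
 TupleDesctupDescLeft;
 TupleDesctupDescRight;
+Oid*cross_eq_funcoids;
 TupleTableSlot*slot;
 List*oplist,
 *lefttlist,
@@ -917,6 +918,9 @@ ExecInitSubPlan(SubPlan *subplan, PlanState *parent)
 sstate->tab_eq_funcs= (FmgrInfo*)palloc(ncols*sizeof(FmgrInfo));
 sstate->lhs_hash_funcs= (FmgrInfo*)palloc(ncols*sizeof(FmgrInfo));
 sstate->cur_eq_funcs= (FmgrInfo*)palloc(ncols*sizeof(FmgrInfo));
+/* we'll need the cross-type equality fns below, but not in sstate */
+cross_eq_funcoids= (Oid*)palloc(ncols*sizeof(Oid));
+
 i=1;
 foreach(l,oplist)
 {
@@ -946,7 +950,7 @@ ExecInitSubPlan(SubPlan *subplan, PlanState *parent)
 righttlist=lappend(righttlist,tle);
 
 /* Lookup the equality function (potentially cross-type) */
-sstate->tab_eq_funcoids[i-1]=opexpr->opfuncid;
+cross_eq_funcoids[i-1]=opexpr->opfuncid;
 fmgr_info(opexpr->opfuncid,&sstate->cur_eq_funcs[i-1]);
 fmgr_info_set_expr((Node*)opexpr,&sstate->cur_eq_funcs[i-1]);
 
@@ -955,7 +959,9 @@ ExecInitSubPlan(SubPlan *subplan, PlanState *parent)
 NULL,&rhs_eq_oper))
 elog(ERROR,"could not find compatible hash operator for operator %u",
 opexpr->opno);
-fmgr_info(get_opcode(rhs_eq_oper),&sstate->tab_eq_funcs[i-1]);
+sstate->tab_eq_funcoids[i-1]=get_opcode(rhs_eq_oper);
+fmgr_info(sstate->tab_eq_funcoids[i-1],
+&sstate->tab_eq_funcs[i-1]);
 
 /* Lookup the associated hash functions */
 if (!get_op_hash_functions(opexpr->opno,
@@ -994,14 +1000,13 @@ ExecInitSubPlan(SubPlan *subplan, PlanState *parent)
 
 /*
 * Create comparator for lookups of rows in the table (potentially
-*across-typecomparison).
+*cross-typecomparisons).
 */
 sstate->cur_eq_comp=ExecBuildGroupingEqual(tupDescLeft,tupDescRight,
 ncols,
 sstate->keyColIdx,
-sstate->tab_eq_funcoids,
+cross_eq_funcoids,
 parent);
-
 }
 
 returnsstate;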
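Review bot: The assignment `sstate->tab_eq_funcoids[i-1]=get_opcode(rhs_eq_oper);` in the fourth hunk carries no comment stating the invariant this fix restores; the only new comment, at the `cross_eq_funcoids` allocation, says just that the cross-type functions are not kept in sstate. Because `tab_eq_funcoids`, `tab_eq_funcs`, `cur_eq_funcs` and `cross_eq_funcoids` differ by a word, and mixing them hands a C function a Datum of the wrong type, I would add above that assignment: `/* tab_eq_* compare two hash table entries, both of the RHS type; never store the cross-type (LHS-vs-RHS) function here */`. Separately, `cross_eq_funcoids` is palloc'd and not freed in the visible lines; if ExecBuildGroupingEqual does not retain the pointer (not visible here), a `pfree(cross_eq_funcoids);` after that call would make its scratch lifetime explicit. ExecInitSubPlan starts and ends outside these hunks.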

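--- a/src/test/regress/expected/subselect.out
+++ b/src/test/regress/expected/subselect.out
@@ -745,6 +745,30 @@ select * from outer_7597 where (f1, f2) not in (select * from inner_7597);
 1 |
 (2 rows)
 
+--
+-- Another test case for cross-type hashed subplans: comparison of
+-- inner-side values must be done with appropriate operator
+--
+explain (verbose, costs off)
+select 'foo'::text in (select 'bar'::name union all select 'bar'::name);
+QUERY PLAN
+-------------------------------------
+Result
+Output: (hashed SubPlan 1)
+SubPlan 1
+-> Append
+-> Result
+Output: 'bar'::name
+-> Result
+Output: 'bar'::name
+(8 rows)
+
+select 'foo'::text in (select 'bar'::name union all select 'bar'::name);
+?column?
+----------
+f
+(1 row)
+
 --
 -- Test case for premature memory release during hashing of subplan output
 --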

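--- a/src/test/regress/sql/subselect.sql
+++ b/src/test/regress/sql/subselect.sql
@@ -435,6 +435,16 @@ insert into inner_7597 values(0, null);
 
 select*from outer_7597where (f1, f2) notin (select*from inner_7597);
 
+--
+-- Another test case for cross-type hashed subplans: comparison of
+-- inner-side values must be done with appropriate operator
+--
+
+explain (verbose, costs off)
+select'foo'::textin (select'bar'::nameunion allselect'bar'::name);
+
+select'foo'::textin (select'bar'::nameunion allselect'bar'::name);
+
 --
 -- Test case for premature memory release during hashing of subplan output
 --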
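Review bot: The new comment does not say why the inner side is `select 'bar'::name union all select 'bar'::name`, so a later cleanup could collapse it to a single row and silently lose the coverage. Presumably the duplicate row is what makes the hash table compare two entries of type name with each other, which is the path the fix changes; please confirm and state it, e.g. `-- the duplicate inner row forces a comparison between two hash table entries (both of type name)`. The test covers only the text/name pair, which the commit message describes as nearly harmless on 64-bit machines, so it may be worth noting in the comment that a failure is most likely to show on 32-bit builds.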
