NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf02b908

committed

Prevent integer overflows in array subscripting calculations.

While we were (mostly) careful about ensuring that the dimensions ofarrays aren't large enough to cause integer overflow, the lower boundvalues were generally not checked. This allows situations wherelower_bound + dimension overflows an integer. It seems that that'sharmless so far as array reading is concerned, except that arrayelements with subscripts notionally exceeding INT_MAX are inaccessible.However, it confuses various array-assignment logic, resulting in apotential for memory stomps.Fix by adding checks that array lower bounds aren't large enough tocause lower_bound + dimension to overflow. (Note: this results indisallowing cases where the last subscript position would be exactlyINT_MAX. In principle we could probably allow that, but there's a lotof code that computes lower_bound + dimension and would need adjustment.It seems doubtful that it's worth the trouble/risk to allow it.)Somewhat independently of that, array_set_element() was carelessabout possible overflow when checking the subscript of a fixed-lengtharray, creating a different route to memory stomps. Fix that too.Security:CVE-2021-32027

1 parent6206454 commitf02b908Copy full SHA for f02b908

File tree

5 files changed

+61

-16

lines changed

src
- backend
  - executor
    - execExprInterp.c
  - utils/adt
- include/utils
  - array.h

5 files changed

+61

-16

lines changed

`‎src/backend/executor/execExprInterp.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2828,6 +2828,10 @@ ExecEvalArrayExpr(ExprState state, ExprEvalStep op)`
`2828`	`2828`	`lbs[i]=elem_lbs[i-1];`
`2829`	`2829`	`}`
`2830`	`2830`
	`2831`	`+/* check for subscript overflow */`
	`2832`	`+(void)ArrayGetNItems(ndims,dims);`
	`2833`	`+ArrayCheckBounds(ndims,dims,lbs);`
	`2834`	`+`
`2831`	`2835`	`if (havenulls)`
`2832`	`2836`	`{`
`2833`	`2837`	`dataoffset=ARR_OVERHEAD_WITHNULLS(ndims,nitems);`

`‎src/backend/utils/adt/array_userfuncs.c`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -411,6 +411,7 @@ array_cat(PG_FUNCTION_ARGS)`
`411`	`411`
`412`	`412`	`/* Do this mainly for overflow checking */`
`413`	`413`	`nitems=ArrayGetNItems(ndims,dims);`
	`414`	`+ArrayCheckBounds(ndims,dims,lbs);`
`414`	`415`
`415`	`416`	`/* build the result array */`
`416`	`417`	`ndatabytes=ndatabytes1+ndatabytes2;`

`‎src/backend/utils/adt/arrayfuncs.c`

Lines changed: 24 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -372,6 +372,8 @@ array_in(PG_FUNCTION_ARGS)`
`372`	`372`
`373`	`373`	`/* This checks for overflow of the array dimensions */`
`374`	`374`	`nitems=ArrayGetNItems(ndim,dim);`
	`375`	`+ArrayCheckBounds(ndim,dim,lBound);`
	`376`	`+`
`375`	`377`	`/* Empty array? */`
`376`	`378`	`if (nitems==0)`
`377`	`379`	`PG_RETURN_ARRAYTYPE_P(construct_empty_array(element_type));`
`@@ -1342,24 +1344,11 @@ array_recv(PG_FUNCTION_ARGS)`
`1342`	`1344`	`{`
`1343`	`1345`	`dim[i]=pq_getmsgint(buf,4);`
`1344`	`1346`	`lBound[i]=pq_getmsgint(buf,4);`
`1345`		`-`
`1346`		`-/*`
`1347`		`- * Check overflow of upper bound. (ArrayGetNItems() below checks that`
`1348`		`- * dim[i] >= 0)`
`1349`		`- */`
`1350`		`-if (dim[i]!=0)`
`1351`		`-{`
`1352`		`-intub=lBound[i]+dim[i]-1;`
`1353`		`-`
`1354`		`-if (lBound[i]>ub)`
`1355`		`-ereport(ERROR,`
`1356`		`-(errcode(ERRCODE_NUMERIC_VALUE_OUT_OF_RANGE),`
`1357`		`-errmsg("integer out of range")));`
`1358`		`-}`
`1359`	`1347`	`}`
`1360`	`1348`
`1361`	`1349`	`/* This checks for overflow of array dimensions */`
`1362`	`1350`	`nitems=ArrayGetNItems(ndim,dim);`
	`1351`	`+ArrayCheckBounds(ndim,dim,lBound);`
`1363`	`1352`
`1364`	`1353`	`/*`
`1365`	`1354`	`* We arrange to look up info about element type, including its receive`
`@@ -2265,7 +2254,7 @@ array_set_element(Datum arraydatum,`
`2265`	`2254`	`(errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),`
`2266`	`2255`	`errmsg("wrong number of array subscripts")));`
`2267`	`2256`
`2268`		`-if (indx[0]<0\|\|indx[0]*elmlen>=arraytyplen)`
	`2257`	`+if (indx[0]<0\|\|indx[0] >=arraytyplen /elmlen)`
`2269`	`2258`	`ereport(ERROR,`
`2270`	`2259`	`(errcode(ERRCODE_ARRAY_SUBSCRIPT_ERROR),`
`2271`	`2260`	`errmsg("array subscript out of range")));`
`@@ -2380,10 +2369,13 @@ array_set_element(Datum arraydatum,`
`2380`	`2369`	`}`
`2381`	`2370`	`}`
`2382`	`2371`
	`2372`	`+/* This checks for overflow of the array dimensions */`
	`2373`	`+newnitems=ArrayGetNItems(ndim,dim);`
	`2374`	`+ArrayCheckBounds(ndim,dim,lb);`
	`2375`	`+`
`2383`	`2376`	`/*`
`2384`	`2377`	`* Compute sizes of items and areas to copy`
`2385`	`2378`	`*/`
`2386`		`-newnitems=ArrayGetNItems(ndim,dim);`
`2387`	`2379`	`if (newhasnulls)`
`2388`	`2380`	`overheadlen=ARR_OVERHEAD_WITHNULLS(ndim,newnitems);`
`2389`	`2381`	`else`
`@@ -2641,6 +2633,13 @@ array_set_element_expanded(Datum arraydatum,`
`2641`	`2633`	`}`
`2642`	`2634`	`}`
`2643`	`2635`
	`2636`	`+/* Check for overflow of the array dimensions */`
	`2637`	`+if (dimschanged)`
	`2638`	`+{`
	`2639`	`+(void)ArrayGetNItems(ndim,dim);`
	`2640`	`+ArrayCheckBounds(ndim,dim,lb);`
	`2641`	`+}`
	`2642`	`+`
`2644`	`2643`	`/* Now we can calculate linear offset of target item in array */`
`2645`	`2644`	`offset=ArrayGetOffset(nSubscripts,dim,lb,indx);`
`2646`	`2645`
`@@ -2960,6 +2959,7 @@ array_set_slice(Datum arraydatum,`
`2960`	`2959`
`2961`	`2960`	`/* Do this mainly to check for overflow */`
`2962`	`2961`	`nitems=ArrayGetNItems(ndim,dim);`
	`2962`	`+ArrayCheckBounds(ndim,dim,lb);`
`2963`	`2963`
`2964`	`2964`	`/*`
`2965`	`2965`	`* Make sure source array has enough entries. Note we ignore the shape of`
`@@ -3374,7 +3374,9 @@ construct_md_array(Datum *elems,`
`3374`	`3374`	`errmsg("number of array dimensions (%d) exceeds the maximum allowed (%d)",`
`3375`	`3375`	`ndims,MAXDIM)));`
`3376`	`3376`
	`3377`	`+/* This checks for overflow of the array dimensions */`
`3377`	`3378`	`nelems=ArrayGetNItems(ndims,dims);`
	`3379`	`+ArrayCheckBounds(ndims,dims,lbs);`
`3378`	`3380`
`3379`	`3381`	`/* if ndims <= 0 or any dims[i] == 0, return empty array */`
`3380`	`3382`	`if (nelems <=0)`
`@@ -5449,6 +5451,10 @@ makeArrayResultArr(ArrayBuildStateArr *astate,`
`5449`	`5451`	`intdataoffset,`
`5450`	`5452`	`nbytes;`
`5451`	`5453`
	`5454`	`+/* Check for overflow of the array dimensions */`
	`5455`	`+(void)ArrayGetNItems(astate->ndims,astate->dims);`
	`5456`	`+ArrayCheckBounds(astate->ndims,astate->dims,astate->lbs);`
	`5457`	`+`
`5452`	`5458`	`/* Compute required space */`
`5453`	`5459`	`nbytes=astate->nbytes;`
`5454`	`5460`	`if (astate->nullbitmap!=NULL)`
`@@ -5878,7 +5884,9 @@ array_fill_internal(ArrayType dims, ArrayType lbs,`
`5878`	`5884`	`lbsv=deflbs;`
`5879`	`5885`	`}`
`5880`	`5886`
	`5887`	`+/* This checks for overflow of the array dimensions */`
`5881`	`5888`	`nitems=ArrayGetNItems(ndims,dimv);`
	`5889`	`+ArrayCheckBounds(ndims,dimv,lbsv);`
`5882`	`5890`
`5883`	`5891`	`/* fast track for empty array */`
`5884`	`5892`	`if (nitems <=0)`

`‎src/backend/utils/adt/arrayutils.c`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`#include"postgres.h"`
`17`	`17`
`18`	`18`	`#include"catalog/pg_type.h"`
	`19`	`+#include"common/int.h"`
`19`	`20`	`#include"utils/array.h"`
`20`	`21`	`#include"utils/builtins.h"`
`21`	`22`	`#include"utils/memutils.h"`
`@@ -111,6 +112,36 @@ ArrayGetNItems(int ndim, const int *dims)`
`111`	`112`	`return (int)ret;`
`112`	`113`	`}`
`113`	`114`
	`115`	`+/*`
	`116`	`+ * Verify sanity of proposed lower-bound values for an array`
	`117`	`+ *`
	`118`	`+ * The lower-bound values must not be so large as to cause overflow when`
	`119`	`+ * calculating subscripts, e.g. lower bound 2147483640 with length 10`
	`120`	`+ * must be disallowed. We actually insist that dims[i] + lb[i] be`
	`121`	`+ * computable without overflow, meaning that an array with last subscript`
	`122`	`+ * equal to INT_MAX will be disallowed.`
	`123`	`+ *`
	`124`	`+ * It is assumed that the caller already called ArrayGetNItems, so that`
	`125`	`+ * overflowed (negative) dims[] values have been eliminated.`
	`126`	`+ */`
	`127`	`+void`
	`128`	`+ArrayCheckBounds(intndim,constintdims,constintlb)`
	`129`	`+{`
	`130`	`+inti;`
	`131`	`+`
	`132`	`+for (i=0;i<ndim;i++)`
	`133`	`+{`
	`134`	`+/* PG_USED_FOR_ASSERTS_ONLY prevents variable-isn't-read warnings */`
	`135`	`+int32sumPG_USED_FOR_ASSERTS_ONLY;`
	`136`	`+`
	`137`	`+if (pg_add_s32_overflow(dims[i],lb[i],&sum))`
	`138`	`+ereport(ERROR,`
	`139`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`140`	`+errmsg("array lower bound is too large: %d",`
	`141`	`+lb[i])));`
	`142`	`+}`
	`143`	`+}`
	`144`	`+`
`114`	`145`	`/*`
`115`	`146`	`* Compute ranges (sub-array dimensions) for an array slice`
`116`	`147`	`*`

`‎src/include/utils/array.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -443,6 +443,7 @@ extern void array_free_iterator(ArrayIterator iterator);`
`443`	`443`	`externintArrayGetOffset(intn,constintdim,constintlb,constint*indx);`
`444`	`444`	`externintArrayGetOffset0(intn,constinttup,constintscale);`
`445`	`445`	`externintArrayGetNItems(intndim,constint*dims);`
	`446`	`+externvoidArrayCheckBounds(intndim,constintdims,constintlb);`
`446`	`447`	`externvoidmda_get_range(intn,intspan,constintst,constint*endp);`
`447`	`448`	`externvoidmda_get_prod(intn,constintrange,intprod);`
`448`	`449`	`externvoidmda_get_offset_values(intn,intdist,constintprod,constint*span);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf02b908

File tree

5 files changed

5 files changed

`‎src/backend/executor/execExprInterp.c`

`‎src/backend/utils/adt/array_userfuncs.c`

`‎src/backend/utils/adt/arrayfuncs.c`

`‎src/backend/utils/adt/arrayutils.c`

`‎src/include/utils/array.h`

0 commit comments