NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf0fc1d4

committed

Add defenses against integer overflow in dynahash numbuckets calculations.

The dynahash code requires the number of buckets in a hash table to fitin an int; but since we calculate the desired hash table size dynamically,there are various scenarios where we might calculate too large a value.The resulting overflow can lead to infinite loops, division-by-zerocrashes, etc. I (tgl) had previously installed some defenses against thatin commit299d171, but that covered only onecall path. Moreover it worked by limiting the request size to work_mem,but in a 64-bit machine it's possible to set work_mem high enough that theproblem appears anyway. So let's fix the problem at the root by installinglimits in the dynahash.c functions themselves.Trouble report and patch by Jeff Davis.

1 parent97a60fa commitf0fc1d4Copy full SHA for f0fc1d4

File tree

2 files changed

+41

-12

lines changed

src/backend
- executor
  - nodeHash.c
- utils/hash
  - dynahash.c

2 files changed

+41

-12

lines changed

`‎src/backend/executor/nodeHash.c`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -501,7 +501,9 @@ ExecChooseHashTableSize(double ntuples, int tupwidth, bool useskew,`
`501`	`501`	`* Both nbuckets and nbatch must be powers of 2 to make`
`502`	`502`	`* ExecHashGetBucketAndBatch fast.We already fixed nbatch; now inflate`
`503`	`503`	`* nbuckets to the next larger power of 2.We also force nbuckets to not`
`504`		`- * be real small, by starting the search at 2^10.`
	`504`	`+ * be real small, by starting the search at 2^10. (Note: above we made`
	`505`	`+ * sure that nbuckets is not more than INT_MAX / 2, so this loop cannot`
	`506`	`+ * overflow, nor can the final shift to recalculate nbuckets.)`
`505`	`507`	`*/`
`506`	`508`	`i=10;`
`507`	`509`	`while ((1 <<i)<nbuckets)`

`‎src/backend/utils/hash/dynahash.c`

Lines changed: 38 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,8 @@`
`63`	`63`
`64`	`64`	`#include"postgres.h"`
`65`	`65`
	`66`	`+#include<limits.h>`
	`67`	`+`
`66`	`68`	`#include"access/xact.h"`
`67`	`69`	`#include"storage/shmem.h"`
`68`	`70`	`#include"storage/spin.h"`
`@@ -200,6 +202,8 @@ static void hdefault(HTAB *hashp);`
`200`	`202`	`staticintchoose_nelem_alloc(Sizeentrysize);`
`201`	`203`	`staticboolinit_htab(HTAB*hashp,longnelem);`
`202`	`204`	`staticvoidhash_corrupted(HTAB*hashp);`
	`205`	`+staticlongnext_pow2_long(longnum);`
	`206`	`+staticintnext_pow2_int(longnum);`
`203`	`207`	`staticvoidregister_seq_scan(HTAB*hashp);`
`204`	`208`	`staticvoidderegister_seq_scan(HTAB*hashp);`
`205`	`209`	`staticboolhas_seq_scans(HTAB*hashp);`
`@@ -374,8 +378,13 @@ hash_create(const char tabname, long nelem, HASHCTL info, int flags)`
`374`	`378`	`{`
`375`	`379`	`/* Doesn't make sense to partition a local hash table */`
`376`	`380`	`Assert(flags&HASH_SHARED_MEM);`
`377`		`-/* # of partitions had better be a power of 2 */`
`378`		`-Assert(info->num_partitions== (1L <<my_log2(info->num_partitions)));`
	`381`	`+`
	`382`	`+/*`
	`383`	`+ * The number of partitions had better be a power of 2. Also, it must`
	`384`	`+ * be less than INT_MAX (see init_htab()), so call the int version of`
	`385`	`+ * next_pow2.`
	`386`	`+ */`
	`387`	`+Assert(info->num_partitions==next_pow2_int(info->num_partitions));`
`379`	`388`
`380`	`389`	`hctl->num_partitions=info->num_partitions;`
`381`	`390`	`}`
`@@ -518,7 +527,6 @@ init_htab(HTAB *hashp, long nelem)`
`518`	`527`	`{`
`519`	`528`	`HASHHDR*hctl=hashp->hctl;`
`520`	`529`	`HASHSEGMENT*segp;`
`521`		`-longlnbuckets;`
`522`	`530`	`intnbuckets;`
`523`	`531`	`intnsegs;`
`524`	`532`
`@@ -533,9 +541,7 @@ init_htab(HTAB *hashp, long nelem)`
`533`	`541`	`* number of buckets. Allocate space for the next greater power of two`
`534`	`542`	`* number of buckets`
`535`	`543`	`*/`
`536`		`-lnbuckets= (nelem-1) /hctl->ffactor+1;`
`537`		`-`
`538`		`-nbuckets=1 <<my_log2(lnbuckets);`
	`544`	`+nbuckets=next_pow2_int((nelem-1) /hctl->ffactor+1);`
`539`	`545`
`540`	`546`	`/*`
`541`	`547`	`* In a partitioned table, nbuckets must be at least equal to`
`@@ -553,7 +559,7 @@ init_htab(HTAB *hashp, long nelem)`
`553`	`559`	`* Figure number of directory segments needed, round up to a power of 2`
`554`	`560`	`*/`
`555`	`561`	`nsegs= (nbuckets-1) /hctl->ssize+1;`
`556`		`-nsegs=1 <<my_log2(nsegs);`
	`562`	`+nsegs=next_pow2_int(nsegs);`
`557`	`563`
`558`	`564`	`/*`
`559`	`565`	`* Make sure directory is big enough. If pre-allocated directory is too`
`@@ -623,9 +629,9 @@ hash_estimate_size(long num_entries, Size entrysize)`
`623`	`629`	`elementAllocCnt;`
`624`	`630`
`625`	`631`	`/* estimate number of buckets wanted */`
`626`		`-nBuckets=1L <<my_log2((num_entries-1) /DEF_FFACTOR+1);`
	`632`	`+nBuckets=next_pow2_long((num_entries-1) /DEF_FFACTOR+1);`
`627`	`633`	`/* # of segments needed for nBuckets */`
`628`		`-nSegments=1L <<my_log2((nBuckets-1) /DEF_SEGSIZE+1);`
	`634`	`+nSegments=next_pow2_long((nBuckets-1) /DEF_SEGSIZE+1);`
`629`	`635`	`/* directory entries */`
`630`	`636`	`nDirEntries=DEF_DIRSIZE;`
`631`	`637`	`while (nDirEntries<nSegments)`
`@@ -666,9 +672,9 @@ hash_select_dirsize(long num_entries)`
`666`	`672`	`nDirEntries;`
`667`	`673`
`668`	`674`	`/* estimate number of buckets wanted */`
`669`		`-nBuckets=1L <<my_log2((num_entries-1) /DEF_FFACTOR+1);`
	`675`	`+nBuckets=next_pow2_long((num_entries-1) /DEF_FFACTOR+1);`
`670`	`676`	`/* # of segments needed for nBuckets */`
`671`		`-nSegments=1L <<my_log2((nBuckets-1) /DEF_SEGSIZE+1);`
	`677`	`+nSegments=next_pow2_long((nBuckets-1) /DEF_SEGSIZE+1);`
`672`	`678`	`/* directory entries */`
`673`	`679`	`nDirEntries=DEF_DIRSIZE;`
`674`	`680`	`while (nDirEntries<nSegments)`
`@@ -1403,11 +1409,32 @@ my_log2(long num)`
`1403`	`1409`	`inti;`
`1404`	`1410`	`longlimit;`
`1405`	`1411`
	`1412`	`+/* guard against too-large input, which would put us into infinite loop */`
	`1413`	`+if (num>LONG_MAX /2)`
	`1414`	`+num=LONG_MAX /2;`
	`1415`	`+`
`1406`	`1416`	`for (i=0,limit=1;limit<num;i++,limit <<=1)`
`1407`	`1417`	`;`
`1408`	`1418`	`returni;`
`1409`	`1419`	`}`
`1410`	`1420`
	`1421`	`+/* calculate first power of 2 >= num, bounded to what will fit in a long */`
	`1422`	`+staticlong`
	`1423`	`+next_pow2_long(longnum)`
	`1424`	`+{`
	`1425`	`+/* my_log2's internal range check is sufficient */`
	`1426`	`+return1L <<my_log2(num);`
	`1427`	`+}`
	`1428`	`+`
	`1429`	`+/* calculate first power of 2 >= num, bounded to what will fit in an int */`
	`1430`	`+staticint`
	`1431`	`+next_pow2_int(longnum)`
	`1432`	`+{`
	`1433`	`+if (num>INT_MAX /2)`
	`1434`	`+num=INT_MAX /2;`
	`1435`	`+return1 <<my_log2(num);`
	`1436`	`+}`
	`1437`	`+`
`1411`	`1438`
`1412`	`1439`	`/*********************** SEQ SCAN TRACKING **********************/`
`1413`	`1440`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf0fc1d4

File tree

2 files changed

2 files changed

`‎src/backend/executor/nodeHash.c`

`‎src/backend/utils/hash/dynahash.c`

0 commit comments