NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitec91ee8

committed

Fix access-to-already-freed-memory issue in plpython's error handling.

PLy_elog() could attempt to access strings that Python had already freed,because the strings that PLy_get_spi_error_data() returns are simplypointers into storage associated with the error "val" PyObject. That'sfine at the instant PLy_get_spi_error_data() returns them, but just afterthat PLy_traceback() intentionally releases the only refcount on thatobject, allowing it to be freed --- so that the strings we pass toereport() are dangling pointers.In principle this could result in garbage output or a coredump. Inpractice, I think the risk is pretty low, because there are no Pythonoperations between where we decrement that refcount and where we use thestrings (and copy them into PG storage), and thus no reason for Pythonto recycle the storage. Still, it's clearly hazardous, and it leads toValgrind complaints when running under a Valgrind that hasn't beenlobotomized to ignore Python memory allocations.The code was a mess anyway: we fetched the error data out of Python(clearing Python's error indicator) with PyErr_Fetch, examined it, pushedit back into Python with PyErr_Restore (re-setting the error indicator),then immediately pulled it back out with another PyErr_Fetch. Just toconfuse matters even more, there were some gratuitous-and-yet-hazardousPyErr_Clear calls in the "examine" step, and we didn't get around to doingPyErr_NormalizeException until after the second PyErr_Fetch, making it evenless clear which object was being manipulated where and whether we stillhad a refcount on it. (If PyErr_NormalizeException did substitute adifferent "val" object, it's possible that the problem could manifest forreal, because then we'd be doing assorted Python stuff with no refcounton the object we have string pointers into.)So, rearrange all that into some semblance of sanity, and don't decrementthe refcount on the Python error objects until the end of PLy_elog().In HEAD, I failed to resist the temptation to reformat some messy bitsfrom5c3c3cd along the way.Back-patch as far as 9.2, because the code is substantially the samethat far back. I believe that 9.1 has the bug as well; but the codearound it is rather different and I don't want to take a chance onbreaking something for what seems a low-probability problem.

1 parentbf73016 commitec91ee8Copy full SHA for ec91ee8

File tree

1 file changed

+21

-21

lines changed

src/pl/plpython
- plpy_elog.c

1 file changed

+21

-21

lines changed

`‎src/pl/plpython/plpy_elog.c`

Lines changed: 21 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ PyObject *PLy_exc_fatal = NULL;`
`21`	`21`	`PyObject*PLy_exc_spi_error=NULL;`
`22`	`22`
`23`	`23`
`24`		`-staticvoidPLy_traceback(charxmsg,chartbmsg,int*tb_depth);`
	`24`	`+staticvoidPLy_traceback(PyObjecte,PyObjectv,PyObject*tb,`
	`25`	`+charxmsg,chartbmsg,int*tb_depth);`
`25`	`26`	`staticvoidPLy_get_spi_error_data(PyObjectexc,intsqlerrcode,char**detail,`
`26`	`27`	`charhint,charquery,int*position);`
`27`	`28`	`staticcharget_source_line(constcharsrc,intlineno);`
`@@ -53,16 +54,20 @@ PLy_elog(int elevel, const char *fmt,...)`
`53`	`54`	`intposition=0;`
`54`	`55`
`55`	`56`	`PyErr_Fetch(&exc,&val,&tb);`
	`57`	`+`
`56`	`58`	`if (exc!=NULL)`
`57`	`59`	`{`
	`60`	`+PyErr_NormalizeException(&exc,&val,&tb);`
	`61`	`+`
`58`	`62`	`if (PyErr_GivenExceptionMatches(val,PLy_exc_spi_error))`
`59`	`63`	`PLy_get_spi_error_data(val,&sqlerrcode,&detail,&hint,&query,&position);`
`60`	`64`	`elseif (PyErr_GivenExceptionMatches(val,PLy_exc_fatal))`
`61`	`65`	`elevel=FATAL;`
`62`	`66`	`}`
`63`		`-PyErr_Restore(exc,val,tb);`
`64`	`67`
`65`		`-PLy_traceback(&xmsg,&tbmsg,&tb_depth);`
	`68`	`+/* this releases our refcount on tb! */`
	`69`	`+PLy_traceback(exc,val,tb,`
	`70`	`+&xmsg,&tbmsg,&tb_depth);`
`66`	`71`
`67`	`72`	`if (fmt)`
`68`	`73`	`{`
`@@ -113,6 +118,9 @@ PLy_elog(int elevel, const char *fmt,...)`
`113`	`118`	`pfree(xmsg);`
`114`	`119`	`if (tbmsg)`
`115`	`120`	`pfree(tbmsg);`
	`121`	`+Py_XDECREF(exc);`
	`122`	`+Py_XDECREF(val);`
	`123`	`+`
`116`	`124`	`PG_RE_THROW();`
`117`	`125`	`}`
`118`	`126`	`PG_END_TRY();`
`@@ -123,21 +131,24 @@ PLy_elog(int elevel, const char *fmt,...)`
`123`	`131`	`pfree(xmsg);`
`124`	`132`	`if (tbmsg)`
`125`	`133`	`pfree(tbmsg);`
	`134`	`+Py_XDECREF(exc);`
	`135`	`+Py_XDECREF(val);`
`126`	`136`	`}`
`127`	`137`
`128`	`138`	`/*`
`129`		`- * Extract a Python traceback from thecurrent exception.`
	`139`	`+ * Extract a Python traceback from thegiven exception data.`
`130`	`140`	`*`
`131`	`141`	`* The exception error message is returned in xmsg, the traceback in`
`132`	`142`	`* tbmsg (both as palloc'd strings) and the traceback depth in`
`133`	`143`	`* tb_depth.`
	`144`	`+ *`
	`145`	`+ * We release refcounts on all the Python objects in the traceback stack,`
	`146`	`+ * but not on e or v.`
`134`	`147`	`*/`
`135`	`148`	`staticvoid`
`136`		`-PLy_traceback(charxmsg,chartbmsg,int*tb_depth)`
	`149`	`+PLy_traceback(PyObjecte,PyObjectv,PyObject*tb,`
	`150`	`+charxmsg,chartbmsg,int*tb_depth)`
`137`	`151`	`{`
`138`		`-PyObject*e,`
`139`		`-*v,`
`140`		`-*tb;`
`141`	`152`	`PyObject*e_type_o;`
`142`	`153`	`PyObject*e_module_o;`
`143`	`154`	`char*e_type_s=NULL;`
`@@ -148,12 +159,7 @@ PLy_traceback(char xmsg, char tbmsg, int *tb_depth)`
`148`	`159`	`StringInfoDatatbstr;`
`149`	`160`
`150`	`161`	`/*`
`151`		`- * get the current exception`
`152`		`- */`
`153`		`-PyErr_Fetch(&e,&v,&tb);`
`154`		`-`
`155`		`-/*`
`156`		`- * oops, no exception, return`
	`162`	`+ * if no exception, return nulls`
`157`	`163`	`*/`
`158`	`164`	`if (e==NULL)`
`159`	`165`	`{`
`@@ -164,8 +170,6 @@ PLy_traceback(char xmsg, char tbmsg, int *tb_depth)`
`164`	`170`	`return;`
`165`	`171`	`}`
`166`	`172`
`167`		`-PyErr_NormalizeException(&e,&v,&tb);`
`168`		`-`
`169`	`173`	`/*`
`170`	`174`	`* Format the exception and its value and put it in xmsg.`
`171`	`175`	`*/`
`@@ -332,8 +336,6 @@ PLy_traceback(char xmsg, char tbmsg, int *tb_depth)`
`332`	`336`	`Py_XDECREF(e_type_o);`
`333`	`337`	`Py_XDECREF(e_module_o);`
`334`	`338`	`Py_XDECREF(vob);`
`335`		`-Py_XDECREF(v);`
`336`		`-Py_DECREF(e);`
`337`	`339`	`}`
`338`	`340`
`339`	`341`	`/*`
`@@ -367,7 +369,7 @@ PLy_get_spi_sqlerrcode(PyObject exc, int sqlerrcode)`
`367`	`369`	`staticvoid`
`368`	`370`	`PLy_get_spi_error_data(PyObjectexc,intsqlerrcode,chardetail,charhint,char*query,intposition)`
`369`	`371`	`{`
`370`		`-PyObject*spidata=NULL;`
	`372`	`+PyObject*spidata;`
`371`	`373`
`372`	`374`	`spidata=PyObject_GetAttrString(exc,"spidata");`
`373`	`375`
`@@ -384,8 +386,6 @@ PLy_get_spi_error_data(PyObject exc, int sqlerrcode, char detail, char hin`
`384`	`386`	`PLy_get_spi_sqlerrcode(exc,sqlerrcode);`
`385`	`387`	`}`
`386`	`388`
`387`		`-PyErr_Clear();`
`388`		`-/* no elog here, we simply won't report the errhint, errposition etc */`
`389`	`389`	`Py_XDECREF(spidata);`
`390`	`390`	`}`
`391`	`391`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitec91ee8

File tree

1 file changed

1 file changed

`‎src/pl/plpython/plpy_elog.c`

0 commit comments