Re: Is MinMaxExpr really leakproof?

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Isaac Morland <isaac.morland@gmail.com>
Cc: Noah Misch <noah@leadboat.com>, PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>, Stephen Frost <sfrost@snowman.net>
Date: 2018-12-31T18:08:08Z
Lists: pgsql-hackers
Isaac Morland <isaac.morland@gmail.com> writes:
> On Mon, 31 Dec 2018 at 12:26, Noah Misch <noah@leadboat.com> wrote:
>> bttextcmp() and other varstr_cmp() callers fall afoul of the same
>> restriction with their "could not convert string to UTF-16" errors

> I'm confused. What characters cannot be represented in UTF-16?

What's actually being reported there is failure of Windows'
MultiByteToWideChar function.  Probable causes could include
invalid data (not valid UTF8), or conditions such as out-of-memory
which might have nothing at all to do with the input.

There are similar, equally nonspecific, error messages in the
non-Windows code path.

In principle, an attacker might be able to find out the existence
of extremely long strings in a column by noting out-of-memory
failures in this code, but that doesn't seem like a particularly
interesting information leak ...

			regards, tom lane


Commits

  1. Don't believe MinMaxExpr is leakproof without checking.

  2. Update leakproofness markings on some btree comparison functions.