Re: Unsafe access BufferDescriptors array in BufferGetLSNAtomic()

Xuneng Zhou <xunengzhou@gmail.com>

From: Xuneng Zhou <xunengzhou@gmail.com>
To: pgsql-hackers@lists.postgresql.org
Cc: Tender Wang <tndrwang@gmail.com>
Date: 2025-01-08T05:34:48Z
Lists: pgsql-hackers
Hi Tender,

I’ve looked through the patch, and I believe there is a potential issue. The default size for BufferDescriptors appears to be 16,384. Passing and casting a negative buffer ID to a large unsigned integer in GetBufferDescriptor, and then using it as an array subscript, could potentially lead to an overflow.

void
BufferManagerShmemInit(void)
{
	bool		foundBufs,
				foundDescs,
				foundIOCV,
				foundBufCkpt;

	/* Align descriptors to a cacheline boundary. */
	BufferDescriptors = (BufferDescPadded *)
		ShmemInitStruct("Buffer Descriptors",
						NBuffers * sizeof(BufferDescPadded),
						&foundDescs);

int			NBuffers = 16384;

The changes proposed in the patch seem reasonable to me, but it might be helpful to include an explanation of the error case and how it’s handled.

Best regards,
[Xuneng]

The new status of this patch is: Waiting on Author

Commits

  1. Fix unsafe access to BufferDescriptors