Re: Unsafe access BufferDescriptors array in BufferGetLSNAtomic()
Xuneng Zhou <xunengzhou@gmail.com>
From: Xuneng Zhou <xunengzhou@gmail.com>
To: pgsql-hackers@lists.postgresql.org
Cc: Tender Wang <tndrwang@gmail.com>
Date: 2025-01-08T05:34:48Z
Lists: pgsql-hackers
Hi Tender,
I’ve looked through the patch, and I believe there is a potential issue. The default size for BufferDescriptors appears to be 16,384. Passing and casting a negative buffer ID to a large unsigned integer in GetBufferDescriptor, and then using it as an array subscript, could potentially lead to an overflow.
void
BufferManagerShmemInit(void)
{
bool foundBufs,
foundDescs,
foundIOCV,
foundBufCkpt;
/* Align descriptors to a cacheline boundary. */
BufferDescriptors = (BufferDescPadded *)
ShmemInitStruct("Buffer Descriptors",
NBuffers * sizeof(BufferDescPadded),
&foundDescs);
int NBuffers = 16384;
The changes proposed in the patch seem reasonable to me, but it might be helpful to include an explanation of the error case and how it’s handled.
Best regards,
[Xuneng]
The new status of this patch is: Waiting on Author
Commits
-
Fix unsafe access to BufferDescriptors
- a38a7ad51ec8 13.21 landed
- 07a55093cd2e 14.18 landed
- 24a74986a096 15.13 landed
- 4c6b5dd5f5cf 16.9 landed
- 49a450892a3e 17.5 landed
- 71d02dc478d5 18.0 landed