Non-replayable WAL records through overflows and >MaxAllocSize lengths
Matthias van de Meent <boekewurm+postgres@gmail.com>
From: Matthias van de Meent <boekewurm+postgres@gmail.com>
To: PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Heikki Linnakangas <hlinnaka@iki.fi>
Date: 2022-03-11T15:42:23Z
Lists: pgsql-hackers
Attachments
- v1-0001-Add-protections-in-xlog-record-APIs-against-large.patch (application/x-patch) patch v1-0001
Hi, Xlogreader limits the size of what it considers valid xlog records to MaxAllocSize; but this is not currently enforced in the XLogRecAssemble API. This means it is possible to assemble a record that postgresql cannot replay. Similarly; it is possible to repeatedly call XlogRegisterData() so as to overflow rec->xl_tot_len; resulting in out-of-bounds reads and writes while processing record data; PFA a patch that attempts to fix both of these issues in the insertion API; by checking against overflows and other incorrectly large values in the relevant functions in xloginsert.c. In this patch, I've also added a comment to the XLogRecord spec to document that xl_tot_len should not be larger than 1GB - 1B; and why that limit exists. Kind regards, Matthias van de Meent
Commits
-
Add more protections in WAL record APIs against overflows
- 8fcb32db98ed 16.0 landed
-
Add overflow protection for block-related data in WAL records
- ffd1b6bb6f8a 16.0 landed
-
Change internal RelFileNode references to RelFileNumber or RelFileLocator.
- b0a55e43299c 16.0 cited
-
Revamp the WAL record format.
- 2c03216d8311 9.5.0 cited