Re: Unsafe access BufferDescriptors array in BufferGetLSNAtomic()
Tender Wang <tndrwang@gmail.com>
From: Tender Wang <tndrwang@gmail.com>
To: Xuneng Zhou <xunengzhou@gmail.com>
Cc: pgsql-hackers@lists.postgresql.org
Date: 2025-02-03T14:28:59Z
Lists: pgsql-hackers
Xuneng Zhou <xunengzhou@gmail.com> 于2025年1月8日周三 13:35写道:
> Hi Tender,
>
> I’ve looked through the patch, and I believe there is a potential issue.
> The default size for BufferDescriptors appears to be 16,384. Passing and
> casting a negative buffer ID to a large unsigned integer in
> GetBufferDescriptor, and then using it as an array subscript, could
> potentially lead to an overflow.
>
> void
> BufferManagerShmemInit(void)
> {
> bool foundBufs,
> foundDescs,
> foundIOCV,
> foundBufCkpt;
>
> /* Align descriptors to a cacheline boundary. */
> BufferDescriptors = (BufferDescPadded *)
> ShmemInitStruct("Buffer Descriptors",
> NBuffers *
> sizeof(BufferDescPadded),
> &foundDescs);
>
> int NBuffers = 16384;
>
> The changes proposed in the patch seem reasonable to me, but it might be
> helpful to include an explanation of the error case and how it’s handled.
>
Thanks for reviewing.
The BufferGetLSNAtomic() with this patch looks not complex. I think no
need more explanation here.
> Best regards,
> [Xuneng]
>
> The new status of this patch is: Waiting on Author
>
I change the status to Ready for commiter
--
Thanks,
Tender Wang
Commits
-
Fix unsafe access to BufferDescriptors
- a38a7ad51ec8 13.21 landed
- 07a55093cd2e 14.18 landed
- 24a74986a096 15.13 landed
- 4c6b5dd5f5cf 16.9 landed
- 49a450892a3e 17.5 landed
- 71d02dc478d5 18.0 landed