[PATCH] Add reentrancy guards in ri_triggers.c

Started by Lucas Jeffrey, 17 days ago, 1 message, hackers
#1 Lucas Jeffrey
lucas.jeffrey@anachronics.com

Hi hackers,

We found a bug where executing a DELETE on a self-referential table that
fires triggers can cause a segmentation fault. This is due to a
*use-after-free* of a Postgres plan generated by the referential integrity
module (ri_triggers.c, RI_FKey_cascade_del). The crash occurs if the
Postgres plancache is invalidated (ResetPlanCache) during the execution of
a reentrant RI trigger.

A reentrant RI_FKey_cascade_del can occur if a table is self-referential
(i.e., it has a foreign key referencing its own primary key) and has BEFORE
DELETE triggers that delete rows from that same table.

- *The first patch* adds a test case that reproduces the segmentation
  fault. The crash itself happens in _SPI_execute_plan, but the root cause
  is that the plan being executed was prematurely freed by the RI module.

- *The second patch* fixes ri_triggers.c by introducing reentrancy guards,
  which maintain a reference count of plans in execution to prevent them from
  being freed while active.

Feedback and reviews are welcome.

Best regards,

Lucas Jeffrey

Attachments:

- 0002-Fix-crash-in-RI-triggers-by-refcounting-active-plans.patch (text/x-patch; charset=US-ASCII; +85 -2)
- 0001-Add-isolation-test-case-for-RI-plan-invalidation-cra.patch (text/x-patch; charset=US-ASCII; +114 -1)
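The guard the post describes, as an added toy model in C that is not PostgreSQL's ri_triggers.c and not the submitted patch: a one-entry plan cache whose invalidation (standing in for ResetPlanCache) is deferred while a reentrant execution still holds a reference. All names (`ToyPlan`, `toy_execute`, and so on) are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of a cached plan with a refcount guard (not the real API). */
typedef struct ToyPlan {
    int refcount;   /* executions currently using this plan */
    bool invalid;   /* invalidated while in use: free on last release */
    int payload;    /* stands in for the plan tree the executor reads */
} ToyPlan;

static ToyPlan *toy_cache = NULL;   /* one-entry plan cache */
static int toy_plans_freed = 0;     /* plans actually freed so far */

/* Fetch the cached plan (building it if missing) and pin it for execution. */
static ToyPlan *toy_acquire_plan(void) {
    if (toy_cache == NULL) {
        toy_cache = calloc(1, sizeof(ToyPlan));
        toy_cache->payload = 42;    /* constructed sample contents */
    }
    toy_cache->refcount++;
    return toy_cache;
}

/* Unpin after execution; free only when no other execution still uses it. */
static void toy_release_plan(ToyPlan *plan) {
    if (--plan->refcount == 0 && plan->invalid) {
        if (toy_cache == plan) toy_cache = NULL;
        free(plan);
        toy_plans_freed++;
    }
}

/* Invalidation (analogue of ResetPlanCache): defer the free while pinned. */
static void toy_reset_plan_cache(void) {
    if (toy_cache == NULL) return;
    if (toy_cache->refcount > 0) { toy_cache->invalid = true; return; }
    free(toy_cache);
    toy_cache = NULL;
    toy_plans_freed++;
}

/* Depth 0 is the outer cascade delete; a BEFORE DELETE trigger re-enters it,
 * and the inner execution invalidates the cache. Returns what the outer
 * frame reads from its plan after the inner one has returned. */
static int toy_execute(int depth) {
    ToyPlan *plan = toy_acquire_plan();
    if (depth == 0) toy_execute(1);       /* reentrant RI trigger */
    else toy_reset_plan_cache();          /* invalidation mid-execution */
    int seen = plan->payload;             /* safe: this frame still pins it */
    toy_release_plan(plan);
    return seen;
}
```

Without the `refcount` check in `toy_reset_plan_cache`, the inner call would free the plan the outer frame still reads, which is the shape of the reported crash.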