Participants
Tatsuo Ishii
Tatsuo Ishii
Noname
Noname
Tatsuo Ishii
Tatsuo Ishii
Tom Lane
Tom Lane
Attachments

No attachments in this thread

Thread Outline
#1NonameNoname
Dec 26, 2006
#2...#5
Tatsuo IshiiTom LaneTatsuo Ishii
to Noname (#1)
Jan 18, 2007
#2Tatsuo IshiiTatsuo Ishiito Noname (#1)
Jan 18, 2007
#4Tom LaneTom Laneto Tatsuo Ishii (#2)
Jan 18, 2007
#5Tatsuo IshiiTatsuo Ishiito Tom Lane (#4)
Jan 18, 2007
#3Tatsuo IshiiTatsuo Ishiito Noname (#1)
Jan 18, 2007

pgsql: Fix failure due to accessing an already-freed tuple descriptor in

Started by Nonameabout 19 years ago5 messages
#1Noname
Noname
tgl@postgresql.org

Log Message:
-----------
Fix failure due to accessing an already-freed tuple descriptor in a plan
involving HashAggregate over SubqueryScan (this is the known case, there
may well be more). The bug is only latent in releases before 8.2 since they
didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
The least bogus fix seems to be to make subqueries share the parent query's
memory context, so that tupdescs they create will have the same lifespan as
those of the parent query. There are comments in the code envisioning going
even further by not having a separate child EState at all, but that will
require rethinking executor access to range tables, which I don't want to
tackle right now. Per bug report from Jean-Pierre Pelletier.

Tags:
----
REL8_2_STABLE

Modified Files:
--------------
pgsql/src/backend/executor:
execMain.c (r1.280 -> r1.280.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
execUtils.c (r1.140 -> r1.140.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
nodeSubplan.c (r1.80 -> r1.80.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
pgsql/src/include/executor:
executor.h (r1.130 -> r1.130.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
pgsql/src/include/nodes:
execnodes.h (r1.161 -> r1.161.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)

#2Tatsuo Ishii
Tatsuo Ishii
ishii@sraoss.co.jp
In reply to: Noname (#1)
Re: [COMMITTERS] pgsql: Fix failure due to accessing an

Tom,

Is this a fix for security hole/vulnerability?
One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".
--
Tatsuo Ishii
SRA OSS, Inc. Japan

Show quoted text

Log Message:
-----------
Fix failure due to accessing an already-freed tuple descriptor in a plan
involving HashAggregate over SubqueryScan (this is the known case, there
may well be more). The bug is only latent in releases before 8.2 since they
didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
The least bogus fix seems to be to make subqueries share the parent query's
memory context, so that tupdescs they create will have the same lifespan as
those of the parent query. There are comments in the code envisioning going
even further by not having a separate child EState at all, but that will
require rethinking executor access to range tables, which I don't want to
tackle right now. Per bug report from Jean-Pierre Pelletier.

Tags:
----
REL8_2_STABLE

Modified Files:
--------------
pgsql/src/backend/executor:
execMain.c (r1.280 -> r1.280.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
execUtils.c (r1.140 -> r1.140.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
nodeSubplan.c (r1.80 -> r1.80.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
pgsql/src/include/executor:
executor.h (r1.130 -> r1.130.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
pgsql/src/include/nodes:
execnodes.h (r1.161 -> r1.161.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org

#3Tatsuo Ishii
Tatsuo Ishii
ishii@postgresql.org
In reply to: Noname (#1)
Re: pgsql: Fix failure due to accessing an

Tom,

Is this a fix for security hole/vulnerability?
One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".
--
Tatsuo Ishii
SRA OSS, Inc. Japan

Show quoted text

Log Message:
-----------
Fix failure due to accessing an already-freed tuple descriptor in a plan
involving HashAggregate over SubqueryScan (this is the known case, there
may well be more). The bug is only latent in releases before 8.2 since they
didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
The least bogus fix seems to be to make subqueries share the parent query's
memory context, so that tupdescs they create will have the same lifespan as
those of the parent query. There are comments in the code envisioning going
even further by not having a separate child EState at all, but that will
require rethinking executor access to range tables, which I don't want to
tackle right now. Per bug report from Jean-Pierre Pelletier.

Tags:
----
REL8_2_STABLE

Modified Files:
--------------
pgsql/src/backend/executor:
execMain.c (r1.280 -> r1.280.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
execUtils.c (r1.140 -> r1.140.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
nodeSubplan.c (r1.80 -> r1.80.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
pgsql/src/include/executor:
executor.h (r1.130 -> r1.130.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
pgsql/src/include/nodes:
execnodes.h (r1.161 -> r1.161.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)

---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

http://archives.postgresql.org

#4Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Tatsuo Ishii (#2)
Re: [COMMITTERS] pgsql: Fix failure due to accessing an

Tatsuo Ishii <ishii@sraoss.co.jp> writes:

One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".

[ shrug... ] AFAICS the crashing bugs we fixed in 8.2.1 can't be
exploited for anything beyond crashing the backend, and only by an
attacker who can issue arbitrary SQL commands. There are plenty of
other ways to cause momentary DOS if you can do that, so it doesn't
strike me as a big security vulnerability. But if you want to call
it one, you can.

regards, tom lane

#5Tatsuo Ishii
Tatsuo Ishii
ishii@postgresql.org
In reply to: Tom Lane (#4)
Re: [COMMITTERS] pgsql: Fix failure due to accessing an

Ok, understood.
--
Tatsuo Ishii
SRA OSS, Inc. Japan

Show quoted text

Tatsuo Ishii <ishii@sraoss.co.jp> writes:

One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".

[ shrug... ] AFAICS the crashing bugs we fixed in 8.2.1 can't be
exploited for anything beyond crashing the backend, and only by an
attacker who can issue arbitrary SQL commands. There are plenty of
other ways to cause momentary DOS if you can do that, so it doesn't
strike me as a big security vulnerability. But if you want to call
it one, you can.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly

← Back to Topics