XLogInsert() of dangling pointer while logging replica identity
Hi, hackers.
It seems that heapam.c:3082 calls XLogRegisterData() with an argument
allocated on the stack, but the following call to XLogInsert() happens after
the end of the context for that variable.
Issue spotted by clang's AddressSanitizer. Fix attached.
--
Stas Kelvich
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company
Attachments: 0001-Fix-use-after-scope.patch
From e8ffd7b65974055c5b680e43c845595138b32976 Mon Sep 17 00:00:00 2001
From: Stas Kelvich <stanconn@gmail.com>
Date: Thu, 31 Jan 2019 23:18:17 +0300
Subject: [PATCH] Fix use of stack variable after end of the scope in
heap_delete().
---
src/backend/access/heap/heapam.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/backend/access/heap/heapam.c b/src/backend/access/heap/heapam.c
index 4406a69ef2..dc3499349b 100644
--- a/src/backend/access/heap/heapam.c
+++ b/src/backend/access/heap/heapam.c
@@ -3039,6 +3039,7 @@ l1:
if (RelationNeedsWAL(relation))
{
xl_heap_delete xlrec;
+ xl_heap_header xlhdr;
XLogRecPtr recptr;
/* For logical decode we need combocids to properly decode the catalog */
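Review bot: the hoisted declaration of xlhdr deserves a one-line comment saying why it lives at this scope, since XLogRegisterData() only records the pointer and the bytes are not read until XLogInsert() runs at the end of this block; without that note a later cleanup could move it back next to its only use and reintroduce the use-after-scope.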
@@ -3073,8 +3074,6 @@ l1:
*/
if (old_key_tuple != NULL)
{
- xl_heap_header xlhdr;
-
xlhdr.t_infomask2 = old_key_tuple->t_data->t_infomask2;
xlhdr.t_infomask = old_key_tuple->t_data->t_infomask;
xlhdr.t_hoff = old_key_tuple->t_data->t_hoff;
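Review bot: the fix is correct for xlhdr, but the XLogInsert() that dereferences the registered pointers sits below this hunk's context, so the reviewer should confirm that everything else registered inside the if (old_key_tuple != NULL) block (the old_key_tuple data itself) outlives the block the same way; a comment on xlhdr such as "/* must outlive this block: registered for XLogInsert() below */" would make the lifetime requirement explicit at the point where it is easiest to break.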
--
2.16.2
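A small model of the deferred-pointer pattern behind the fix, added here as an example and not PostgreSQL code: register_data() and insert_record() stand in for XLogRegisterData() and XLogInsert(), which likewise record a pointer first and copy the bytes later, and the two log_delete_* functions show the buggy scoping beside the fixed one.

```c
/* Added example, not PostgreSQL code: register_data() stores only a pointer;
 * the bytes are copied by insert_record() later, so every registered object
 * must stay alive until then. Names mirror the thread but are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { uint16_t t_infomask2; uint16_t t_infomask; uint8_t t_hoff; } xl_heap_header;
#define MAX_RDATA 4
static struct { const void *data; size_t len; } rdata[MAX_RDATA];
static int nrdata;

static void register_data(const void *data, size_t len)
{   /* pointer is kept, nothing is copied yet */
    if (nrdata < MAX_RDATA) { rdata[nrdata].data = data; rdata[nrdata].len = len; nrdata++; }
}

static size_t insert_record(unsigned char *out, size_t cap)
{   /* copies every registered chunk; returns bytes written, 0 if out is too small */
    size_t off = 0;
    for (int i = 0; i < nrdata; i++) {
        if (off + rdata[i].len > cap) return 0;
        memcpy(out + off, rdata[i].data, rdata[i].len);   /* pointers read here */
        off += rdata[i].len;
    }
    nrdata = 0;
    return off;
}

/* Shape of the bug: xlhdr's lifetime ends at the inner '}', yet its address is
 * still in rdata when insert_record() reads it (undefined behaviour; clang
 * -fsanitize=address reports this as stack-use-after-scope). */
size_t log_delete_buggy(unsigned char *out, size_t cap)
{
    nrdata = 0;
    {
        xl_heap_header xlhdr = { 1, 2, 24 };
        register_data(&xlhdr, sizeof xlhdr);
    }
    return insert_record(out, cap);
}

/* Fix from the patch: xlhdr is declared in the scope that also does the insert. */
size_t log_delete_fixed(unsigned char *out, size_t cap)
{
    xl_heap_header xlhdr;                 /* hoisted to the inserting scope */
    nrdata = 0;
    {
        xlhdr.t_infomask2 = 1; xlhdr.t_infomask = 2; xlhdr.t_hoff = 24;
        register_data(&xlhdr, sizeof xlhdr);
    }
    return insert_record(out, cap);       /* xlhdr is still alive here */
}
```

Compiling with clang -fsanitize=address and calling log_delete_buggy() reproduces the sanitizer report described in the thread, while log_delete_fixed() runs clean.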
On Thu, Jan 31, 2019 at 11:51:36PM +0300, Stas Kelvich wrote:
> It seems that heapam.c:3082 calls XLogRegisterData() with an argument
> allocated on the stack, but the following call to XLogInsert() happens after
> the end of the context for that variable.
> Issue spotted by clang's AddressSanitizer. Fix attached.
Oh, good catch. Committed and back-patched down to 9.4.
--
Michael
On 2019-02-01 10:38:49 +0900, Michael Paquier wrote:
> On Thu, Jan 31, 2019 at 11:51:36PM +0300, Stas Kelvich wrote:
> > It seems that heapam.c:3082 calls XLogRegisterData() with an argument
> > allocated on the stack, but the following call to XLogInsert() happens after
> > the end of the context for that variable.
> > Issue spotted by clang's AddressSanitizer. Fix attached.
> Oh, good catch. Committed and back-patched down to 9.4.
Thanks Stas and Michael!