a potential size overflow issue
Hi hackers,
"InitBufTable" is the function used to initialize the buffer lookup
table for buffer manager. With the memory size increasing nowadays,
there is a potential overflow issue for the parameter "int size" used by
"InitBufTable". This function is invoked in freelist.c as below:
InitBufTable(NBuffers + NUM_BUFFER_PARTITIONS);
The number of buffer block “NBuffers” is also defined as "int", and
"NUM_BUFFER_PARTITIONS" has a default value 128. In theory, it may get
the chance to overflow the "size" parameter in "InitBufTable". The
"size" parameter is later used by "ShmemInitHash" as "init_size" and
"max_size", which are all defined as "long".
SharedBufHash = ShmemInitHash("Shared Buffer Lookup Table",
size, size,
&info,
HASH_ELEM | HASH_BLOBS | HASH_PARTITION);
Therefore, it would be better to change "InitBufTable(int size)" to
"InitBufTable(long size)".
A simple patch is attached and it passed the “make installcheck-world” test.
--
David
Software Engineer
Highgo Software Inc. (Canada)
www.highgo.ca
Attachments:
fix-a-potential-overflow-issue-for-InitBufTable.patchtext/plain; charset=UTF-8; name=fix-a-potential-overflow-issue-for-InitBufTable.patch; x-mac-creator=0; x-mac-type=0Download
From 7df445121d3cf2aa7c0c22c831a8a920bc818d6e Mon Sep 17 00:00:00 2001
From: David Zhang <idrawone@gmail.com>
Date: Fri, 25 Sep 2020 15:39:24 -0700
Subject: [PATCH] fix a potential overflow issue for InitBufTable
---
src/backend/storage/buffer/buf_table.c | 2 +-
src/include/storage/buf_internals.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/backend/storage/buffer/buf_table.c b/src/backend/storage/buffer/buf_table.c
index 4953ae9f82..d4f58c1ce0 100644
--- a/src/backend/storage/buffer/buf_table.c
+++ b/src/backend/storage/buffer/buf_table.c
@@ -49,7 +49,7 @@ BufTableShmemSize(int size)
* size is the desired hash table size (possibly more than NBuffers)
*/
void
-InitBufTable(int size)
+InitBufTable(long size)
{
HASHCTL info;
diff --git a/src/include/storage/buf_internals.h b/src/include/storage/buf_internals.h
index 3377fa5676..25e1db6854 100644
--- a/src/include/storage/buf_internals.h
+++ b/src/include/storage/buf_internals.h
@@ -320,7 +320,7 @@ extern bool have_free_buffer(void);
/* buf_table.c */
extern Size BufTableShmemSize(int size);
-extern void InitBufTable(int size);
+extern void InitBufTable(long size);
extern uint32 BufTableHashCode(BufferTag *tagPtr);
extern int BufTableLookup(BufferTag *tagPtr, uint32 hashcode);
extern int BufTableInsert(BufferTag *tagPtr, uint32 hashcode, int buf_id);
--
2.21.1 (Apple Git-122.3)
David Zhang <david.zhang@highgo.ca> writes:
"InitBufTable" is the function used to initialize the buffer lookup
table for buffer manager. With the memory size increasing nowadays,
there is a potential overflow issue for the parameter "int size" used by
"InitBufTable". This function is invoked in freelist.c as below:
InitBufTable(NBuffers + NUM_BUFFER_PARTITIONS);
The number of buffer block “NBuffers” is also defined as "int", and
"NUM_BUFFER_PARTITIONS" has a default value 128. In theory, it may get
the chance to overflow the "size" parameter in "InitBufTable".
No, because guc.c limits NBuffers to INT_MAX/2.
Therefore, it would be better to change "InitBufTable(int size)" to
"InitBufTable(long size)".
If I was worried about this, that wouldn't be much of a fix, since
on many platforms "long" is not any wider than "int". (We really
oughta try to move away from relying on "long", because its size
is so poorly standardized.)
regards, tom lane