a potential size overflow issue

Started by David Zhang, over 5 years ago. 2 messages. List: hackers

#1 David Zhang
david.zhang@highgo.ca

Hi hackers,

"InitBufTable" is the function used to initialize the buffer lookup
table for buffer manager. With the memory size increasing nowadays,
there is a potential overflow issue for the parameter "int size" used by
"InitBufTable". This function is invoked in freelist.c as below:
    InitBufTable(NBuffers + NUM_BUFFER_PARTITIONS);

The number of buffer blocks "NBuffers" is also defined as "int", and
"NUM_BUFFER_PARTITIONS" has a default value 128. In theory, it may get
the chance to overflow the "size" parameter in "InitBufTable". The
"size" parameter is later used by "ShmemInitHash" as "init_size" and
"max_size", which are all defined as "long".

    SharedBufHash = ShmemInitHash("Shared Buffer Lookup Table",
                                  size, size,
                                  &info,
                                  HASH_ELEM | HASH_BLOBS | HASH_PARTITION);

Therefore, it would be better to change "InitBufTable(int size)" to
"InitBufTable(long size)".

A simple patch is attached and it passed the “make installcheck-world” test.

--

David

Software Engineer
Highgo Software Inc. (Canada)
www.highgo.ca

Attachments:

fix-a-potential-overflow-issue-for-InitBufTable.patch (text/plain; +2 -3)

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Zhang (#1)
Re: a potential size overflow issue

David Zhang <david.zhang@highgo.ca> writes:

> "InitBufTable" is the function used to initialize the buffer lookup
> table for buffer manager. With the memory size increasing nowadays,
> there is a potential overflow issue for the parameter "int size" used by
> "InitBufTable". This function is invoked in freelist.c as below:
>     InitBufTable(NBuffers + NUM_BUFFER_PARTITIONS);
>
> The number of buffer blocks "NBuffers" is also defined as "int", and
> "NUM_BUFFER_PARTITIONS" has a default value 128. In theory, it may get
> the chance to overflow the "size" parameter in "InitBufTable".

No, because guc.c limits NBuffers to INT_MAX/2.

> Therefore, it would be better to change "InitBufTable(int size)" to
> "InitBufTable(long size)".

If I was worried about this, that wouldn't be much of a fix, since
on many platforms "long" is not any wider than "int". (We really
oughta try to move away from relying on "long", because its size
is so poorly standardized.)

regards, tom lane
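The two points in this thread, that NBuffers + NUM_BUFFER_PARTITIONS cannot overflow while guc.c caps NBuffers at INT_MAX/2, and that widening the parameter to "long" buys nothing on platforms where long is 32 bits, can both be checked with a small C program. The following is an added example for this page, not code from PostgreSQL or from either poster; NUM_BUFFER_PARTITIONS and the INT_MAX/2 bound are taken from the messages above, while add_int_checked, buf_table_size, bound_prevents_overflow and long_bits are names chosen here for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Values from the thread: the default partition count is 128, and guc.c
 * limits NBuffers to INT_MAX/2.  Defined here for the example only, not
 * pulled from PostgreSQL's headers. */
#define NUM_BUFFER_PARTITIONS 128
#define MAX_NBUFFERS (INT_MAX / 2)

/* Checked signed addition: returns false instead of triggering the
 * undefined behaviour of a signed int overflow. */
bool add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* The argument freelist.c passes to InitBufTable(), computed with the
 * overflow check made explicit.  Returns true and stores the size when
 * the sum is representable as int. */
bool buf_table_size(int nbuffers, int *size)
{
    return add_int_checked(nbuffers, NUM_BUFFER_PARTITIONS, size);
}

/* Is the guc.c-style cap on NBuffers enough to rule out overflow?
 * True iff MAX_NBUFFERS + NUM_BUFFER_PARTITIONS fits in an int. */
bool bound_prevents_overflow(void)
{
    int unused;
    return add_int_checked(MAX_NBUFFERS, NUM_BUFFER_PARTITIONS, &unused);
}

/* Width of "long" on the platform running this.  It is 32 bits on 64-bit
 * Windows (LLP64) and 64 bits on LP64 Unix, which is why changing the
 * parameter type to long would not be a portable widening. */
int long_bits(void)
{
    return (int)(sizeof(long) * CHAR_BIT);
}

int main(void)
{
    int size;

    printf("INT_MAX/2 cap prevents overflow: %s\n",
           bound_prevents_overflow() ? "yes" : "no");
    if (buf_table_size(MAX_NBUFFERS, &size))
        printf("NBuffers=%d -> size=%d\n", MAX_NBUFFERS, size);
    printf("NBuffers=INT_MAX -> %s\n",
           buf_table_size(INT_MAX, &size) ? "ok" : "overflow rejected");
    printf("sizeof(long) on this build: %d bits\n", long_bits());
    return 0;
}
```

Compile with any C99 compiler; on a 64-bit Windows toolchain long_bits() reports 32, which is the portability point in the reply. The checked-addition helper is the pattern to reach for when a bound like INT_MAX/2 is not already enforced upstream.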