Explicit NULL dereference (src/backend/utils/adt/ruleutils.c)
Hi,
Per Coverity.
make_ruledef function can dereference a NULL pointer (actions),
if "ev_qual" is provided and "actions" does not exist.
The comment there is contradictory: " /* these could be nulls */ "
Because if "ev_qual" is not null, "actions" cannot be either.
Solution proposed merely as a learning experience.
regards,
Ranier Vilela
Attachments:
fix_explicit_null_dereference_ruleutils.patchapplication/octet-stream; name=fix_explicit_null_dereference_ruleutils.patchDownload
diff --git a/src/backend/utils/adt/ruleutils.c b/src/backend/utils/adt/ruleutils.c
index 6c656586e8..b64235ef69 100644
--- a/src/backend/utils/adt/ruleutils.c
+++ b/src/backend/utils/adt/ruleutils.c
@@ -4829,6 +4829,12 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
deparse_context context;
deparse_namespace dpns;
+ if (actions == NIL)
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("rule \"%s\" with event qualification \"%s\", need has actions",
+ rulename, ev_qual)));
+
if (prettyFlags & PRETTYFLAG_INDENT)
appendStringInfoString(buf, "\n ");
appendStringInfoString(buf, " WHERE ");
At Sat, 31 Oct 2020 11:49:07 -0300, Ranier Vilela <ranier.vf@gmail.com> wrote in
Per Coverity.
make_ruledef function can dereference a NULL pointer (actions),
if "ev_qual" is provided and "actions" does not exist.The comment there is contradictory: " /* these could be nulls */ "
Because if "ev_qual" is not null, "actions" cannot be either.Solution proposed merely as a learning experience.
We cannot reach there with ev_action == NULL since it comes from a
non-nullable column. Since most of the other columns has an assertion
that !isnull, I think we should do the same thing for ev_action (and
ev_qual). SPI_getvalue() returns C-NULL for SQL-NULL (or for some
other unexpected situations.).
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachments:
ev_qual_and_action_catnnot_be_null.patchtext/x-patch; charset=us-asciiDownload
diff --git a/src/backend/utils/adt/ruleutils.c b/src/backend/utils/adt/ruleutils.c
index 6c656586e8..6ba2b4a5ae 100644
--- a/src/backend/utils/adt/ruleutils.c
+++ b/src/backend/utils/adt/ruleutils.c
@@ -4766,12 +4766,13 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
/* these could be nulls */
fno = SPI_fnumber(rulettc, "ev_qual");
ev_qual = SPI_getvalue(ruletup, rulettc, fno);
+ Assert(ev_qual != NULL);
fno = SPI_fnumber(rulettc, "ev_action");
ev_action = SPI_getvalue(ruletup, rulettc, fno);
- if (ev_action != NULL)
- actions = (List *) stringToNode(ev_action);
-
+ Assert(ev_action != NULL);
+ actions = (List *) stringToNode(ev_action);
+
ev_relation = table_open(ev_class, AccessShareLock);
/*
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
We cannot reach there with ev_action == NULL since it comes from a
non-nullable column. Since most of the other columns has an assertion
that !isnull, I think we should do the same thing for ev_action (and
ev_qual). SPI_getvalue() returns C-NULL for SQL-NULL (or for some
other unexpected situations.).
Isn't the comment just above there wrong?
/* these could be nulls */
I wonder just when that became outdated.
regards, tom lane
At Mon, 02 Nov 2020 10:36:10 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
At Sat, 31 Oct 2020 11:49:07 -0300, Ranier Vilela <ranier.vf@gmail.com> wrote in
Per Coverity.
make_ruledef function can dereference a NULL pointer (actions),
if "ev_qual" is provided and "actions" does not exist.The comment there is contradictory: " /* these could be nulls */ "
Because if "ev_qual" is not null, "actions" cannot be either.Solution proposed merely as a learning experience.
We cannot reach there with ev_action == NULL since it comes from a
non-nullable column. Since most of the other columns has an assertion
that !isnull, I think we should do the same thing for ev_action (and
ev_qual). SPI_getvalue() returns C-NULL for SQL-NULL (or for some
other unexpected situations.).
The following code is found there, since 1998. (15cb32d93e)
/* If the rule has an event qualification, add it */
if (ev_qual == NULL)
ev_qual = "";
The problem code here was written as the follows.
+ fno = SPI_fnumber(rulettc, "is_instead");
+ is_instead = (bool)SPI_getbinval(ruletup, rulettc, fno, &isnull);
+
+ fno = SPI_fnumber(rulettc, "ev_qual");
+ ev_qual = SPI_getvalue(ruletup, rulettc, fno);
+ if (isnull) ev_qual = NULL;
+
+ fno = SPI_fnumber(rulettc, "ev_action");
+ ev_action = SPI_getvalue(ruletup, rulettc, fno);
+ if (isnull) ev_action = NULL;
+ if (ev_action != NULL) {
+ actions = (List *)stringToNode(ev_action);
+ }I'm not sure what the code means by just reading there but at least it
seems impossible for the current code to return NULL for legit values.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachments:
ev_qual_and_action_catnnot_be_null_2.patchtext/x-patch; charset=us-asciiDownload
diff --git a/src/backend/utils/adt/ruleutils.c b/src/backend/utils/adt/ruleutils.c
index 6c656586e8..ab4f102e9b 100644
--- a/src/backend/utils/adt/ruleutils.c
+++ b/src/backend/utils/adt/ruleutils.c
@@ -4766,12 +4766,13 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
/* these could be nulls */
fno = SPI_fnumber(rulettc, "ev_qual");
ev_qual = SPI_getvalue(ruletup, rulettc, fno);
+ Assert(ev_qual != NULL);
fno = SPI_fnumber(rulettc, "ev_action");
ev_action = SPI_getvalue(ruletup, rulettc, fno);
- if (ev_action != NULL)
- actions = (List *) stringToNode(ev_action);
-
+ Assert(ev_action != NULL);
+ actions = (List *) stringToNode(ev_action);
+
ev_relation = table_open(ev_class, AccessShareLock);
/*
@@ -4819,9 +4820,6 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
generate_relation_name(ev_class, NIL) :
generate_qualified_relation_name(ev_class));
- /* If the rule has an event qualification, add it */
- if (ev_qual == NULL)
- ev_qual = "";
if (strlen(ev_qual) > 0 && strcmp(ev_qual, "<>") != 0)
{
Node *qual;
At Sun, 01 Nov 2020 21:05:29 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
We cannot reach there with ev_action == NULL since it comes from a
non-nullable column. Since most of the other columns has an assertion
that !isnull, I think we should do the same thing for ev_action (and
ev_qual). SPI_getvalue() returns C-NULL for SQL-NULL (or for some
other unexpected situations.).Isn't the comment just above there wrong?
/* these could be nulls */
I wonder just when that became outdated.
Mmm. I investigated that.
At the very beginning of CREATE RULE (d31084e9d1, 1996), InsertRule()
did the following.
template = "INSERT INTO pg_rewrite \
(rulename, ev_type, ev_class, ev_attr, action, ev_qual, is_instead) VALUES \
('%s', %d::char, %d::oid, %d::int2, '%s'::text, '%s'::text, \
'%s'::bool);";
if (strlen(template) + strlen(rulname) + strlen(actionbuf) +
strlen(qualbuf) + 20 /* fudge fac */ > RULE_PLAN_SIZE) {
elog(WARN, "DefineQueryRewrite: rule plan string too big.");
}
sprintf(rulebuf, template,
rulname, evtype, eventrel_oid, evslot_index, actionbuf,
qualbuf, is_instead);
Doesn't seem that ev_qual and ev_action can be NULL. The same
function in the current converts action list to string using
nodeToSTring so NIL is converted into '<>', which is not NULL.
So I think ev_action cannot be null from the beginning of the history
unless the columns is modified manually. ev_qual and ev_action are
marked as non-nullable (9b39b799db, in 2018). They could be null if we
modified that columns nullable then set NULL, but that could happen on
all other columns in pg_rewite catalog, which are Assert(!null)ed.
Although ev_action cannot be a empty list using SQL interface. So we
can get rid of the case list_length(action) == 0, but I'm not sure
it's worth doing (but the attaches does..).
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachments:
ev_qual_and_action_catnnot_be_null_3.patchtext/x-patch; charset=us-asciiDownload
diff --git a/src/backend/utils/adt/ruleutils.c b/src/backend/utils/adt/ruleutils.c
index 6c656586e8..120b8869ea 100644
--- a/src/backend/utils/adt/ruleutils.c
+++ b/src/backend/utils/adt/ruleutils.c
@@ -4763,15 +4763,15 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
Assert(!isnull);
is_instead = DatumGetBool(dat);
- /* these could be nulls */
fno = SPI_fnumber(rulettc, "ev_qual");
ev_qual = SPI_getvalue(ruletup, rulettc, fno);
+ Assert(ev_qual != NULL);
fno = SPI_fnumber(rulettc, "ev_action");
ev_action = SPI_getvalue(ruletup, rulettc, fno);
- if (ev_action != NULL)
- actions = (List *) stringToNode(ev_action);
-
+ Assert(ev_action != NULL);
+ actions = (List *) stringToNode(ev_action);
+
ev_relation = table_open(ev_class, AccessShareLock);
/*
@@ -4819,10 +4819,8 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
generate_relation_name(ev_class, NIL) :
generate_qualified_relation_name(ev_class));
- /* If the rule has an event qualification, add it */
- if (ev_qual == NULL)
- ev_qual = "";
- if (strlen(ev_qual) > 0 && strcmp(ev_qual, "<>") != 0)
+ Assert(strlen(ev_qual) > 0);
+ if (strcmp(ev_qual, "<>") != 0)
{
Node *qual;
Query *query;
@@ -4875,6 +4873,7 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
appendStringInfoString(buf, "INSTEAD ");
/* Finally the rules actions */
+ Assert(list_length(actions) > 0);
if (list_length(actions) > 1)
{
ListCell *action;
@@ -4893,10 +4892,6 @@ make_ruledef(StringInfo buf, HeapTuple ruletup, TupleDesc rulettc,
}
appendStringInfoString(buf, ");");
}
- else if (list_length(actions) == 0)
- {
- appendStringInfoString(buf, "NOTHING;");
- }
else
{
Query *query;
Em seg., 2 de nov. de 2020 às 01:36, Kyotaro Horiguchi <
horikyota.ntt@gmail.com> escreveu:
At Sun, 01 Nov 2020 21:05:29 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
We cannot reach there with ev_action == NULL since it comes from a
non-nullable column. Since most of the other columns has an assertion
that !isnull, I think we should do the same thing for ev_action (and
ev_qual). SPI_getvalue() returns C-NULL for SQL-NULL (or for some
other unexpected situations.).Isn't the comment just above there wrong?
/* these could be nulls */
I wonder just when that became outdated.
Mmm. I investigated that.
At the very beginning of CREATE RULE (d31084e9d1, 1996), InsertRule()
did the following.template = "INSERT INTO pg_rewrite \
(rulename, ev_type, ev_class, ev_attr, action, ev_qual, is_instead)VALUES \
('%s', %d::char, %d::oid, %d::int2, '%s'::text, '%s'::text, \
'%s'::bool);";
if (strlen(template) + strlen(rulname) + strlen(actionbuf) +
strlen(qualbuf) + 20 /* fudge fac */ > RULE_PLAN_SIZE) {
elog(WARN, "DefineQueryRewrite: rule plan string too big.");
}
sprintf(rulebuf, template,
rulname, evtype, eventrel_oid, evslot_index, actionbuf,
qualbuf, is_instead);Doesn't seem that ev_qual and ev_action can be NULL. The same
function in the current converts action list to string using
nodeToSTring so NIL is converted into '<>', which is not NULL.So I think ev_action cannot be null from the beginning of the history
unless the columns is modified manually. ev_qual and ev_action are
marked as non-nullable (9b39b799db, in 2018). They could be null if we
modified that columns nullable then set NULL, but that could happen on
all other columns in pg_rewite catalog, which are Assert(!null)ed.Although ev_action cannot be a empty list using SQL interface. So we
can get rid of the case list_length(action) == 0, but I'm not sure
it's worth doing (but the attaches does..).
I think that Assert is not the right solution here.
For a function that returns NULL twice (SPI_getvalue), it is worth testing
the result against NULL.
In the future, any modification may cause further dereference.
In addition, the static analysis tools would continue to note this snippet
either as a bug or as a suspect.
Checking "actions" pointer against NULL, and acting appropriately would do.
regards,
Ranier Vilela
Ranier Vilela <ranier.vf@gmail.com> writes:
Em seg., 2 de nov. de 2020 às 01:36, Kyotaro Horiguchi <
horikyota.ntt@gmail.com> escreveu:Doesn't seem that ev_qual and ev_action can be NULL. The same
function in the current converts action list to string using
nodeToSTring so NIL is converted into '<>', which is not NULL.
I think that Assert is not the right solution here.
I think there's some confusion here: whether the ev_actions column can
contain a SQL NULL is a very different thing from whether the result of
stringToNode() on it can be a NIL list. The latter should also not
happen, but it's not enforced by low-level code in the same way that
the NOT NULL property is. So in my judgment, it's okay for us to just
Assert that we got a not-null datum, but it's probably worth expending
an actual test-and-elog for the NIL-list case.
Of course, someone could put a string into that column that doesn't
read out as a List at all, or it does but the elements aren't Query
nodes, etc etc. There's a very finite limit to how much code I'm
willing to expend on such scenarios. But a test for NIL list seems
reasonable, since this function previously had what looked like sane
handling for that case.
Anyway, I adjusted Kyotaro-san's patch a bit (including fixing the
near identical code in make_viewdef) and pushed it.
regards, tom lane
At Mon, 02 Nov 2020 14:49:50 -0500, Tom Lane <tgl@sss.pgh.pa.us> wrote in
Ranier Vilela <ranier.vf@gmail.com> writes:
Em seg., 2 de nov. de 2020 às 01:36, Kyotaro Horiguchi <
horikyota.ntt@gmail.com> escreveu:Doesn't seem that ev_qual and ev_action can be NULL. The same
function in the current converts action list to string using
nodeToSTring so NIL is converted into '<>', which is not NULL.I think that Assert is not the right solution here.
I think there's some confusion here: whether the ev_actions column can
contain a SQL NULL is a very different thing from whether the result of
stringToNode() on it can be a NIL list. The latter should also not
happen, but it's not enforced by low-level code in the same way that
the NOT NULL property is. So in my judgment, it's okay for us to just
Assert that we got a not-null datum, but it's probably worth expending
an actual test-and-elog for the NIL-list case.Of course, someone could put a string into that column that doesn't
read out as a List at all, or it does but the elements aren't Query
nodes, etc etc. There's a very finite limit to how much code I'm
willing to expend on such scenarios. But a test for NIL list seems
reasonable, since this function previously had what looked like sane
handling for that case.Anyway, I adjusted Kyotaro-san's patch a bit (including fixing the
near identical code in make_viewdef) and pushed it.
Thanks!
--
Kyotaro Horiguchi
NTT Open Source Software Center