| Lists: | pgsql-committerspgsql-hackers |
|---|
| From: | tgl(at)postgresql(dot)org (Tom Lane) |
|---|---|
| To: | pgsql-committers(at)postgresql(dot)org |
| Subject: | pgsql: Fix failure due to accessing an already-freed tuple descriptor in |
| Date: | 2006-12-26 21:37:28 |
| Message-ID: | 20061226213728.C289D9FA1DA@postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-committers pgsql-hackers |
Log Message:
-----------
Fix failure due to accessing an already-freed tuple descriptor in a plan
involving HashAggregate over SubqueryScan (this is the known case, there
may well be more). The bug is only latent in releases before 8.2 since they
didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
The least bogus fix seems to be to make subqueries share the parent query's
memory context, so that tupdescs they create will have the same lifespan as
those of the parent query. There are comments in the code envisioning going
even further by not having a separate child EState at all, but that will
require rethinking executor access to range tables, which I don't want to
tackle right now. Per bug report from Jean-Pierre Pelletier.
Tags:
----
REL8_2_STABLE
Modified Files:
--------------
pgsql/src/backend/executor:
execMain.c (r1.280 -> r1.280.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
execUtils.c (r1.140 -> r1.140.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
nodeSubplan.c (r1.80 -> r1.80.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
pgsql/src/include/executor:
executor.h (r1.130 -> r1.130.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
pgsql/src/include/nodes:
execnodes.h (r1.161 -> r1.161.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)
| From: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
|---|---|
| To: | tgl(at)postgresql(dot)org |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [COMMITTERS] pgsql: Fix failure due to accessing an |
| Date: | 2007-01-18 02:20:08 |
| Message-ID: | 20070118.112008.41656133.t-ishii@sraoss.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-committers pgsql-hackers |
Tom,
Is this a fix for security hole/vulnerability?
One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".
--
Tatsuo Ishii
SRA OSS, Inc. Japan
> Log Message:
> -----------
> Fix failure due to accessing an already-freed tuple descriptor in a plan
> involving HashAggregate over SubqueryScan (this is the known case, there
> may well be more). The bug is only latent in releases before 8.2 since they
> didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
> The least bogus fix seems to be to make subqueries share the parent query's
> memory context, so that tupdescs they create will have the same lifespan as
> those of the parent query. There are comments in the code envisioning going
> even further by not having a separate child EState at all, but that will
> require rethinking executor access to range tables, which I don't want to
> tackle right now. Per bug report from Jean-Pierre Pelletier.
>
> Tags:
> ----
> REL8_2_STABLE
>
> Modified Files:
> --------------
> pgsql/src/backend/executor:
> execMain.c (r1.280 -> r1.280.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
> execUtils.c (r1.140 -> r1.140.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
> nodeSubplan.c (r1.80 -> r1.80.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
> nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
> pgsql/src/include/executor:
> executor.h (r1.130 -> r1.130.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
> pgsql/src/include/nodes:
> execnodes.h (r1.161 -> r1.161.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
>
> http://archives.postgresql.org
>
| From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
|---|---|
| To: | tgl(at)postgresql(dot)org |
| Cc: | pgsql-committers(at)postgresql(dot)org |
| Subject: | Re: pgsql: Fix failure due to accessing an |
| Date: | 2007-01-18 13:49:53 |
| Message-ID: | 20070118.224953.35685121.t-ishii@sraoss.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-committers pgsql-hackers |
Tom,
Is this a fix for security hole/vulnerability?
One of our engineer claimed that double free bug itself is a
vulnerability, thus 8.2.1 release should be called as "security
release".
--
Tatsuo Ishii
SRA OSS, Inc. Japan
> Log Message:
> -----------
> Fix failure due to accessing an already-freed tuple descriptor in a plan
> involving HashAggregate over SubqueryScan (this is the known case, there
> may well be more). The bug is only latent in releases before 8.2 since they
> didn't try to access tupletable slots' descriptors during ExecDropTupleTable.
> The least bogus fix seems to be to make subqueries share the parent query's
> memory context, so that tupdescs they create will have the same lifespan as
> those of the parent query. There are comments in the code envisioning going
> even further by not having a separate child EState at all, but that will
> require rethinking executor access to range tables, which I don't want to
> tackle right now. Per bug report from Jean-Pierre Pelletier.
>
> Tags:
> ----
> REL8_2_STABLE
>
> Modified Files:
> --------------
> pgsql/src/backend/executor:
> execMain.c (r1.280 -> r1.280.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c.diff?r1=1.280&r2=1.280.2.1)
> execUtils.c (r1.140 -> r1.140.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.140&r2=1.140.2.1)
> nodeSubplan.c (r1.80 -> r1.80.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.80&r2=1.80.2.1)
> nodeSubqueryscan.c (r1.32.2.1 -> r1.32.2.2)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubqueryscan.c.diff?r1=1.32.2.1&r2=1.32.2.2)
> pgsql/src/include/executor:
> executor.h (r1.130 -> r1.130.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.130&r2=1.130.2.1)
> pgsql/src/include/nodes:
> execnodes.h (r1.161 -> r1.161.2.1)
> (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/nodes/execnodes.h.diff?r1=1.161&r2=1.161.2.1)
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
>
> http://archives.postgresql.org
>
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [COMMITTERS] pgsql: Fix failure due to accessing an |
| Date: | 2007-01-18 16:42:20 |
| Message-ID: | 27900.1169138540@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-committers pgsql-hackers |
Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> writes:
> One of our engineer claimed that double free bug itself is a
> vulnerability, thus 8.2.1 release should be called as "security
> release".
[ shrug... ] AFAICS the crashing bugs we fixed in 8.2.1 can't be
exploited for anything beyond crashing the backend, and only by an
attacker who can issue arbitrary SQL commands. There are plenty of
other ways to cause momentary DOS if you can do that, so it doesn't
strike me as a big security vulnerability. But if you want to call
it one, you can.
regards, tom lane
| From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
|---|---|
| To: | tgl(at)sss(dot)pgh(dot)pa(dot)us |
| Cc: | ishii(at)sraoss(dot)co(dot)jp, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [COMMITTERS] pgsql: Fix failure due to accessing an |
| Date: | 2007-01-18 22:30:41 |
| Message-ID: | 20070119.073041.77425384.t-ishii@sraoss.co.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-committers pgsql-hackers |
Ok, understood.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
> Tatsuo Ishii <ishii(at)sraoss(dot)co(dot)jp> writes:
> > One of our engineer claimed that double free bug itself is a
> > vulnerability, thus 8.2.1 release should be called as "security
> > release".
>
> [ shrug... ] AFAICS the crashing bugs we fixed in 8.2.1 can't be
> exploited for anything beyond crashing the backend, and only by an
> attacker who can issue arbitrary SQL commands. There are plenty of
> other ways to cause momentary DOS if you can do that, so it doesn't
> strike me as a big security vulnerability. But if you want to call
> it one, you can.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
>