diff options
| author | John Naylor | 2024-12-04 09:51:55 +0000 |
|---|---|---|
| committer | John Naylor | 2024-12-04 09:58:25 +0000 |
| commit | ccc8194e4275d0be557a9b94126a12b389520593 (patch) | |
| tree | 24b7237d06e6830638a68c50d9609b220172f96d /src/backend/commands/vacuumparallel.c | |
| parent | 7727049e8f663344d4d0457e1d9ec048d626f3d9 (diff) | |
Fix use-after-free in parallel_vacuum_reset_dead_items
parallel_vacuum_reset_dead_items used a local variable to hold a
pointer from the passed vacrel, purely as a shorthand. This pointer
was later freed and a new allocation was made and stored to the
struct. Then the local pointer was mistakenly referenced again.
This apparently happened not to break anything since the freed chunk
would have been put on the context's freelist, so it was accidentally
the same pointer anyway, in which case the DSA handle was correctly
updated. The minimal fix is to change two places so they access
dead_items through the vacrel. This coding style is a maintenance
hazard, so while at it get rid of most other similar usages, which
were inconsistently used anyway.
Analysis and patch by Vallimaharajan G, with further defensive coding
by me
Backpath to v17, when TidStore came in
Discussion: https://postgr.es/m/[email protected]
Diffstat (limited to 'src/backend/commands/vacuumparallel.c')
| -rw-r--r-- | src/backend/commands/vacuumparallel.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/backend/commands/vacuumparallel.c b/src/backend/commands/vacuumparallel.c index 4fd6574e129..67cba17a564 100644 --- a/src/backend/commands/vacuumparallel.c +++ b/src/backend/commands/vacuumparallel.c @@ -474,7 +474,6 @@ parallel_vacuum_get_dead_items(ParallelVacuumState *pvs, VacDeadItemsInfo **dead void parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs) { - TidStore *dead_items = pvs->dead_items; VacDeadItemsInfo *dead_items_info = &(pvs->shared->dead_items_info); /* @@ -482,13 +481,13 @@ parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs) * operating system. Then we recreate the tidstore with the same max_bytes * limitation we just used. */ - TidStoreDestroy(dead_items); + TidStoreDestroy(pvs->dead_items); pvs->dead_items = TidStoreCreateShared(dead_items_info->max_bytes, LWTRANCHE_PARALLEL_VACUUM_DSA); /* Update the DSA pointer for dead_items to the new one */ - pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(dead_items)); - pvs->shared->dead_items_handle = TidStoreGetHandle(dead_items); + pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(pvs->dead_items)); + pvs->shared->dead_items_handle = TidStoreGetHandle(pvs->dead_items); /* Reset the counter */ dead_items_info->num_items = 0; |