From 83ce20d67184d79f7a1e65feed7c06ec03e4472d Mon Sep 17 00:00:00 2001 From: John Naylor Date: Wed, 4 Dec 2024 16:51:55 +0700 Subject: Fix use-after-free in parallel_vacuum_reset_dead_items parallel_vacuum_reset_dead_items used a local variable to hold a pointer from the passed vacrel, purely as a shorthand. This pointer was later freed and a new allocation was made and stored to the struct. Then the local pointer was mistakenly referenced again. This apparently happened not to break anything since the freed chunk would have been put on the context's freelist, so it was accidentally the same pointer anyway, in which case the DSA handle was correctly updated. The minimal fix is to change two places so they access dead_items through the vacrel. This coding style is a maintenance hazard, so while at it get rid of most other similar usages, which were inconsistently used anyway. Analysis and patch by Vallimaharajan G, with further defensive coding by me Backpath to v17, when TidStore came in Discussion: https://postgr.es/m/1936493cc38.68cb2ef27266.7456585136086197135@zohocorp.com --- src/backend/commands/vacuumparallel.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'src/backend/commands') diff --git a/src/backend/commands/vacuumparallel.c b/src/backend/commands/vacuumparallel.c index f26070bff2a..f02fc8296f1 100644 --- a/src/backend/commands/vacuumparallel.c +++ b/src/backend/commands/vacuumparallel.c @@ -472,7 +472,6 @@ parallel_vacuum_get_dead_items(ParallelVacuumState *pvs, VacDeadItemsInfo **dead void parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs) { - TidStore *dead_items = pvs->dead_items; VacDeadItemsInfo *dead_items_info = &(pvs->shared->dead_items_info); /* @@ -480,13 +479,13 @@ parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs) * operating system. Then we recreate the tidstore with the same max_bytes * limitation we just used. */ - TidStoreDestroy(dead_items); + TidStoreDestroy(pvs->dead_items); pvs->dead_items = TidStoreCreateShared(dead_items_info->max_bytes, LWTRANCHE_PARALLEL_VACUUM_DSA); /* Update the DSA pointer for dead_items to the new one */ - pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(dead_items)); - pvs->shared->dead_items_handle = TidStoreGetHandle(dead_items); + pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(pvs->dead_items)); + pvs->shared->dead_items_handle = TidStoreGetHandle(pvs->dead_items); /* Reset the counter */ dead_items_info->num_items = 0; -- cgit v1.2.3