Noah Misch <n...@leadboat.com> wrote:

> (Kevin, I saw no attachment.)

Apologies.  Trying again.

> The threat is that rounding the read size up to the next MAXALIGN
> would cross into an unreadable memory page, resulting in a
> SIGSEGV.  Every palloc chunk has MAXALIGN'd size under the hood,
> so the excess read of "toDelete" cannot cause a SIGSEGV.  For a
> stack variable, it depends on the ABI.  I'm not aware of an ABI
> where the four bytes past the end of this stack variable could be
> unreadable, which is not to claim I'm well-read on the topic.  We
> should fix this in due course on code hygiene grounds, but I
> would not back-patch it.

If you're sure.  I hadn't worked through the code, but had two
concerns (neither of which was about a SIGSEGV):

(1)  That multiple MAXALIGNs of shorter values could push the
structure into overlap with the next thing on the stack, allowing
one or the other to get stepped on.

(2)  That the CRC calculation might be picking up uninitialized data
which was not actually going to match what was used during
recovery, leading to "end of recovery" on replay.

If you are confident that neither of these is a real risk, I'll
relax about this.

--
Kevin Grittner
EDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
=================================================================
==7232==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fffbcb2e834 at pc 0xef0335 bp 0x7fffbcb29b30 sp 0x7fffbcb29b28
READ of size 1 at 0x7fffbcb2e834 thread T0
    #0 0xef0334 in XLogInsert 
/home/kgrittn/pg/master/src/backend/access/transam/xlog.c:1040
    #1 0xd53792 in doPickSplit 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:1391
    #2 0xd0d9f1 in spgdoinsert 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:2008
    #3 0xcbb4d1 in spginsert 
/home/kgrittn/pg/master/src/backend/access/spgist/spginsert.c:238
    #4 0x46f9de3 in FunctionCall6Coll 
/home/kgrittn/pg/master/src/backend/utils/fmgr/fmgr.c:1436
    #5 0xad43fb in index_insert 
/home/kgrittn/pg/master/src/backend/access/index/indexam.c:223
    #6 0x2122fcd in ExecInsertIndexTuples 
/home/kgrittn/pg/master/src/backend/executor/execUtils.c:1104
    #7 0x228413f in ExecInsert 
/home/kgrittn/pg/master/src/backend/executor/nodeModifyTable.c:274
    #8 0x227fba8 in ExecModifyTable 
/home/kgrittn/pg/master/src/backend/executor/nodeModifyTable.c:1014
    #9 0x2026b03 in ExecProcNode 
/home/kgrittn/pg/master/src/backend/executor/execProcnode.c:377
    #10 0x1fef534 in ExecutePlan 
/home/kgrittn/pg/master/src/backend/executor/execMain.c:1474
    #11 0x1fee488 in standard_ExecutorRun 
/home/kgrittn/pg/master/src/backend/executor/execMain.c:308
    #12 0x1fec7e9 in ExecutorRun 
/home/kgrittn/pg/master/src/backend/executor/execMain.c:256
    #13 0x34f05ab in ProcessQuery 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:185
    #14 0x34e8c3a in PortalRunMulti 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:1279
    #15 0x34e1b9c in PortalRun 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:816
    #16 0x34b6721 in exec_simple_query 
/home/kgrittn/pg/master/src/backend/tcop/postgres.c:1054
    #17 0x34b1420 in PostgresMain 
/home/kgrittn/pg/master/src/backend/tcop/postgres.c:3998
    #18 0x2f1f925 in BackendRun 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:4085
    #19 0x2f1b830 in BackendStartup 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:3774
    #20 0x2efcc96 in ServerLoop 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:1585
    #21 0x2ef13ee in PostmasterMain 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:1240
    #22 0x24dc3c3 in main /home/kgrittn/pg/master/src/backend/main/main.c:196
    #23 0x2b89d526e76c in __libc_start_main 
/build/buildd/eglibc-2.15/csu/libc-start.c:226
    #24 0x4dc3cc in _start ??:?

Address 0x7fffbcb2e834 is located in stack of thread T0 at offset 2644 in frame
    #0 0xd2b5ef in doPickSplit 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:680

  This frame has 57 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 168) ''
    [224, 232) ''
    [288, 296) ''
    [352, 356) ''
    [416, 417) ''
    [480, 481) ''
    [544, 545) 'insertedNew'
    [608, 632) 'in'
    [672, 720) 'out'
    [768, 776) 'procinfo'
    [832, 833) 'includeNew'
    [896, 900) 'i'
    [960, 964) 'max'
    [1024, 1028) 'n'
    [1088, 1096) 'innerTuple'
    [1152, 1160) 'node'
    [1216, 1224) 'nodes'
    [1280, 1284) 'newInnerBuffer'
    [1344, 1348) 'newLeafBuffer'
    [1408, 1416) 'heapPtrs'
    [1472, 1480) 'leafPageSelect'
    [1536, 1544) 'leafSizes'
    [1600, 1608) 'toDelete'
    [1664, 1672) 'toInsert'
    [1728, 1730) 'redirectTuplePos'
    [1792, 1796) 'startOffsets'
    [1856, 1864) 'newLeafs'
    [1920, 1924) 'spaceToDelete'
    [1984, 1988) 'currentFreeSpace'
    [2048, 2052) 'totalLeafSizes'
    [2112, 2113) 'allTheSame'
    [2176, 2496) 'rdata'
    [2528, 2532) 'nRdata'
    [2592, 2644) 'xlrec' <== Memory access at offset 2644 overflows this 
variable
    [2688, 2696) 'leafdata'
    [2752, 2760) 'leafptr'
    [2816, 2840) 'saveCurrent'
    [2880, 2884) 'nToDelete'
    [2944, 2948) 'nToInsert'
    [3008, 3012) 'maxToInclude'
    [3072, 3080) 'it'
    [3136, 3144) 'it1'
    [3200, 3208) 'label'
    [3264, 3265) 'labelisnull'
    [3328, 3336) 'nodePageSelect'
    [3392, 3396) 'curspace'
    [3456, 3460) 'newspace'
    [3520, 3524) 'nodeOfNewTuple'
    [3584, 3592) 'it2'
    [3648, 3652) 'leafBuffer'
    [3712, 3716) 'leafBlock'
    [3776, 3778) 'newoffset'
    [3840, 3848) 'recptr'
    [3904, 3912) 'page'
    [3968, 3976) 'page3'
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x10007795dcb0: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
  0x10007795dcc0: f2 f2 f2 f2 01 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
  0x10007795dcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007795dce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007795dcf0: 00 00 00 00 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
=>0x10007795dd00: 00 00 00 00 00 00[04]f4 f2 f2 f2 f2 00 f4 f4 f4
  0x10007795dd10: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4
  0x10007795dd20: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
  0x10007795dd30: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x10007795dd40: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x10007795dd50: f2 f2 f2 f2 01 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7232==ABORTING



=================================================================
==7492==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fffbcb2a514 at pc 0xef0335 bp 0x7fffbcb25810 sp 0x7fffbcb25808
READ of size 1 at 0x7fffbcb2a514 thread T0
    #0 0xef0334 in XLogInsert 
/home/kgrittn/pg/master/src/backend/access/transam/xlog.c:1040
    #1 0xd53792 in doPickSplit 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:1391
    #2 0xd0d9f1 in spgdoinsert 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:2008
    #3 0xcb9208 in spgistBuildCallback 
/home/kgrittn/pg/master/src/backend/access/spgist/spginsert.c:54
    #4 0x10bfd98 in IndexBuildHeapScan 
/home/kgrittn/pg/master/src/backend/catalog/index.c:2454
    #5 0xcb8492 in spgbuild 
/home/kgrittn/pg/master/src/backend/access/spgist/spginsert.c:140
    #6 0x4704ab6 in OidFunctionCall3Coll 
/home/kgrittn/pg/master/src/backend/utils/fmgr/fmgr.c:1649
    #7 0x10aa65c in index_build 
/home/kgrittn/pg/master/src/backend/catalog/index.c:1963
    #8 0x109327c in index_create 
/home/kgrittn/pg/master/src/backend/catalog/index.c:1082
    #9 0x1bd5dab in DefineIndex 
/home/kgrittn/pg/master/src/backend/commands/indexcmds.c:595
    #10 0x3504ffb in ProcessUtilitySlow 
/home/kgrittn/pg/master/src/backend/tcop/utility.c:1163
    #11 0x34fdde9 in standard_ProcessUtility 
/home/kgrittn/pg/master/src/backend/tcop/utility.c:873
    #12 0x34f69ca in ProcessUtility 
/home/kgrittn/pg/master/src/backend/tcop/utility.c:352
    #13 0x34f2ea1 in PortalRunUtility 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:1187
    #14 0x34e934a in PortalRunMulti 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:1318
    #15 0x34e1b9c in PortalRun 
/home/kgrittn/pg/master/src/backend/tcop/pquery.c:816
    #16 0x34b6721 in exec_simple_query 
/home/kgrittn/pg/master/src/backend/tcop/postgres.c:1054
    #17 0x34b1420 in PostgresMain 
/home/kgrittn/pg/master/src/backend/tcop/postgres.c:3998
    #18 0x2f1f925 in BackendRun 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:4085
    #19 0x2f1b830 in BackendStartup 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:3774
    #20 0x2efcc96 in ServerLoop 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:1585
    #21 0x2ef13ee in PostmasterMain 
/home/kgrittn/pg/master/src/backend/postmaster/postmaster.c:1240
    #22 0x24dc3c3 in main /home/kgrittn/pg/master/src/backend/main/main.c:196
    #23 0x2b89d526e76c in __libc_start_main 
/build/buildd/eglibc-2.15/csu/libc-start.c:226
    #24 0x4dc3cc in _start ??:?

Address 0x7fffbcb2a514 is located in stack of thread T0 at offset 2644 in frame
    #0 0xd2b5ef in doPickSplit 
/home/kgrittn/pg/master/src/backend/access/spgist/spgdoinsert.c:680

  This frame has 57 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 168) ''
    [224, 232) ''
    [288, 296) ''
    [352, 356) ''
    [416, 417) ''
    [480, 481) ''
    [544, 545) 'insertedNew'
    [608, 632) 'in'
    [672, 720) 'out'
    [768, 776) 'procinfo'
    [832, 833) 'includeNew'
    [896, 900) 'i'
    [960, 964) 'max'
    [1024, 1028) 'n'
    [1088, 1096) 'innerTuple'
    [1152, 1160) 'node'
    [1216, 1224) 'nodes'
    [1280, 1284) 'newInnerBuffer'
    [1344, 1348) 'newLeafBuffer'
    [1408, 1416) 'heapPtrs'
    [1472, 1480) 'leafPageSelect'
    [1536, 1544) 'leafSizes'
    [1600, 1608) 'toDelete'
    [1664, 1672) 'toInsert'
    [1728, 1730) 'redirectTuplePos'
    [1792, 1796) 'startOffsets'
    [1856, 1864) 'newLeafs'
    [1920, 1924) 'spaceToDelete'
    [1984, 1988) 'currentFreeSpace'
    [2048, 2052) 'totalLeafSizes'
    [2112, 2113) 'allTheSame'
    [2176, 2496) 'rdata'
    [2528, 2532) 'nRdata'
    [2592, 2644) 'xlrec' <== Memory access at offset 2644 overflows this 
variable
    [2688, 2696) 'leafdata'
    [2752, 2760) 'leafptr'
    [2816, 2840) 'saveCurrent'
    [2880, 2884) 'nToDelete'
    [2944, 2948) 'nToInsert'
    [3008, 3012) 'maxToInclude'
    [3072, 3080) 'it'
    [3136, 3144) 'it1'
    [3200, 3208) 'label'
    [3264, 3265) 'labelisnull'
    [3328, 3336) 'nodePageSelect'
    [3392, 3396) 'curspace'
    [3456, 3460) 'newspace'
    [3520, 3524) 'nodeOfNewTuple'
    [3584, 3592) 'it2'
    [3648, 3652) 'leafBuffer'
    [3712, 3716) 'leafBlock'
    [3776, 3778) 'newoffset'
    [3840, 3848) 'recptr'
    [3904, 3912) 'page'
    [3968, 3976) 'page3'
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x10007795d450: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x10007795d460: 01 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x10007795d470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007795d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007795d490: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
=>0x10007795d4a0: 00 00[04]f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10007795d4b0: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
  0x10007795d4c0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x10007795d4d0: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10007795d4e0: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10007795d4f0: 01 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7492==ABORTING
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
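Added illustration, written for this page and not taken from the thread or from the PostgreSQL sources: the two concerns above in miniature. A 52-byte stand-in for 'xlrec' (the frame listing shows [2592, 2644), i.e. 52 bytes) is checksummed over MAXALIGN(sizeof) bytes, so four bytes past its end are read. The over-read is modelled inside a larger backing buffer so the demo itself has no undefined behaviour, and a separately guarded function performs the real out-of-bounds read so the ASan diagnostic can be reproduced. DemoXlrec, fill_record, the garbage byte patterns and the plain CRC-32 are assumptions made for the example; MAXALIGN is PostgreSQL's definition from c.h instantiated for an 8-byte MAXIMUM_ALIGNOF.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* MAXALIGN as in PostgreSQL's c.h; 8-byte alignment assumed (64-bit host). */
#define MAXIMUM_ALIGNOF 8
#define MAXALIGN(LEN) \
    (((uintptr_t) (LEN) + (MAXIMUM_ALIGNOF - 1)) & ~((uintptr_t) (MAXIMUM_ALIGNOF - 1)))

/*
 * Hypothetical 52-byte record, mirroring only the size of 'xlrec' in the
 * report: thirteen 4-byte fields, no internal padding. Not the real layout.
 */
typedef struct DemoXlrec
{
    uint32_t field[13];
} DemoXlrec;

/*
 * Bitwise CRC-32 (reflected, polynomial 0xEDB88320), a stand-in for the WAL
 * CRC. Any CRC is linear in its input, so the argument is the same for both:
 * change any covered byte and the checksum changes.
 */
static uint32_t
crc32_bytes(const unsigned char *p, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;

    for (size_t i = 0; i < len; i++)
    {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/*
 * Model the over-read without undefined behaviour: the record sits at the
 * start of a MAXALIGN'd backing buffer whose tail is filled with 'garbage',
 * standing in for whatever the adjacent stack slot happened to contain.
 */
static uint32_t
crc_of_record(const DemoXlrec *rec, unsigned char garbage, size_t len)
{
    unsigned char backing[MAXALIGN(sizeof(DemoXlrec))];

    memset(backing, garbage, sizeof backing);
    memcpy(backing, rec, sizeof *rec);
    return crc32_bytes(backing, len);
}

/* Constructed record contents; the values are arbitrary. */
static void
fill_record(DemoXlrec *rec)
{
    for (int i = 0; i < 13; i++)
        rec->field[i] = 0x01010101u * (uint32_t) (i + 1);
}

/* Bytes read past the end of the record when the length is rounded up: 4. */
size_t
demo_overread_bytes(void)
{
    return MAXALIGN(sizeof(DemoXlrec)) - sizeof(DemoXlrec);
}

/* Concern (2): with the rounded-up length the CRC depends on the padding. */
bool
demo_rounded_crc_varies_with_garbage(void)
{
    DemoXlrec rec;

    fill_record(&rec);
    return crc_of_record(&rec, 0x00, MAXALIGN(sizeof rec)) !=
           crc_of_record(&rec, 0xAA, MAXALIGN(sizeof rec));
}

/* With exactly sizeof(rec) bytes covered, the padding is irrelevant. */
bool
demo_exact_crc_ignores_garbage(void)
{
    DemoXlrec rec;

    fill_record(&rec);
    return crc_of_record(&rec, 0x00, sizeof rec) ==
           crc_of_record(&rec, 0xAA, sizeof rec);
}

#ifdef DEMO_TRIGGER_ASAN
/*
 * The real over-read, deliberately undefined behaviour, kept out of the
 * default build. Compile with
 *   cc -g -O0 -fsanitize=address -DDEMO_TRIGGER_ASAN demo.c
 * and call this to get a stack-buffer-overflow "READ of size 1" report
 * 4 bytes past 'rec', the same class of diagnostic shown above.
 */
uint32_t
demo_trigger_asan(void)
{
    DemoXlrec rec;

    fill_record(&rec);
    return crc32_bytes((const unsigned char *) &rec, MAXALIGN(sizeof rec));
}
#endif
```

The two boolean functions are the check a reviewer would want before deciding how serious the report is: demo_rounded_crc_varies_with_garbage() shows that, in this model, two writers producing the identical 52-byte record can emit different checksums depending on neighbouring stack contents, whereas demo_exact_crc_ignores_garbage() shows that passing the exact structure size removes the dependency. What the real WAL reader computes at replay, and therefore whether the mismatch Kevin worries about actually occurs, is not something this model decides; it only shows that rounding the covered length up is what makes the question arise.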