| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> | 
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org | 
| Subject: | pgsql: Fix choice of comparison operators for cross-type hashed subplan | 
| Date: | 2019-08-05 15:20:57 | 
| Message-ID: | [email protected] | 
| Lists: | pgsql-committers | 

Fix choice of comparison operators for cross-type hashed subplans.

Commit bf6c614a2 rearranged the lookup of the comparison operators
needed in a hashed subplan, and in so doing, broke the cross-type
case: it caused the original LHS-vs-RHS operator to be used to compare
hash table entries too (which of course are all of the RHS type).
This leads to C functions being passed a Datum that is not of the
type they expect, with the usual hazards of crashes and unauthorized
server memory disclosure.

For the set of hashable cross-type operators present in v11 core
Postgres, this bug is nearly harmless on 64-bit machines, which
may explain why it escaped earlier detection.  But it is a live
security hazard on 32-bit machines; and of course there may be
extensions that add more hashable cross-type operators, which
would increase the risk.

Reported by Andreas Seltenreich.  Back-patch to v11 where the
problem came in.

Security: CVE-2019-10209

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/4766dce0dd1a1a26db253dfc81773a2c55cd2555

Modified Files
--------------
src/backend/executor/nodeSubplan.c      | 15 ++++++++++-----
src/test/regress/expected/subselect.out | 24 ++++++++++++++++++++++++
src/test/regress/sql/subselect.sql      | 10 ++++++++++
3 files changed, 44 insertions(+), 5 deletions(-)