diff options
| author | Tom Lane | 2019-08-05 15:20:21 +0000 |
|---|---|---|
| committer | Tom Lane | 2019-08-05 15:20:34 +0000 |
| commit | a034418cfc85fffa300d4d44792561c09e76f68b (patch) | |
| tree | 09bff577eb9ca3c4c93f5df200fc113ac3c7ff04 /src/test | |
| parent | 21f94c51f680cefa2ea6b0d94aa8a967a375afc6 (diff) | |
Fix choice of comparison operators for cross-type hashed subplans.
Commit bf6c614a2 rearranged the lookup of the comparison operators
needed in a hashed subplan, and in so doing, broke the cross-type
case: it caused the original LHS-vs-RHS operator to be used to compare
hash table entries too (which of course are all of the RHS type).
This leads to C functions being passed a Datum that is not of the
type they expect, with the usual hazards of crashes and unauthorized
server memory disclosure.
For the set of hashable cross-type operators present in v11 core
Postgres, this bug is nearly harmless on 64-bit machines, which
may explain why it escaped earlier detection. But it is a live
security hazard on 32-bit machines; and of course there may be
extensions that add more hashable cross-type operators, which
would increase the risk.
Reported by Andreas Seltenreich. Back-patch to v11 where the
problem came in.
Security: CVE-2019-10209
Diffstat (limited to 'src/test')
| -rw-r--r-- | src/test/regress/expected/subselect.out | 24 | ||||
| -rw-r--r-- | src/test/regress/sql/subselect.sql | 10 |
2 files changed, 34 insertions, 0 deletions
diff --git a/src/test/regress/expected/subselect.out b/src/test/regress/expected/subselect.out index 588d0695892..a288c6d33b8 100644 --- a/src/test/regress/expected/subselect.out +++ b/src/test/regress/expected/subselect.out @@ -746,6 +746,30 @@ select * from outer_7597 where (f1, f2) not in (select * from inner_7597); (2 rows) -- +-- Another test case for cross-type hashed subplans: comparison of +-- inner-side values must be done with appropriate operator +-- +explain (verbose, costs off) +select 'foo'::text in (select 'bar'::name union all select 'bar'::name); + QUERY PLAN +------------------------------------- + Result + Output: (hashed SubPlan 1) + SubPlan 1 + -> Append + -> Result + Output: 'bar'::name + -> Result + Output: 'bar'::name +(8 rows) + +select 'foo'::text in (select 'bar'::name union all select 'bar'::name); + ?column? +---------- + f +(1 row) + +-- -- Test case for premature memory release during hashing of subplan output -- select '1'::text in (select '1'::name union all select '1'::name); diff --git a/src/test/regress/sql/subselect.sql b/src/test/regress/sql/subselect.sql index 843f511b3dc..eafd927e828 100644 --- a/src/test/regress/sql/subselect.sql +++ b/src/test/regress/sql/subselect.sql @@ -436,6 +436,16 @@ insert into inner_7597 values(0, null); select * from outer_7597 where (f1, f2) not in (select * from inner_7597); -- +-- Another test case for cross-type hashed subplans: comparison of +-- inner-side values must be done with appropriate operator +-- + +explain (verbose, costs off) +select 'foo'::text in (select 'bar'::name union all select 'bar'::name); + +select 'foo'::text in (select 'bar'::name union all select 'bar'::name); + +-- -- Test case for premature memory release during hashing of subplan output -- |