BUG #17280: global-buffer-overflow on select from pg_stat_slru - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #17280: global-buffer-overflow on select from pg_stat_slru
Msg-id 17280-37da556e86032070@postgresql.org
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      17280
Logged by:          Alexander Kozhemyakin
Email address:      a.kozhemyakin@postgrespro.ru
PostgreSQL version: 14.0
Operating system:   Ubuntu 21.04
Description:

The following simple query:
select  * from pg_catalog.pg_stat_slru
leads to the sanitizer-detected error:
==23911==ERROR: AddressSanitizer: global-buffer-overflow on address
0x5582bec7c5e0 at pc 0x5582bbd2c01c bp 0x7fff0b73a470 sp 0x7fff0b73a460
READ of size 64 at 0x5582bec7c5e0 thread T0
    #0 0x5582bbd2c01b in pg_stat_get_slru
/home/postgres/postgres/src/backend/utils/adt/pgstatfuncs.c:1914
    #1 0x5582bb405b83 in ExecMakeTableFunctionResult
/home/postgres/postgres/src/backend/executor/execSRF.c:234
    #2 0x5582bb45dfd5 in FunctionNext
/home/postgres/postgres/src/backend/executor/nodeFunctionscan.c:95
    #3 0x5582bb408a6f in ExecScanFetch
/home/postgres/postgres/src/backend/executor/execScan.c:133
    #4 0x5582bb408cba in ExecScan
/home/postgres/postgres/src/backend/executor/execScan.c:182
    #5 0x5582bb45db99 in ExecFunctionScan
/home/postgres/postgres/src/backend/executor/nodeFunctionscan.c:270
    #6 0x5582bb3fd916 in ExecProcNodeFirst
/home/postgres/postgres/src/backend/executor/execProcnode.c:463
    #7 0x5582bb3ddf35 in ExecProcNode
../../../src/include/executor/executor.h:257
    #8 0x5582bb3ddf35 in ExecutePlan
/home/postgres/postgres/src/backend/executor/execMain.c:1551
    #9 0x5582bb3de54b in standard_ExecutorRun
/home/postgres/postgres/src/backend/executor/execMain.c:361
    #10 0x5582bb3de75a in ExecutorRun
/home/postgres/postgres/src/backend/executor/execMain.c:305
    #11 0x5582bbabc326 in PortalRunSelect
/home/postgres/postgres/src/backend/tcop/pquery.c:921
    #12 0x5582bbac25e3 in PortalRun
/home/postgres/postgres/src/backend/tcop/pquery.c:765
    #13 0x5582bbab6277 in exec_simple_query
/home/postgres/postgres/src/backend/tcop/postgres.c:1214
    #14 0x5582bbabb2e1 in PostgresMain
/home/postgres/postgres/src/backend/tcop/postgres.c:4497
    #15 0x5582bb86dadd in BackendRun
/home/postgres/postgres/src/backend/postmaster/postmaster.c:4584
    #16 0x5582bb876e01 in BackendStartup
/home/postgres/postgres/src/backend/postmaster/postmaster.c:4312
    #17 0x5582bb8775a9 in ServerLoop
/home/postgres/postgres/src/backend/postmaster/postmaster.c:1801
    #18 0x5582bb879d6f in PostmasterMain
/home/postgres/postgres/src/backend/postmaster/postmaster.c:1473
    #19 0x5582bb563465 in main
/home/postgres/postgres/src/backend/main/main.c:198
    #20 0x7fac88170564 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #21 0x5582baba0ded in _start
(/home/postgres/rel_master/bin/postgres+0x1a72ded)

0x5582bec7c5e0 is located 32 bytes to the left of global variable 'walStats'
defined in 'pgstat.c:282:24' (0x5582bec7c600) of size 72
0x5582bec7c5e0 is located 0 bytes to the right of global variable
'slruStats' defined in 'pgstat.c:283:25' (0x5582bec7c3e0) of size 512
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/postgres/postgres/src/backend/utils/adt/pgstatfuncs.c:1914 in
pg_stat_get_slru
Shadow bytes around the buggy address:
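Reading the sanitizer output as array bookkeeping, as an added triage helper that is not part of the report or of PostgreSQL: it parses the "READ of size" line and the "located ... to the right of global variable" line from the report above and expresses the faulting read as an element index, which shows the 64-byte read landing at index 8 of an 8-element (512-byte) array, one element past the end of slruStats. The report lines are embedded rejoined, since the mail client wrapped them.

```python
import re

# ASan lines from the report above, with the mail client's line wraps rejoined
# so each record sits on one line (input constructed for this example).
ASAN_REPORT = """\
==23911==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5582bec7c5e0 at pc 0x5582bbd2c01c bp 0x7fff0b73a470 sp 0x7fff0b73a460
READ of size 64 at 0x5582bec7c5e0 thread T0
    #0 0x5582bbd2c01b in pg_stat_get_slru /home/postgres/postgres/src/backend/utils/adt/pgstatfuncs.c:1914
0x5582bec7c5e0 is located 32 bytes to the left of global variable 'walStats' defined in 'pgstat.c:282:24' (0x5582bec7c600) of size 72
0x5582bec7c5e0 is located 0 bytes to the right of global variable 'slruStats' defined in 'pgstat.c:283:25' (0x5582bec7c3e0) of size 512
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\w+) (\S+)", re.M)
GLOBAL_RE = re.compile(r"is located \d+ bytes to the (left|right) of global "
                       r"variable '(\w+)'.*?\(0x([0-9a-f]+)\) of size (\d+)")


def triage_global_overflow(report):
    acc, frame = ACCESS_RE.search(report), FRAME0_RE.search(report)
    if acc is None or frame is None:
        raise ValueError("not a recognisable ASan access report")
    kind, width, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)

    # ASan lists each neighbouring global; the overflowed one is the global
    # the faulting address lies to the *right* of, i.e. just past its end.
    victim = None
    for side, name, base, size in GLOBAL_RE.findall(report):
        if side == "right":
            victim = (name, int(base, 16), int(size))
    if victim is None:
        raise ValueError("address is not past the end of any global")
    name, base, size = victim

    # Treat the access width as the element size: a read of exactly N bytes at
    # an N-aligned offset is almost always one array element (here one SLRU
    # stats struct), so the numbers below read as array bookkeeping.
    offset = addr - base
    return {
        "kind": kind,
        "function": frame.group(1),
        "location": frame.group(2),
        "global": name,
        "element_size": width,
        "element_count": size // width,    # 512 / 64 -> 8 elements
        "element_index": offset // width,  # 512 / 64 -> index 8, one past the end
        "bytes_past_end": offset + width - size,
    }
```

An index equal to the element count is the signature of an off-by-one loop bound or a missing index check in the function named in frame #0, which is where to look first.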
