Re: glibc qsort() vulnerability - Mailing list pgsql-hackers

From Nathan Bossart
Subject Re: glibc qsort() vulnerability
Date
Msg-id 20240206205305.GB3891538@nathanxps13
Whole thread Raw
In response to Re: glibc qsort() vulnerability  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: glibc qsort() vulnerability
List pgsql-hackers
On Tue, Feb 06, 2024 at 10:11:16AM -0500, Tom Lane wrote:
> Mats Kindahl <mats@timescale.com> writes:
>> There is a bug in glibc's qsort() algorithm that runs the risk of creating
>> an out-of-bounds error if the comparison function is not transitive, for
>> example, if subtraction is used so that it can create an overflow.
> 
> We don't use glibc's qsort.  Have you checked whether there's a
> problem with the code we do use?

Oh, interesting.  I didn't know that!  As of commit 6edd2b4, we've used an
in-tree qsort() for everything.  port.h has the following line:

    #define qsort(a,b,c,d) pg_qsort(a,b,c,d)

I see a handful of callers that use pg_qsort() directly, which IMO is odd.
I would've expected that to be something different if I didn't know about
that macro.  Maybe we should change those to qsort()...

Even if the glibc issue doesn't apply to Postgres, I'm tempted to suggest
that we make it project policy that comparison functions must be
transitive.  There might be no real issues today, but if we write all
comparison functions the way Mats is suggesting, it should be easier to
reason about overflow risks.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



pgsql-hackers by date:

Previous
From: Maiquel Grassi
Date:
Subject: RE: Psql meta-command conninfo+
Next
From: Tom Lane
Date:
Subject: Re: glibc qsort() vulnerability