From efeda879b4de167a54b49b143998d958f7473887 Mon Sep 17 00:00:00 2001 From: Julien Tachoires Date: Tue, 2 Dec 2025 10:38:45 +0100 Subject: [PATCH 1/7] Release buffer lock before scan key evaluation heapgettup() hold a buffer lock to examine tuple visibility. When the tuple is visible, the buffer lock can be released before calling HeapKeyTest() in order to avoid abritrary code execution due to scan key evaluation while the buffer lock is held. Holding the buffer pin is enough to access tuple's data. --- src/backend/access/heap/heapam.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/backend/access/heap/heapam.c b/src/backend/access/heap/heapam.c index 4d382a04338..1d9f9efa4fd 100644 --- a/src/backend/access/heap/heapam.c +++ b/src/backend/access/heap/heapam.c @@ -975,13 +975,27 @@ continue_page: if (!visible) continue; + /* + * If tuple visibility is statisfied, then we can release the + * buffer lock before evaluating the scan keys in order to avoid + * abritrary code execution while we hold the lock. + */ + LockBuffer(scan->rs_cbuf, BUFFER_LOCK_UNLOCK); + /* skip any tuples that don't match the scan key */ if (key != NULL && !HeapKeyTest(tuple, RelationGetDescr(scan->rs_base.rs_rd), nkeys, key)) + { + /* + * When the tuple is visible but does not satisfy any scan + * key, then we have to re-acquire the buffer lock to examine + * next tuple's visibility. + */ + LockBuffer(scan->rs_cbuf, BUFFER_LOCK_SHARE); continue; + } - LockBuffer(scan->rs_cbuf, BUFFER_LOCK_UNLOCK); scan->rs_coffset = lineoff; return; } -- 2.39.5