| From: | Bernd Reiß <bd_reiss(at)gmx(dot)at> |
|---|---|
| To: | David Rowley <dgrowleyml(at)gmail(dot)com> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Use-after-free in expand_partitioned_rtentry |
| Date: | 2025-08-29 13:16:28 |
| Message-ID: | 7ddccfdf-39ca-4fe4-b7a7-64df949784dd@gmx.at |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Glad I could be of help.
I found this through code analysis. I've been working on a custom PG
checker, adapting the Clang Static Checker for my bachelor thesis.
Always nice to see, when academic work has real world benefits :)
Bernd
On 8/29/25 3:02 PM, David Rowley wrote:
> On Fri, 29 Aug 2025 at 23:45, Bernd Reiß <bd_reiss(at)gmx(dot)at> wrote:
>> Thanks for the quick response and the review.
> Thanks for the report, investigation and patch.
>
> I've pushed and backpatched this to 15. v14 doesn't have the
> RelOptInfo.live_parts field, so it didn't suffer from the issue.
> Technically, 15 isn't broken either as the bms_del_member() function
> in that version wouldn't pfree the set. I decided to patch 15 anyway
> to keep the code the same and to avoid assuming it's ok to ignore the
> return value of bms_del_member().
>
>> This is admittedly a pretty remote edge case, but still, better safe
>> than sorry.
> Did you find it through code analysis or from a crash?
>
> It would just have been a matter of time before someone hit this.
>
> David
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sami Imseih | 2025-08-29 13:30:06 | Re: Improve LWLock tranche name visibility across backends |
| Previous Message | Tomas Vondra | 2025-08-29 13:09:57 | Re: Adding skip scan (including MDAM style range skip scan) to nbtree |