| From: | David Rowley <dgrowleyml(at)gmail(dot)com> |
|---|---|
| To: | Bernd Reiß <bd_reiss(at)gmx(dot)at> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Use-after-free in expand_partitioned_rtentry |
| Date: | 2025-08-29 13:02:37 |
| Message-ID: | CAApHDvowszp=_uEm21vsXOZ3b3QttzrJug0iBZCTg0UUvJfMBg@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, 29 Aug 2025 at 23:45, Bernd Reiß <bd_reiss(at)gmx(dot)at> wrote:
> Thanks for the quick response and the review.
Thanks for the report, investigation and patch.
I've pushed and backpatched this to 15. v14 doesn't have the
RelOptInfo.live_parts field, so it didn't suffer from the issue.
Technically, 15 isn't broken either as the bms_del_member() function
in that version wouldn't pfree the set. I decided to patch 15 anyway
to keep the code the same and to avoid assuming it's ok to ignore the
return value of bms_del_member().
> This is admittedly a pretty remote edge case, but still, better safe
> than sorry.
Did you find it through code analysis or from a crash?
It would just have been a matter of time before someone hit this.
David
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paul A Jungwirth | 2025-08-29 13:03:44 | Re: SQL:2011 Application Time Update & Delete |
| Previous Message | Pavel Stehule | 2025-08-29 12:57:21 | Re: Assert single row returning SQL-standard functions |