| From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
|---|---|
| To: | pgpool-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgpool: Fix use-after-free of query context after a backend node shutdo |
| Date: | 2026-06-18 09:38:33 |
| Message-ID: | E1wa9Ch-004tDI-3C@gothos.postgresql.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgpool-committers |
Fix use-after-free of query context after a backend node shutdown.
A POOL_QUERY_CONTEXT is referenced from the session scoped sent
message list (session_context->message_list) and pending message list,
which live in session_context->memory_context and survive for the
whole client session. However pool_init_query_context() allocated the
query context in the global QueryContext memory context.
do_child() resets QueryContext (MemoryContextResetAndDeleteChildren)
at the top of every iteration of its query processing loop. In normal
operation pool_process_query() runs the whole session in a single
iteration, so QueryContext is effectively session lived and this is
harmless. But when pool_process_query() returns POOL_CONTINUE in the
middle of a session, the loop iterates and QueryContext is reset while
the sent/pending message lists still reference query contexts that
were allocated in it. The freed query contexts are later dereferenced
(for example from pool_clear_sent_message_list() in
reset_connection(), or from pool_remove_sent_message() while binding a
reused statement name), causing a use-after-free and a SIGSEGV.
This is reachable when a backend node is shut down by an
administrative command (e.g. "fast" shutdown of PostgreSQL) while a
client session that has named prepared statements is open.
read_packets_and_process() detects the admin shutdown, sets was_error
and returns POOL_CONTINUE (cont = false), so pool_process_query()
returns to do_child() mid session and the next loop iteration frees
the still referenced query contexts.
Fix this by allocating the query context under the session memory
context rather than the per-iteration QueryContext, so its lifetime
matches the session scoped lists that reference it. When there is no
session context (internal queries issued before a session exists) fall
back to QueryContext, preserving the previous behaviour. Query
contexts are still freed explicitly by pool_query_context_destroy(),
and at the latest when the session memory context is destroyed, so
this does not change memory reclamation for the normal
single-iteration case (in which QueryContext was likewise only freed
at session end).
Author: Emond Papegaaij <emond(dot)papegaaij(at)gmail(dot)com>
Reported-by: Claude Code
Reviewed-by: Tatsuo Ishii <ishii(at)postgresql(dot)org>
Discussion: https://www.postgresql.org/message-id/CAGXsc%2BaFfv2_PUrEdCt8TousYP9dPmty3i%2B0mkJpWwVg%3DfVN%2BQ%40mail.gmail.com
Branch
------
V4_6_STABLE
Details
-------
https://git.postgresql.org/gitweb?p=pgpool2.git;a=commitdiff;h=760a166d03dd165bc92ebcbf7be9ded2c320e1b8
Modified Files
--------------
src/context/pool_query_context.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tatsuo Ishii | 2026-06-18 09:38:38 | pgpool: Fix use-after-free of query context after a backend node shutdo |
| Previous Message | Tatsuo Ishii | 2026-06-18 09:38:27 | pgpool: Fix use-after-free of query context after a backend node shutdo |