Re: Use-after-free in expand_partitioned_rtentry
From | Bernd Reiß |
---|---|
Subject | Re: Use-after-free in expand_partitioned_rtentry |
Date | |
Msg-id | 7ddccfdf-39ca-4fe4-b7a7-64df949784dd@gmx.at |
In response to | Re: Use-after-free in expand_partitioned_rtentry (David Rowley <dgrowleyml@gmail.com>) |
List | pgsql-hackers |
Glad I could be of help. I found this through code analysis. I've been
working on a custom PG checker, adapting the Clang Static Checker for my
bachelor thesis. Always nice to see, when academic work has real world
benefits :)

Bernd

On 8/29/25 3:02 PM, David Rowley wrote:
> On Fri, 29 Aug 2025 at 23:45, Bernd Reiß <bd_reiss@gmx.at> wrote:
>> Thanks for the quick response and the review.
> Thanks for the report, investigation and patch.
>
> I've pushed and backpatched this to 15. v14 doesn't have the
> RelOptInfo.live_parts field, so it didn't suffer from the issue.
> Technically, 15 isn't broken either as the bms_del_member() function
> in that version wouldn't pfree the set. I decided to patch 15 anyway
> to keep the code the same and to avoid assuming it's ok to ignore the
> return value of bms_del_member().
>
>> This is admittedly a pretty remote edge case, but still, better safe
>> than sorry.
> Did you find it through code analysis or from a crash?
>
> It would just have been a matter of time before someone hit this.
>
> David
>
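The hazard discussed in this thread, ignoring the return value of a delete-member call that may free the set, shown as an added example in C; it is not code from the thread or from PostgreSQL. `ToySet`, `ToyRel`, `toy_add_member`, `toy_del_member` and both `prune_*` functions are hypothetical stand-ins that only model a set which is freed once its last member is removed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for a bitmapset (hypothetical, NOT PostgreSQL's Bitmapset). */
typedef struct ToySet { uint64_t bits; } ToySet;
/* Toy stand-in for a struct holding a live_parts set (hypothetical). */
typedef struct ToyRel { ToySet *live_parts; } ToyRel;

static int live_allocs = 0;            /* sets allocated and not yet freed */

static ToySet *toy_add_member(ToySet *s, int x)
{
    if (s == NULL) {
        s = calloc(1, sizeof(*s));
        if (s == NULL)
            abort();
        live_allocs++;
    }
    s->bits |= UINT64_C(1) << x;
    return s;
}

/* Modelled behaviour: removing the last member frees the set and returns NULL. */
static ToySet *toy_del_member(ToySet *s, int x)
{
    if (s == NULL)
        return NULL;
    s->bits &= ~(UINT64_C(1) << x);
    if (s->bits == 0) {
        free(s);
        live_allocs--;
        return NULL;
    }
    return s;
}

/* Buggy pattern: result dropped. Returns 1 if the field was left dangling. */
static int prune_ignoring_result(ToyRel *rel, int part)
{
    int before = live_allocs;
    toy_del_member(rel->live_parts, part);   /* return value ignored */
    int dangling = live_allocs < before;     /* set freed, field not updated */
    if (dangling)
        rel->live_parts = NULL;              /* demo only: neutralise the stale pointer */
    return dangling;
}

/* Fixed pattern: always store the result back into the field. */
static int prune_storing_result(ToyRel *rel, int part)
{
    int before = live_allocs;
    rel->live_parts = toy_del_member(rel->live_parts, part);
    return live_allocs < before && rel->live_parts != NULL;   /* never true */
}
```
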