diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2019-08-05 11:20:21 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2019-08-05 11:20:33 -0400 |
| commit | de4b75c1549ac0baf45b4bcb8d49e2fac90ac43a (patch) | |
| tree | 95fe057523c39a473cb1e343c373f1f40bc0869c /contrib/intarray/_intbig_gist.c | |
| parent | 9993fa9dd25d01e99748869b1fb1d6f4dc03960e (diff) | |
| download | postgresql-de4b75c1549ac0baf45b4bcb8d49e2fac90ac43a.tar.gz postgresql-de4b75c1549ac0baf45b4bcb8d49e2fac90ac43a.zip | |
Fix choice of comparison operators for cross-type hashed subplans.
Commit bf6c614a2 rearranged the lookup of the comparison operators
needed in a hashed subplan, and in so doing, broke the cross-type
case: it caused the original LHS-vs-RHS operator to be used to compare
hash table entries too (which of course are all of the RHS type).
This leads to C functions being passed a Datum that is not of the
type they expect, with the usual hazards of crashes and unauthorized
server memory disclosure.
For the set of hashable cross-type operators present in v11 core
Postgres, this bug is nearly harmless on 64-bit machines, which
may explain why it escaped earlier detection. But it is a live
security hazard on 32-bit machines; and of course there may be
extensions that add more hashable cross-type operators, which
would increase the risk.
Reported by Andreas Seltenreich. Back-patch to v11 where the
problem came in.
Security: CVE-2019-10209
Diffstat (limited to 'contrib/intarray/_intbig_gist.c')
0 files changed, 0 insertions, 0 deletions