Fix use-after-free in parallel_vacuum_reset_dead_items

parallel_vacuum_reset_dead_items used a local variable to hold a
pointer from the passed vacrel, purely as a shorthand. This pointer
was later freed and a new allocation was made and stored to the
struct. Then the local pointer was mistakenly referenced again.

This apparently happened not to break anything since the freed chunk
would have been put on the context's freelist, so it was accidentally
the same pointer anyway, in which case the DSA handle was correctly
updated. The minimal fix is to change two places so they access
dead_items through the vacrel. This coding style is a maintenance
hazard, so while at it get rid of most other similar usages, which
were inconsistently used anyway.

Analysis and patch by Vallimaharajan G, with further defensive coding
by me

Backpath to v17, when TidStore came in

Discussion: https://postgr.es/m/1936493cc38.68cb2ef27266.7456585136086197135@zohocorp.com

diff --git a/src/backend/access/heap/vacuumlazy.c b/src/backend/access/heap/vacuumlazy.c
index abb47ae596098ea61f28fff5baa34de748a56494..f2d25987120bf447c3f2c1a177b9ad9fe798d2fc 100644 (file)
--- a/src/backend/access/heap/vacuumlazy.c
+++ b/src/backend/access/heap/vacuumlazy.c
@@ -820,8 +820,6 @@ lazy_scan_heap(LVRelState *vacrel)
                                next_fsm_block_to_vacuum = 0;
        bool            all_visible_according_to_vm;
 
-       TidStore   *dead_items = vacrel->dead_items;
-       VacDeadItemsInfo *dead_items_info = vacrel->dead_items_info;
        Buffer          vmbuffer = InvalidBuffer;
        const int       initprog_index[] = {
                PROGRESS_VACUUM_PHASE,
@@ -833,7 +831,7 @@ lazy_scan_heap(LVRelState *vacrel)
        /* Report that we're scanning the heap, advertising total # of blocks */
        initprog_val[0] = PROGRESS_VACUUM_PHASE_SCAN_HEAP;
        initprog_val[1] = rel_pages;
-       initprog_val[2] = dead_items_info->max_bytes;
+       initprog_val[2] = vacrel->dead_items_info->max_bytes;
        pgstat_progress_update_multi_param(3, initprog_index, initprog_val);
 
        /* Initialize for the first heap_vac_scan_next_block() call */
@@ -876,7 +874,7 @@ lazy_scan_heap(LVRelState *vacrel)
                 * dead_items TIDs, pause and do a cycle of vacuuming before we tackle
                 * this page.
                 */
-               if (TidStoreMemoryUsage(dead_items) > dead_items_info->max_bytes)
+               if (TidStoreMemoryUsage(vacrel->dead_items) > vacrel->dead_items_info->max_bytes)
                {
                        /*
                         * Before beginning index vacuuming, we release any pin we may
@@ -1046,7 +1044,7 @@ lazy_scan_heap(LVRelState *vacrel)
         * Do index vacuuming (call each index's ambulkdelete routine), then do
         * related heap vacuuming
         */
-       if (dead_items_info->num_items > 0)
+       if (vacrel->dead_items_info->num_items > 0)
                lazy_vacuum(vacrel);
 
        /*
@@ -2882,19 +2880,18 @@ static void
 dead_items_add(LVRelState *vacrel, BlockNumber blkno, OffsetNumber *offsets,
                           int num_offsets)
 {
-       TidStore   *dead_items = vacrel->dead_items;
        const int       prog_index[2] = {
                PROGRESS_VACUUM_NUM_DEAD_ITEM_IDS,
                PROGRESS_VACUUM_DEAD_TUPLE_BYTES
        };
        int64           prog_val[2];
 
-       TidStoreSetBlockOffsets(dead_items, blkno, offsets, num_offsets);
+       TidStoreSetBlockOffsets(vacrel->dead_items, blkno, offsets, num_offsets);
        vacrel->dead_items_info->num_items += num_offsets;
 
        /* update the progress information */
        prog_val[0] = vacrel->dead_items_info->num_items;
-       prog_val[1] = TidStoreMemoryUsage(dead_items);
+       prog_val[1] = TidStoreMemoryUsage(vacrel->dead_items);
        pgstat_progress_update_multi_param(2, prog_index, prog_val);
 }
 
@@ -2904,8 +2901,6 @@ dead_items_add(LVRelState *vacrel, BlockNumber blkno, OffsetNumber *offsets,
 static void
 dead_items_reset(LVRelState *vacrel)
 {
-       TidStore   *dead_items = vacrel->dead_items;
-
        if (ParallelVacuumIsActive(vacrel))
        {
                parallel_vacuum_reset_dead_items(vacrel->pvs);
@@ -2913,7 +2908,7 @@ dead_items_reset(LVRelState *vacrel)
        }
 
        /* Recreate the tidstore with the same max_bytes limitation */
-       TidStoreDestroy(dead_items);
+       TidStoreDestroy(vacrel->dead_items);
        vacrel->dead_items = TidStoreCreateLocal(vacrel->dead_items_info->max_bytes, true);
 
        /* Reset the counter */

diff --git a/src/backend/commands/vacuumparallel.c b/src/backend/commands/vacuumparallel.c
index f26070bff2a12b3b3809ac798d37e1a403cba027..f02fc8296f1b7d27c9c67d457977a178345ca071 100644 (file)
--- a/src/backend/commands/vacuumparallel.c
+++ b/src/backend/commands/vacuumparallel.c
@@ -472,7 +472,6 @@ parallel_vacuum_get_dead_items(ParallelVacuumState *pvs, VacDeadItemsInfo **dead
 void
 parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs)
 {
-       TidStore   *dead_items = pvs->dead_items;
        VacDeadItemsInfo *dead_items_info = &(pvs->shared->dead_items_info);
 
        /*
@@ -480,13 +479,13 @@ parallel_vacuum_reset_dead_items(ParallelVacuumState *pvs)
         * operating system. Then we recreate the tidstore with the same max_bytes
         * limitation we just used.
         */
-       TidStoreDestroy(dead_items);
+       TidStoreDestroy(pvs->dead_items);
        pvs->dead_items = TidStoreCreateShared(dead_items_info->max_bytes,
                                                                                   LWTRANCHE_PARALLEL_VACUUM_DSA);
 
        /* Update the DSA pointer for dead_items to the new one */
-       pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(dead_items));
-       pvs->shared->dead_items_handle = TidStoreGetHandle(dead_items);
+       pvs->shared->dead_items_dsa_handle = dsa_get_handle(TidStoreGetDSA(pvs->dead_items));
+       pvs->shared->dead_items_handle = TidStoreGetHandle(pvs->dead_items);
 
        /* Reset the counter */
        dead_items_info->num_items = 0;