Fix out-of-bounds access in autoprewarm worker

The read stream callback apw_read_stream_next_block() advances p->pos
through the block_info array. When processing the last block, it
increments p->pos to prewarm_stop_idx before returning. The callback
itself is safe because it checks bounds before accessing the array.

However, the caller assigned blk from block_info[i] at the end of the
loop body, before the loop condition was re-evaluated. When i equaled
prewarm_stop_idx, this accessed memory beyond the allocated DSM segment,
causing a segfault.

Restructure the loop to check bounds at the top and assign blk at the
beginning of the loop body, where it is always safe. This avoids the
need for an explicit bounds check at the end.

Backpatch to 18, where the bug was introduced by commit 6acab8bdbcda.

Author: Matheus Alcantara <mths.dev@pm.me>
Reported-by: Glauber Batista <glauberrbatista@gmail.com>
Reviewed-by: Melanie Plageman <melanieplageman@gmail.com>
Reviewed-by: Tomas Vondra <tomas@vondra.me>
Backpatch-through: 18
Discussion: https://www.postgresql.org/message-id/CAO%2B_mTQgQyTYwDh%3DU8iTnsDmOGyWsZJjUV31SmEYwmw6_xY6Bw%40mail.gmail.com

diff --git a/contrib/pg_prewarm/autoprewarm.c b/contrib/pg_prewarm/autoprewarm.c
index ba0bc8e6d4aca492e900c2c1dd8e93461c86674d..deb4c2671b5d8b8f35cb08111e1907b6fe0d0776 100644 (file)
--- a/contrib/pg_prewarm/autoprewarm.c
+++ b/contrib/pg_prewarm/autoprewarm.c
@@ -572,16 +572,23 @@ autoprewarm_database_main(Datum main_arg)
                 * valid forks or run out of options, we'll close the relation and
                 * move on.
                 */
-               while (i < apw_state->prewarm_stop_idx &&
-                          blk.tablespace == tablespace &&
-                          blk.filenumber == filenumber)
+               while (i < apw_state->prewarm_stop_idx)
                {
-                       ForkNumber      forknum = blk.forknum;
+                       ForkNumber      forknum;
                        BlockNumber nblocks;
                        struct AutoPrewarmReadStreamData p;
                        ReadStream *stream;
                        Buffer          buf;
 
+                       blk = block_info[i];
+
+                       /* Stop when we reach a different relation. */
+                       if (blk.tablespace != tablespace ||
+                               blk.filenumber != filenumber)
+                               break;
+
+                       forknum = blk.forknum;
+
                        /*
                         * smgrexists is not safe for illegal forknum, hence check whether
                         * the passed forknum is valid before using it in smgrexists.
@@ -643,9 +650,12 @@ autoprewarm_database_main(Datum main_arg)
 
                        read_stream_end(stream);
 
-                       /* Advance i past all the blocks just prewarmed. */
+                       /*
+                        * Advance i past all the blocks just prewarmed. Note that the
+                        * callback might have advanced the index beyond the last valid
+                        * block, so don't access block_info[i] yet.
+                        */
                        i = p.pos;
-                       blk = block_info[i];
                }
 
                relation_close(rel, AccessShareLock);