
[YSQL] load_relcache_init_file should clear yb_table_properties

Open myang2021 opened this issue 9 months ago • 0 comments

Jira Link: DB-11248

Description

typedef struct RelationData
{
    ...
    YbTableProperties yb_table_properties; /* NULL if not loaded */
    ...
} RelationData;

In write_relcache_init_file

        /* first write the relcache entry proper */
        write_item(rel, sizeof(RelationData), fp);

This is going to write the contents of RelationData as raw bytes to the rel cache init file fp.

In load_relcache_init_file, we load the raw bytes back into RelationData:

        /* first read the relation descriptor length */
        nread = fread(&len, 1, sizeof(len), fp);
        if (nread != sizeof(len))
        {
            if (nread == 0)
                break;          /* end of file */
            goto read_failed;
        }

        /* safety check for incompatible relcache layout */
        if (len != sizeof(RelationData))
            goto read_failed;

        /* allocate another relcache header */
        if (num_rels >= max_rels)
        {
            max_rels *= 2;
            rels = (Relation *) repalloc(rels, max_rels * sizeof(Relation));
        }

        rel = rels[num_rels++] = (Relation) palloc(len);

        /* then, read the Relation structure */
        if (fread(rel, 1, len, fp) != len)
            goto read_failed;


The bug here is that yb_table_properties is a pointer: it is a private memory address in the PG backend process that invoked write_relcache_init_file, and it will then be interpreted within the PG backend process that invoked load_relcache_init_file. It is not valid to do that, because it can point to some random bytes meant for other things. In the worst case the same raw pointer may point to an address that is not even mmap'ed into the PG backend process, and accessing it can lead to a SEGV.

Issue Type

kind/bug

Warning: Please confirm that this issue does not contain any sensitive information

  • [X] I confirm this issue does not contain any sensitive information.

myang2021 avatar May 10 '24 00:05 myang2021
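The write/load round trip described in the issue, reduced to a stand-alone C program. This is an added example, not code from the issue, from YugabyteDB or from PostgreSQL: TableProps, RelData, write_rel_raw, load_rel_raw and roundtrip are hypothetical stand-ins for YbTableProperties, RelationData, write_item and the reader loop in load_relcache_init_file, and the sample record is constructed. It writes a struct that contains a pointer as raw bytes, reads it back with the same length and layout checks, and shows that the pointer field comes back holding whatever address the writer had unless the loader resets it to NULL, which is the change the title asks for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for YbTableProperties; only its existence matters. */
typedef struct TableProps {
    int num_tablets;
} TableProps;

/* Hypothetical, cut-down stand-in for RelationData: one scalar, one
 * fixed-size array and one pointer field mirroring yb_table_properties. */
typedef struct RelData {
    uint32_t    rel_id;
    char        rel_name[32];
    TableProps *props;              /* NULL if not loaded; process-private address */
} RelData;

/* Length prefix plus raw struct bytes, as write_item(rel, sizeof(RelationData), fp)
 * does. The pointer field reaches disk as a bare address. 0 on success, -1 on I/O error. */
static int write_rel_raw(const RelData *rel, FILE *fp)
{
    size_t len = sizeof(RelData);

    if (fwrite(&len, 1, sizeof(len), fp) != sizeof(len))
        return -1;
    if (fwrite(rel, 1, len, fp) != len)
        return -1;
    return 0;
}

/* Read one record back with the same checks as load_relcache_init_file.
 * With clear_pointers set, the pointer field is reset to its "not loaded"
 * state instead of carrying the writing process's address. NULL on EOF,
 * short read or layout mismatch. */
static RelData *load_rel_raw(FILE *fp, int clear_pointers)
{
    size_t   len;
    RelData *rel;

    if (fread(&len, 1, sizeof(len), fp) != sizeof(len))
        return NULL;
    if (len != sizeof(RelData))     /* safety check for incompatible layout */
        return NULL;
    rel = malloc(len);
    if (rel == NULL)
        return NULL;
    if (fread(rel, 1, len, fp) != len) {
        free(rel);
        return NULL;
    }
    if (clear_pointers)
        rel->props = NULL;          /* the fix this issue asks for */
    return rel;
}

/* Round-trip a constructed record through a temp file. Returns 1 if the loaded
 * props pointer is NULL, 0 if a stale address came back, -1 on failure.
 * rel_id_out (may be NULL) receives the loaded rel_id. */
static int roundtrip(int clear_pointers, uint32_t *rel_id_out)
{
    TableProps props = { .num_tablets = 3 };   /* constructed sample data */
    RelData    src, *loaded;
    FILE      *fp;
    int        result;

    memset(&src, 0, sizeof(src));              /* no uninitialised padding on disk */
    src.rel_id = 16384;
    strncpy(src.rel_name, "sample_table", sizeof(src.rel_name) - 1);
    src.props = &props;

    fp = tmpfile();
    if (fp == NULL)
        return -1;
    if (write_rel_raw(&src, fp) != 0) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    loaded = load_rel_raw(fp, clear_pointers);
    fclose(fp);
    if (loaded == NULL)
        return -1;
    if (rel_id_out != NULL)
        *rel_id_out = loaded->rel_id;
    /* Inside one process the stale address still happens to be mapped, so this
     * cannot fault; it only shows the address survives the round trip. In a
     * different backend that address is meaningless and may be unmapped. */
    result = (loaded->props == NULL) ? 1 : 0;
    free(loaded);
    return result;
}

int main(void)
{
    uint32_t id = 0;
    int      stale = roundtrip(0, &id);
    int      cleared = roundtrip(1, &id);

    printf("without clearing: props NULL? %d\n", stale);     /* 0 */
    printf("with clearing:    props NULL? %d, rel_id %u\n", cleared, id);
    return 0;
}
```

Only the pointer field is reset; the scalar fields (rel_id, rel_name) are exactly what raw serialization is good for and come back intact, which is why clearing in the loader is the minimal fix rather than changing the on-disk format.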