public inbox for [email protected]
help / color / mirror / Atom feedFrom: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Make palloc_array() and friends safe against integer overflow.
Date: Mon, 11 May 2026 12:19:36 +0000
Message-ID: <[email protected]> (raw)
Make palloc_array() and friends safe against integer overflow.
Sufficiently large "count" arguments could result in undetected
overflow, causing the allocated memory chunk to be much smaller
than what the caller will subsequently write into it. This is
unlikely to be a hazard with 64-bit size_t but can sometimes
happen on 32-bit builds, primarily where a function allocates
workspace that's significantly larger than its input data.
Rather than trying to patch the at-risk callers piecemeal,
let's just redefine these macros so that they always check.
To do that, move the longstanding add_size() and mul_size() functions
into palloc.h and mcxt.c, and adjust them to not be specific to
shared-memory allocation. Then invent palloc_mul(), palloc0_mul(),
palloc_mul_extended() to use these functions. Actually, the latter
use inlined copies to save one function call. repalloc_array() gets
similar treatment. I didn't bother trying to inline the calls for
repalloc0_array() though.
In v14 and v15, this also adds repalloc_extended(), which previously
was only available in v16 and up.
We need copies of all this in fe_memutils.[hc] as well, since that
module also provides palloc_array() etc.
Reported-by: Xint Code
Author: Tom Lane <[email protected]>
Reviewed-by: Masahiko Sawada <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6473
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/46593aea0a5ca7ead0876833d99639c9a4bb5a9d
Author: Tom Lane <[email protected]>
Modified Files
--------------
src/backend/storage/ipc/shmem.c | 31 -------
src/backend/utils/mmgr/mcxt.c | 129 +++++++++++++++++++++++++++
src/common/fe_memutils.c | 188 +++++++++++++++++++++++++++++++++++++++
src/include/common/fe_memutils.h | 28 ++++--
src/include/storage/shmem.h | 3 -
src/include/utils/memutils.h | 2 +-
src/include/utils/palloc.h | 22 ++++-
7 files changed, 358 insertions(+), 45 deletions(-)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: pgsql: Make palloc_array() and friends safe against integer overflow.
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox