pgsql: pg_stat_statements: Fix potential use-after-free of PlannedStmt

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Michael Paquier <[email protected]>
To: [email protected]
Subject: pgsql: pg_stat_statements: Fix potential use-after-free of PlannedStmt
Date: Tue, 12 May 2026 04:45:26 +0000
Message-ID: <[email protected]> (raw)

pg_stat_statements: Fix potential use-after-free of PlannedStmt

pgss_ProcessUtility() included a reference to a portion of a PlannedStmt
after the point where this data's structure could have been freed,
causing an incorrect memory access.  There was a comment documenting
this requirement, missed in 3357471cf9f5.

This commit includes a test able to make valgrind complain with a
PlannedStmt freed by an internal ROLLBACK query.  Similarly to what is
mentioned in 495e73c2079e, this can be triggered by using the extended
query protocol, something that can be now tested thanks to the recent
meta-command additions in psql.  This commit mentions potential other
cases, but as far as I can see the extended protocol case with an
internal ROLLBACK is the only problematic pattern reachable in practice.

Issue introduced by 3357471cf9f5, gone unnoticed due to a lack of test
coverage.  The fix is authored by Chao, my contribution being the new
test.

Author: Chao Li <[email protected]>
Co-authored-by: Michael Paquier <[email protected]>
Discussion: https://postgr.es/m/[email protected]

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/8268e41aca23ae3414360b0a1dc6ae99ea7b43f4

Modified Files
--------------
contrib/pg_stat_statements/expected/plancache.out | 38 +++++++++++++++++++++++
contrib/pg_stat_statements/pg_stat_statements.c   |  3 +-
contrib/pg_stat_statements/sql/plancache.sql      | 19 ++++++++++++
3 files changed, 59 insertions(+), 1 deletion(-)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgsql: pg_stat_statements: Fix potential use-after-free of PlannedStmt
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox