Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qIG7B-0000cY-SV for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jul 2023 22:09:17 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1qIG79-00066Z-Fb for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jul 2023 22:09:15 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qIG79-00066P-3w for pgsql-hackers@lists.postgresql.org; Sat, 08 Jul 2023 22:09:15 +0000 Received: from mail-pf1-x430.google.com ([2607:f8b0:4864:20::430]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qIG72-002mHj-5o for pgsql-hackers@lists.postgresql.org; Sat, 08 Jul 2023 22:09:13 +0000 Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-666ecf9a081so2641793b3a.2 for ; Sat, 08 Jul 2023 15:09:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688854147; x=1691446147; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=DKeZ6z8PRgYyFsBVm20Tbd45I/c4F69W8hzDuaWoEbI=; b=Z7xrLE+IJtqPTYh7+ykDwe/OgmHJEz2HpWMnSQRMSo6Md6h52xqka8OP/AJS+74AAd qEKpp2At+JFI7dh0CMM+/CR2r0g5m53IFuO3me7D/S2S65wQWhR+w3MmhVs4MvSqWM4W 4Oeom0xGBdfXA9987jCRT2QRzzSWXnWLpIzNVA96TOu1EUxDSb5GTFvo5e7RdeOWA89U KbBTQiki2HTK4HDhFOadNdvuBI7xnSTI6IRUZw1OoIJ8T1nqLy58DTHo+FZttYJoEg/I 84BQ5xEeCUNMprtf7RQdPsWWiM2pKmkNFg8fDiGSIca8Fsc4Zk1pu5VxYRHb39CSkQHC uO0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688854147; x=1691446147; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=DKeZ6z8PRgYyFsBVm20Tbd45I/c4F69W8hzDuaWoEbI=; b=IfeOAa5Zg05tfqUTneLrVKlQmIcLTWoYZNZqBf931D3cWxospUl+0/NXi+sQqYk2dl 486Dlf2vI0YqkCREfM6/Ox94DrpMm5icwSnv4QpaNIpGRGoxMTFwzBMGDnD4k0A3xWQb nNv/P7OPZ0xr+9CsgLvkwekhxi2gPtbnzF6W3SM6uuMVAka0I9XTCoBvZWhIN7zndxCL CRTUcPq8hHjmQT1Y9fXaEPuA7MSQPx9HFAjFsMPVCDn54G0FkkuEJVvYBvr5BFuPopLg Cyzr3zTh/huoosQnWPb9DtIocaWjV05QRTypCaLzpWNxphRhMhsZy9aS6+1p9ygtFZ5/ FwbA== X-Gm-Message-State: ABy/qLb8AvJjPTVAepUr7rKX5sNg7ShuTPkDrMyzG/XmHBl3KOQwIBJD 4iQ4e+omTlyCxOWIZQf/DGc= X-Google-Smtp-Source: APBJJlGXKS+ynoW/Tcc2TF0F3Qp4Lmd7CUss30lapprCRVhiPfqzD/PLJt62TwxtHiBYxBrZb6015g== X-Received: by 2002:a05:6a20:8414:b0:130:d8dd:f75e with SMTP id c20-20020a056a20841400b00130d8ddf75emr4039533pzd.27.1688854146730; Sat, 08 Jul 2023 15:09:06 -0700 (PDT) Received: from nathanxps13 ([50.47.162.83]) by smtp.gmail.com with ESMTPSA id l20-20020a62be14000000b00682a8e600f0sm4676086pff.35.2023.07.08.15.09.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 08 Jul 2023 15:09:06 -0700 (PDT) Date: Sat, 8 Jul 2023 15:09:04 -0700 From: Nathan Bossart To: Joseph Koshakow Cc: PostgreSQL Hackers Subject: Re: Preventing non-superusers from altering session authorization Message-ID: <20230708220904.GB4044380@nathanxps13> References: <20230622034818.GA1077640@nathanxps13> <20230623175416.GA1268820@nathanxps13> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Sat, Jul 08, 2023 at 04:44:06PM -0400, Joseph Koshakow wrote: > 2023-07-08 16:33:27.787 EDT [157141] PANIC: ERRORDATA_STACK_SIZE exceeded > 2023-07-08 16:33:27.882 EDT [156878] LOG: server process (PID 157141) was > terminated by signal 6: Aborted > 2023-07-08 16:33:27.882 EDT [156878] DETAIL: Failed process was running: > CREATE TABLE t (); > > I think the issue here is that if a session loses the ability to set > their session authorization in the middle of a transaction, then > rolling back the transaction may fail and cause the server to panic. > That's probably what the deleted comment mean when it said: > >> * It's OK because the check does not require catalog access and can't >> * fail during an end-of-transaction GUC reversion Yeah. IIUC the ERROR longjmps to a block that calls AbortTransaction(), which ERRORs again when resetting the session authorization, which causes us to call AbortTransaction() again, etc., etc. > Interestingly, if the r1 session manually types `ROLLBACK` instead of > executing a command that fails, then everything is fine and there's no > panic. I'm not familiar enough with transaction handling to know why > there would be a difference there. I haven't had a chance to dig into this one yet, but that is indeed interesting. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com