Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rXSU7-00AlrF-9p for pgsql-hackers@arkaria.postgresql.org; Tue, 06 Feb 2024 20:56:03 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rXSU6-006da8-Di for pgsql-hackers@arkaria.postgresql.org; Tue, 06 Feb 2024 20:56:02 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rXSU6-006da0-4e for pgsql-hackers@lists.postgresql.org; Tue, 06 Feb 2024 20:56:02 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rXSU3-005pE3-Tm for pgsql-hackers@lists.postgresql.org; Tue, 06 Feb 2024 20:56:01 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 416KtwCV642085; Tue, 6 Feb 2024 15:55:58 -0500 From: Tom Lane To: Nathan Bossart cc: Mats Kindahl , pgsql-hackers@lists.postgresql.org Subject: Re: glibc qsort() vulnerability In-reply-to: <20240206205305.GB3891538@nathanxps13> References: <508821.1707232276@sss.pgh.pa.us> <20240206205305.GB3891538@nathanxps13> Comments: In-reply-to Nathan Bossart message dated "Tue, 06 Feb 2024 14:53:05 -0600" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <642083.1707252958.1@sss.pgh.pa.us> Date: Tue, 06 Feb 2024 15:55:58 -0500 Message-ID: <642084.1707252958@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Nathan Bossart writes: > Even if the glibc issue doesn't apply to Postgres, I'm tempted to suggest > that we make it project policy that comparison functions must be > transitive. There might be no real issues today, but if we write all > comparison functions the way Mats is suggesting, it should be easier to > reason about overflow risks. A comparison routine that is not is probably broken, agreed. I didn't look through the details of the patch --- I was more curious whether we had a version of the qsort bug, because if we do, we should fix that too. regards, tom lane