granicus.if.org Git - postgresql/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 5 Aug 2019 15:20:21 +0000 (11:20 -0400)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Mon, 5 Aug 2019 15:20:33 +0000 (11:20 -0400)
commit	de4b75c1549ac0baf45b4bcb8d49e2fac90ac43a
tree	95fe057523c39a473cb1e343c373f1f40bc0869c	tree \| snapshot
parent	9993fa9dd25d01e99748869b1fb1d6f4dc03960e	commit \| diff

Fix choice of comparison operators for cross-type hashed subplans.

Commit bf6c614a2 rearranged the lookup of the comparison operators
needed in a hashed subplan, and in so doing, broke the cross-type
case: it caused the original LHS-vs-RHS operator to be used to compare
hash table entries too (which of course are all of the RHS type).
This leads to C functions being passed a Datum that is not of the
type they expect, with the usual hazards of crashes and unauthorized
server memory disclosure.

For the set of hashable cross-type operators present in v11 core
Postgres, this bug is nearly harmless on 64-bit machines, which
may explain why it escaped earlier detection. But it is a live
security hazard on 32-bit machines; and of course there may be
extensions that add more hashable cross-type operators, which
would increase the risk.

Reported by Andreas Seltenreich. Back-patch to v11 where the
problem came in.

Security: CVE-2019-10209

src/backend/executor/nodeSubplan.c		diff \| blob \| history
src/test/regress/expected/subselect.out		diff \| blob \| history
src/test/regress/sql/subselect.sql		diff \| blob \| history