Skip to content

Commit 49a4508

Browse files
author
Richard Guo
committed
Fix unsafe access to BufferDescriptors
When considering a local buffer, the GetBufferDescriptor() call in BufferGetLSNAtomic() would be retrieving a shared buffer with a bad buffer ID. Since the code checks whether the buffer is shared before using the retrieved BufferDesc, this issue did not lead to any malfunction. Nonetheless this seems like trouble waiting to happen, so fix it by ensuring that GetBufferDescriptor() is only called when we know the buffer is shared. Author: Tender Wang <tndrwang@gmail.com> Reviewed-by: Xuneng Zhou <xunengzhou@gmail.com> Reviewed-by: Richard Guo <guofenglinux@gmail.com> Discussion: https://postgr.es/m/CAHewXNku-o46-9cmUgyv6LkSZ25doDrWq32p=oz9kfD8ovVJMg@mail.gmail.com Backpatch-through: 13
1 parent 727bc6a commit 49a4508

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

src/backend/storage/buffer/bufmgr.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3973,8 +3973,8 @@ BufferIsPermanent(Buffer buffer)
39733973
XLogRecPtr
39743974
BufferGetLSNAtomic(Buffer buffer)
39753975
{
3976-
BufferDesc *bufHdr = GetBufferDescriptor(buffer - 1);
39773976
char *page = BufferGetPage(buffer);
3977+
BufferDesc *bufHdr;
39783978
XLogRecPtr lsn;
39793979
uint32 buf_state;
39803980

@@ -3988,6 +3988,7 @@ BufferGetLSNAtomic(Buffer buffer)
39883988
Assert(BufferIsValid(buffer));
39893989
Assert(BufferIsPinned(buffer));
39903990

3991+
bufHdr = GetBufferDescriptor(buffer - 1);
39913992
buf_state = LockBufHdr(bufHdr);
39923993
lsn = PageGetLSN(page);
39933994
UnlockBufHdr(bufHdr, buf_state);

0 commit comments

Comments
 (0)