Skip to content

Commit 4c6b5dd

Browse files
author
Richard Guo
committed
Fix unsafe access to BufferDescriptors
When considering a local buffer, the GetBufferDescriptor() call in BufferGetLSNAtomic() would be retrieving a shared buffer with a bad buffer ID. Since the code checks whether the buffer is shared before using the retrieved BufferDesc, this issue did not lead to any malfunction. Nonetheless this seems like trouble waiting to happen, so fix it by ensuring that GetBufferDescriptor() is only called when we know the buffer is shared. Author: Tender Wang <tndrwang@gmail.com> Reviewed-by: Xuneng Zhou <xunengzhou@gmail.com> Reviewed-by: Richard Guo <guofenglinux@gmail.com> Discussion: https://postgr.es/m/CAHewXNku-o46-9cmUgyv6LkSZ25doDrWq32p=oz9kfD8ovVJMg@mail.gmail.com Backpatch-through: 13
1 parent 8d07562 commit 4c6b5dd

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

src/backend/storage/buffer/bufmgr.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3550,8 +3550,8 @@ BufferIsPermanent(Buffer buffer)
35503550
XLogRecPtr
35513551
BufferGetLSNAtomic(Buffer buffer)
35523552
{
3553-
BufferDesc *bufHdr = GetBufferDescriptor(buffer - 1);
35543553
char *page = BufferGetPage(buffer);
3554+
BufferDesc *bufHdr;
35553555
XLogRecPtr lsn;
35563556
uint32 buf_state;
35573557

@@ -3565,6 +3565,7 @@ BufferGetLSNAtomic(Buffer buffer)
35653565
Assert(BufferIsValid(buffer));
35663566
Assert(BufferIsPinned(buffer));
35673567

3568+
bufHdr = GetBufferDescriptor(buffer - 1);
35683569
buf_state = LockBufHdr(bufHdr);
35693570
lsn = PageGetLSN(page);
35703571
UnlockBufHdr(bufHdr, buf_state);

0 commit comments

Comments
 (0)