Commit a38a7ad

author
Richard Guo
committed
Fix unsafe access to BufferDescriptors
When considering a local buffer, the GetBufferDescriptor() call in BufferGetLSNAtomic() would be retrieving a shared buffer with a bad buffer ID. Since the code checks whether the buffer is shared before using the retrieved BufferDesc, this issue did not lead to any malfunction. Nonetheless this seems like trouble waiting to happen, so fix it by ensuring that GetBufferDescriptor() is only called when we know the buffer is shared.

Author: Tender Wang <tndrwang@gmail.com>
Reviewed-by: Xuneng Zhou <xunengzhou@gmail.com>
Reviewed-by: Richard Guo <guofenglinux@gmail.com>
Discussion: https://postgr.es/m/CAHewXNku-o46-9cmUgyv6LkSZ25doDrWq32p=oz9kfD8ovVJMg@mail.gmail.com
Backpatch-through: 13
1 parent e9c95c6 commit a38a7ad

1 file changed

+2
-1
lines changed

src/backend/storage/buffer/bufmgr.c

Lines changed: 2 additions & 1 deletion
@@ -2897,8 +2897,8 @@ BufferIsPermanent(Buffer buffer)
28972897
XLogRecPtr
28982898
BufferGetLSNAtomic(Buffer buffer)
28992899
{
2900-
BufferDesc *bufHdr = GetBufferDescriptor(buffer - 1);
29012900
char *page = BufferGetPage(buffer);
2901+
BufferDesc *bufHdr;
29022902
XLogRecPtr lsn;
29032903
uint32 buf_state;
29042904
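Review bot: `BufferDesc *bufHdr;` is now declared without an initializer and has also moved below `char *page = BufferGetPage(buffer);`, so the pointer is indeterminate from here until the assignment at new line 2915. The move is not needed for the fix: dropping only the initializer and leaving the declaration in its original position would keep this hunk to a one-line change, which is easier to carry across the back-branches named in Backpatch-through. Any code added later between the declarations and line 2915 must not touch `bufHdr`, and nothing in these lines signals that.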

@@ -2912,6 +2912,7 @@ BufferGetLSNAtomic(Buffer buffer)
29122912
Assert(BufferIsValid(buffer));
29132913
Assert(BufferIsPinned(buffer));
29142914

2915+
bufHdr = GetBufferDescriptor(buffer - 1);
29152916
buf_state = LockBufHdr(bufHdr);
29162917
lsn = PageGetLSN(page);
29172918
UnlockBufHdr(bufHdr, buf_state);
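Review bot: The new `bufHdr = GetBufferDescriptor(buffer - 1);` at line 2915 carries no comment explaining why the lookup is deferred to this point, and the two asserts above it, `Assert(BufferIsValid(buffer));` and `Assert(BufferIsPinned(buffer));`, do not state that the buffer is shared. The shared-buffer check the commit message relies on is outside the visible lines, so a later cleanup could fold this assignment back into the declaration without noticing the ordering requirement. A one-line comment above the assignment would document it, and an `Assert(!BufferIsLocal(buffer));` beside the existing asserts would make the precondition for indexing with `buffer - 1` explicit in assert-enabled builds.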
