Skip to content

Commit 52635c2

Browse files
michaelpqmichaelpq
committed
Fix tuple printing in error message of tuple routing for partitions
With correctly crafted DDLs, this could lead to disclosure of arbitrary backend memory a user may have no right to access. This impacts only REL_11_STABLE, as the issue has been introduced by 34295b8. On HEAD, add regression tests to cover this issue in the future. Author: Michael Paquier Reviewed-by: Noah Misch Security: CVE-2019-10129
1 parent 98dad4c commit 52635c2

File tree

3 files changed

+26
-4
lines changed

3 files changed

+26
-4
lines changed

src/backend/executor/execPartition.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -329,10 +329,6 @@ ExecFindPartition(ResultRelInfo *resultRelInfo, PartitionDispatch *pd,
329329
}
330330
}
331331

332-
/* Release the tuple in the lowest parent's dedicated slot. */
333-
if (myslot != slot)
334-
ExecClearTuple(myslot);
335-
336332
/* A partition was not found. */
337333
if (result < 0)
338334
{
@@ -348,6 +344,10 @@ ExecFindPartition(ResultRelInfo *resultRelInfo, PartitionDispatch *pd,
348344
val_desc ? errdetail("Partition key of the failing row contains %s.", val_desc) : 0));
349345
}
350346

347+
/* Release the tuple in the lowest parent's dedicated slot. */
348+
if (myslot != slot)
349+
ExecClearTuple(myslot);
350+
351351
MemoryContextSwitchTo(oldcxt);
352352
ecxt->ecxt_scantuple = ecxt_scantuple_old;
353353

src/test/regress/expected/insert.out

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -637,13 +637,22 @@ create table mlparted5 partition of mlparted
637637
for values from (1, 40) to (1, 50) partition by range (c);
638638
create table mlparted5_ab partition of mlparted5
639639
for values from ('a') to ('c') partition by list (c);
640+
-- This partitioned table should remain with no partitions.
641+
create table mlparted5_cd partition of mlparted5
642+
for values from ('c') to ('e') partition by list (c);
640643
create table mlparted5_a partition of mlparted5_ab for values in ('a');
641644
create table mlparted5_b (d int, b int, c text, a int);
642645
alter table mlparted5_ab attach partition mlparted5_b for values in ('b');
643646
truncate mlparted;
644647
insert into mlparted values (1, 2, 'a', 1);
645648
insert into mlparted values (1, 40, 'a', 1); -- goes to mlparted5_a
646649
insert into mlparted values (1, 45, 'b', 1); -- goes to mlparted5_b
650+
insert into mlparted values (1, 45, 'c', 1); -- goes to mlparted5_cd, fails
651+
ERROR: no partition of relation "mlparted5_cd" found for row
652+
DETAIL: Partition key of the failing row contains (c) = (c).
653+
insert into mlparted values (1, 45, 'f', 1); -- goes to mlparted5, fails
654+
ERROR: no partition of relation "mlparted5" found for row
655+
DETAIL: Partition key of the failing row contains (c) = (f).
647656
select tableoid::regclass, * from mlparted order by a, b, c, d;
648657
tableoid | a | b | c | d
649658
-------------+---+----+---+---
@@ -660,6 +669,12 @@ alter table mlparted drop e;
660669
insert into mlparted values (1, 2, 'a', 1);
661670
insert into mlparted values (1, 40, 'a', 1); -- goes to mlparted5_a
662671
insert into mlparted values (1, 45, 'b', 1); -- goes to mlparted5_b
672+
insert into mlparted values (1, 45, 'c', 1); -- goes to mlparted5_cd, fails
673+
ERROR: no partition of relation "mlparted5_cd" found for row
674+
DETAIL: Partition key of the failing row contains (c) = (c).
675+
insert into mlparted values (1, 45, 'f', 1); -- goes to mlparted5, fails
676+
ERROR: no partition of relation "mlparted5" found for row
677+
DETAIL: Partition key of the failing row contains (c) = (f).
663678
select tableoid::regclass, * from mlparted order by a, b, c, d;
664679
tableoid | a | b | c | d
665680
-------------+---+----+---+---

src/test/regress/sql/insert.sql

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -409,13 +409,18 @@ create table mlparted5 partition of mlparted
409409
for values from (1, 40) to (1, 50) partition by range (c);
410410
create table mlparted5_ab partition of mlparted5
411411
for values from ('a') to ('c') partition by list (c);
412+
-- This partitioned table should remain with no partitions.
413+
create table mlparted5_cd partition of mlparted5
414+
for values from ('c') to ('e') partition by list (c);
412415
create table mlparted5_a partition of mlparted5_ab for values in ('a');
413416
create table mlparted5_b (d int, b int, c text, a int);
414417
alter table mlparted5_ab attach partition mlparted5_b for values in ('b');
415418
truncate mlparted;
416419
insert into mlparted values (1, 2, 'a', 1);
417420
insert into mlparted values (1, 40, 'a', 1); -- goes to mlparted5_a
418421
insert into mlparted values (1, 45, 'b', 1); -- goes to mlparted5_b
422+
insert into mlparted values (1, 45, 'c', 1); -- goes to mlparted5_cd, fails
423+
insert into mlparted values (1, 45, 'f', 1); -- goes to mlparted5, fails
419424
select tableoid::regclass, * from mlparted order by a, b, c, d;
420425
alter table mlparted drop d;
421426
truncate mlparted;
@@ -425,6 +430,8 @@ alter table mlparted drop e;
425430
insert into mlparted values (1, 2, 'a', 1);
426431
insert into mlparted values (1, 40, 'a', 1); -- goes to mlparted5_a
427432
insert into mlparted values (1, 45, 'b', 1); -- goes to mlparted5_b
433+
insert into mlparted values (1, 45, 'c', 1); -- goes to mlparted5_cd, fails
434+
insert into mlparted values (1, 45, 'f', 1); -- goes to mlparted5, fails
428435
select tableoid::regclass, * from mlparted order by a, b, c, d;
429436
alter table mlparted drop d;
430437
drop table mlparted5;

0 commit comments

Comments
 (0)