From 2da7f0258e458bf37df79ca3efcf2bd37b27e667 Mon Sep 17 00:00:00 2001 From: Matthias van de Meent Date: Fri, 11 Mar 2022 16:16:22 +0100 Subject: [PATCH v2] Add protections in xlog record APIs against large numbers and overflows. Before this; it was possible for an extension to create malicious WAL records that were too large to replay; or that would overflow the xl_tot_len field, causing potential corruption in WAL record IO ops. --- src/backend/access/transam/xloginsert.c | 37 +++++++++++++++++++++---- src/include/access/xlogrecord.h | 4 +++ 2 files changed, 35 insertions(+), 6 deletions(-) diff --git a/src/backend/access/transam/xloginsert.c b/src/backend/access/transam/xloginsert.c index c260310c4c..71a649e216 100644 --- a/src/backend/access/transam/xloginsert.c +++ b/src/backend/access/transam/xloginsert.c @@ -338,10 +338,16 @@ XLogRegisterData(char *data, int len) { XLogRecData *rdata; - Assert(begininsert_called); + Assert(begininsert_called && len >= 0 && AllocSizeIsValid(len)); - if (num_rdatas >= max_rdatas) + /* + * Check against max_rdatas; and ensure we don't fill a record with + * more data than can be replayed + */ + if (unlikely(num_rdatas >= max_rdatas || + !AllocSizeIsValid((uint64) mainrdata_len + (uint64) len))) elog(ERROR, "too much WAL data"); + rdata = &rdatas[num_rdatas++]; rdata->data = data; @@ -377,7 +383,7 @@ XLogRegisterBufData(uint8 block_id, char *data, int len) registered_buffer *regbuf; XLogRecData *rdata; - Assert(begininsert_called); + Assert(begininsert_called && len >= 0 && len <= UINT16_MAX); /* find the registered buffer struct */ regbuf = ®istered_buffers[block_id]; @@ -385,8 +391,14 @@ XLogRegisterBufData(uint8 block_id, char *data, int len) elog(ERROR, "no block with id %d registered with WAL insertion", block_id); - if (num_rdatas >= max_rdatas) + /* + * Check against max_rdatas; and ensure we don't register more data per + * buffer than can be handled by the physical record format. + */ + if (unlikely(num_rdatas >= max_rdatas || + regbuf->rdata_len + len > UINT16_MAX)) elog(ERROR, "too much WAL data"); + rdata = &rdatas[num_rdatas++]; rdata->data = data; @@ -505,7 +517,7 @@ XLogRecordAssemble(RmgrId rmid, uint8 info, XLogRecPtr *fpw_lsn, int *num_fpi, bool *topxid_included) { XLogRecData *rdt; - uint32 total_len = 0; + uint64 total_len = 0; int block_id; pg_crc32c rdata_crc; registered_buffer *prev_regbuf = NULL; @@ -734,12 +746,18 @@ XLogRecordAssemble(RmgrId rmid, uint8 info, if (needs_data) { + /* + * When copying to XLogRecordBlockHeader, the length is narrowed + * to an uint16. We double-check that that is still correct. + */ + Assert(regbuf->rdata_len <= UINT16_MAX); + /* * Link the caller-supplied rdata chain for this buffer to the * overall list. */ bkpb.fork_flags |= BKPBLOCK_HAS_DATA; - bkpb.data_length = regbuf->rdata_len; + bkpb.data_length = (uint16) regbuf->rdata_len; total_len += regbuf->rdata_len; rdt_datas_last->next = regbuf->rdata_head; @@ -836,6 +854,13 @@ XLogRecordAssemble(RmgrId rmid, uint8 info, for (rdt = hdr_rdt.next; rdt != NULL; rdt = rdt->next) COMP_CRC32C(rdata_crc, rdt->data, rdt->len); + /* + * Ensure that xlogreader.c can read the record by ensuring that the + * data section of the WAL record can be allocated. + */ + if (unlikely(!AllocSizeIsValid(total_len))) + elog(ERROR, "too much registered data for WAL record"); + /* * Fill in the fields in the record header. Prev-link is filled in later, * once we know where in the WAL the record will be inserted. The CRC does diff --git a/src/include/access/xlogrecord.h b/src/include/access/xlogrecord.h index c1b1137aa7..950e1f22b0 100644 --- a/src/include/access/xlogrecord.h +++ b/src/include/access/xlogrecord.h @@ -37,6 +37,10 @@ * The XLogRecordBlockHeader, XLogRecordDataHeaderShort and * XLogRecordDataHeaderLong structs all begin with a single 'id' byte. It's * used to distinguish between block references, and the main data structs. + * + * Note that xlogreader.c limits the total size of the xl_tot_len to + * MaxAllocSize (1GB - 1). This means that this is also the maximum size + * of a single WAL record - we would be unable to replay any larger record. */ typedef struct XLogRecord { -- 2.30.2