From 9ed87a78e0377728588e5c8688202195694581aa Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Wed, 16 Feb 2022 12:01:32 +0200 Subject: [PATCH] Fix read beyond buffer bug introduced by the split xlog.c patch. FinishWalRecovery() copied the valid part of the last WAL block into a palloc'd buffer, and the code in StartupXLOG() copied it to the WAL buffer. But the memcpy in StartupXLOG() copied a full 8kB block, not just the valid part, i.e. it copied from beyond the end of the buffer. The invalid part was cleared immediately afterwards, so as long as the memory was allocated and didn't segfault, it didn't do any harm, but it can definitely segfault. Discussion: https://www.postgresql.org/message-id/efc12e32-5af2-3485-5b1d-5af9f707491a@iki.fi --- src/backend/access/transam/xlog.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index eb3c516058..ce78ac413e 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -5454,7 +5454,7 @@ StartupXLOG(void) /* Copy the valid part of the last block, and zero the rest */ page = &XLogCtl->pages[firstIdx * XLOG_BLCKSZ]; - memcpy(page, endOfRecoveryInfo->lastPage, XLOG_BLCKSZ); + memcpy(page, endOfRecoveryInfo->lastPage, len); memset(page + len, 0, XLOG_BLCKSZ - len); XLogCtl->xlblocks[firstIdx] = endOfRecoveryInfo->lastPageBeginPtr + XLOG_BLCKSZ; -- 2.39.5
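Review bot: the one-line change is correct, but the hunk leaves the bound on `len` implicit. With `memcpy(page, endOfRecoveryInfo->lastPage, len);` the copy now stays within the `len` valid bytes that FinishWalRecovery allocated, and the unchanged `memset(page + len, 0, XLOG_BLCKSZ - len);` still zeroes the rest of the block; both lines only behave if `len <= XLOG_BLCKSZ`, and an oversized `len` would make the memset length wrap as an unsigned size and turn the former over-read into an out-of-bounds write. Suggest adding `Assert(len <= XLOG_BLCKSZ);` just before the memcpy, and extending the comment "Copy the valid part of the last block, and zero the rest" to say that `lastPage` holds only `len` bytes rather than a full `XLOG_BLCKSZ` block, so the next reader does not reintroduce the full-block copy.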