049e1e2edb
It's unusual to have any resjunk columns in an ON CONFLICT ... UPDATE list, but it can happen when MULTIEXPR_SUBLINK SubPlans are present. If it happens, the ON CONFLICT UPDATE code path would end up storing tuples that include the values of the extra resjunk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the new columns. This had escaped notice through a confluence of missing sanity checks, including * There's no cross-check that a tuple presented to heap_insert or heap_update matches the table rowtype. While it's difficult to check that fully at reasonable cost, we can easily add assertions that there aren't too many columns. * The output-column-assignment cases in execExprInterp.c lacked any sanity checks on the output column numbers, which seems like an oversight considering there are plenty of assertion checks on input column numbers. Add assertions there too. * We failed to apply nodeModifyTable's ExecCheckPlanOutput() to the ON CONFLICT UPDATE tlist. That wouldn't have caught this specific error, since that function is chartered to ignore resjunk columns; but it sure seems like a bad omission now that we've seen this bug. In HEAD, the right way to fix this is to make the processing of ON CONFLICT UPDATE tlists work the same as regular UPDATE tlists now do, that is don't add "SET x = x" entries, and use ExecBuildUpdateProjection to evaluate the tlist and combine it with old values of the not-set columns. This adds a little complication to ExecBuildUpdateProjection, but allows removal of a comparable amount of now-dead code from the planner. In the back branches, the most expedient solution seems to be to (a) use an output slot for the ON CONFLICT UPDATE projection that actually matches the target table, and then (b) invent a variant of ExecBuildProjectionInfo that can be told to not store values resulting from resjunk columns, so it doesn't try to store into nonexistent columns of the output slot. (We can't simply ignore the resjunk columns altogether; they have to be evaluated for MULTIEXPR_SUBLINK to work.) This works back to v10. In 9.6, projections work much differently and we can't cheaply give them such an option. The 9.6 version of this patch works by inserting a JunkFilter when it's necessary to get rid of resjunk columns. In addition, v11 and up have the reverse problem when trying to perform ON CONFLICT UPDATE on a partitioned table. Through a further oversight, adjust_partition_tlist() discarded resjunk columns when re-ordering the ON CONFLICT UPDATE tlist to match a partition. This accidentally prevented the storing-bogus-tuples problem, but at the cost that MULTIEXPR_SUBLINK cases didn't work, typically crashing if more than one row has to be updated. Fix by preserving resjunk columns in that routine. (I failed to resist the temptation to add more assertions there too, and to do some minor code beautification.) Per report from Andres Freund. Back-patch to all supported branches. Security: CVE-2021-32028 |
||
---|---|---|
.. | ||
Makefile | ||
README | ||
bitmapset.c | ||
copyfuncs.c | ||
equalfuncs.c | ||
extensible.c | ||
list.c | ||
makefuncs.c | ||
nodeFuncs.c | ||
nodes.c | ||
outfuncs.c | ||
params.c | ||
print.c | ||
read.c | ||
readfuncs.c | ||
tidbitmap.c | ||
value.c |
README
src/backend/nodes/README Node Structures =============== Andrew Yu (11/94) Introduction ------------ The current node structures are plain old C structures. "Inheritance" is achieved by convention. No additional functions will be generated. Functions that manipulate node structures reside in this directory. FILES IN THIS DIRECTORY (src/backend/nodes/) General-purpose node manipulation functions: copyfuncs.c - copy a node tree equalfuncs.c - compare two node trees outfuncs.c - convert a node tree to text representation readfuncs.c - convert text representation back to a node tree makefuncs.c - creator functions for some common node types nodeFuncs.c - some other general-purpose manipulation functions Specialized manipulation functions: bitmapset.c - Bitmapset support list.c - generic list support params.c - Param support tidbitmap.c - TIDBitmap support value.c - support for Value nodes FILES IN src/include/nodes/ Node definitions: nodes.h - define node tags (NodeTag) primnodes.h - primitive nodes parsenodes.h - parse tree nodes pathnodes.h - path tree nodes and planner internal structures plannodes.h - plan tree nodes execnodes.h - executor nodes memnodes.h - memory nodes pg_list.h - generic list Steps to Add a Node ------------------- Suppose you want to define a node Foo: 1. Add a tag (T_Foo) to the enum NodeTag in nodes.h. (If you insert the tag in a way that moves the numbers associated with existing tags, you'll need to recompile the whole tree after doing this. It doesn't force initdb though, because the numbers never go to disk.) 2. Add the structure definition to the appropriate include/nodes/???.h file. If you intend to inherit from, say a Plan node, put Plan as the first field of your struct definition. 3. If you intend to use copyObject, equal, nodeToString or stringToNode, add an appropriate function to copyfuncs.c, equalfuncs.c, outfuncs.c and readfuncs.c accordingly. (Except for frequently used nodes, don't bother writing a creator function in makefuncs.c) The header comments in those files give general rules for whether you need to add support. 4. Add cases to the functions in nodeFuncs.c as needed. There are many other places you'll probably also need to teach about your new node type. Best bet is to grep for references to one or two similar existing node types to find all the places to touch. Historical Note --------------- Prior to the current simple C structure definitions, the Node structures used a pseudo-inheritance system which automatically generated creator and accessor functions. Since every node inherited from LispValue, the whole thing was a mess. Here's a little anecdote: LispValue definition -- class used to support lisp structures in C. This is here because we did not want to totally rewrite planner and executor code which depended on lisp structures when we ported postgres V1 from lisp to C. -cim 4/23/90