Re: Potential use-after-free in partion related code

On 2023-Nov-15, Andres Freund wrote:

>     partConstraint = list_concat(partBoundConstraint,
>                                  RelationGetPartitionQual(rel));
> 
> At this point partBoundConstraint may not be used anymore, because
> list_concat() might have reallocated.
> 
> But then a few lines later:
> 
>         /* we already hold a lock on the default partition */
>         defaultrel = table_open(defaultPartOid, NoLock);
>         defPartConstraint =
>             get_proposed_default_constraint(partBoundConstraint);
> 
> We use partBoundConstraint again.

Yeah, this is wrong if partBoundConstraint is reallocated by
list_concat.  One possible fix is to change list_concat to
list_concat_copy(), which leaves the original list unmodified.

AFAICT the bug came in with 6f6b99d1335b, which added default
partitions.

-- 
Álvaro Herrera        Breisgau, Deutschland  —  https://www.EnterpriseDB.com/
"Now I have my system running, not a byte was off the shelf;
It rarely breaks and when it does I fix the code myself.
It's stable, clean and elegant, and lightning fast as well,
And it doesn't cost a nickel, so Bill Gates can go to hell."