database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-14 08:21:07 +03:00
Code Activity

Prevent a double free by not reentering be_tls_close().

Browse Source 
Reentering this function with the right timing caused a double free,
typically crashing the backend.  By synchronizing a disconnection with
the authentication timeout, an unauthenticated attacker could achieve
this somewhat consistently.  Call be_tls_close() solely from within
proc_exit_prepare().  Back-patch to 9.0 (all supported versions).

Benkocs Norbert Attila

Security: CVE-2015-3165
This commit is contained in:
Noah Misch
2015-05-18 10:02:31 -04:00
parent 8cc7a4c5fd
commit b0ce385032
3 changed files with 28 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/backend/libpq/pqcomm.c
View File

@ -220,32 +220,45 @@ socket_comm_reset(void)
/* --------------------------------
* socket_close - shutdown libpq at backend exit
*
* Note: in a standalone backend MyProcPort will be null,
* don't crash during exit...
* This is the one pg_on_exit_callback in place during BackendInitialize().
* That function's unusual signal handling constrains that this callback be
* safe to run at any instant.
* --------------------------------
*/
static void
socket_close(int code, Datum arg)
{
/* Nothing to do in a standalone backend, where MyProcPort is NULL. */
if (MyProcPort != NULL)
{
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
#ifdef ENABLE_GSS
OM_uint32 min_s;
/* Shutdown GSSAPI layer */
/*
* Shutdown GSSAPI layer. This section does nothing when interrupting
* BackendInitialize(), because pg_GSS_recvauth() makes first use of
* "ctx" and "cred".
*/
if (MyProcPort->gss->ctx != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&min_s, &MyProcPort->gss->ctx, NULL);
if (MyProcPort->gss->cred != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_s, &MyProcPort->gss->cred);
#endif /* ENABLE_GSS */
/* GSS and SSPI share the port->gss struct */
/*
* GSS and SSPI share the port->gss struct. Since nowhere else does a
* postmaster child free this, doing so is safe when interrupting
* BackendInitialize().
*/
free(MyProcPort->gss);
#endif /* ENABLE_GSS || ENABLE_SSPI */
/* Cleanly shut down SSL layer */
/*
* Cleanly shut down SSL layer. Nowhere else does a postmaster child
* call this, so this is safe when interrupting BackendInitialize().
*/
secure_close(MyProcPort);
/*