Fix edge-case for xl_tot_len broken by bae868c.

macdice · macdice · commit becfbdd6c1c9 · 2023-09-26T10:53:38.000+13:00
bae868c removed a check that was still needed. If you had an xl_tot_len at the end of a page that was too small for a record header, but not big enough to span onto the next page, we'd immediately perform the CRC check using a bogus large length. Because of arbitrary coding differences between the CRC implementations on different platforms, nothing very bad happened on common modern systems. On systems using the _sb8.c fallback we could segfault. Restore that check, add a new assertion and supply a test for that case. Back-patch to 12, like bae868c. Tested-by: Tom Lane <tgl@sss.pgh.pa.us> Tested-by: Alexander Lakhin <exclusion@gmail.com> Discussion: https://postgr.es/m/CA%2BhUKGLCkTT7zYjzOxuLGahBdQ%3DMcF%3Dz5ZvrjSOnW4EDhVjT-g%40mail.gmail.com
diff --git a/src/backend/access/transam/xlogreader.c b/src/backend/access/transam/xlogreader.c
@@ -653,6 +653,15 @@ XLogDecodeNextRecord(XLogReaderState *state, bool nonblocking)
 	}
 	else
 	{
+		/* There may be no next page if it's too small. */
+		if (total_len < SizeOfXLogRecord)
+		{
+			report_invalid_record(state,
+								  "invalid record length at %X/%X: expected at least %u, got %u",
+								  LSN_FORMAT_ARGS(RecPtr),
+								  (uint32) SizeOfXLogRecord, total_len);
+			goto err;
+		}
 		/* We'll validate the header once we have the next page. */
 		gotheader = false;
 	}
@@ -1190,6 +1199,8 @@ ValidXLogRecord(XLogReaderState *state, XLogRecord *record, XLogRecPtr recptr)
 {
 	pg_crc32c	crc;
 
+	Assert(record->xl_tot_len >= SizeOfXLogRecord);
+
 	/* Calculate the CRC */
 	INIT_CRC32C(crc);
 	COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
diff --git a/src/test/recovery/t/039_end_of_wal.pl b/src/test/recovery/t/039_end_of_wal.pl
@@ -281,6 +281,19 @@ sub advance_to_record_splitting_zone
 		$log_size),
 	"xl_tot_len short");
 
+# xl_tot_len in final position, not big enough to span into a new page but
+# also not eligible for regular record header validation
+emit_message($node, 0);
+$end_lsn = advance_to_record_splitting_zone($node);
+$node->stop('immediate');
+write_wal($node, $TLI, $end_lsn, build_record_header(1));
+$log_size = -s $node->logfile;
+$node->start;
+ok( $node->log_contains(
+		"invalid record length at .*: expected at least 24, got 1", $log_size
+	),
+	"xl_tot_len short at end-of-page");
+
 # Need more pages, but xl_prev check fails first.
 emit_message($node, 0);
 $end_lsn = advance_out_of_record_splitting_zone($node);

Original file line number	Diff line number	Diff line change
`@@ -653,6 +653,15 @@ XLogDecodeNextRecord(XLogReaderState *state, bool nonblocking)`
`653`	`653`	`}`
`654`	`654`	`else`
`655`	`655`	`{`
	`656`	`+ /* There may be no next page if it's too small. */`
	`657`	`+ if (total_len < SizeOfXLogRecord)`
	`658`	`+ {`
	`659`	`+ report_invalid_record(state,`
	`660`	`+ "invalid record length at %X/%X: expected at least %u, got %u",`
	`661`	`+ LSN_FORMAT_ARGS(RecPtr),`
	`662`	`+ (uint32) SizeOfXLogRecord, total_len);`
	`663`	`+ goto err;`
	`664`	`+ }`
`656`	`665`	`/* We'll validate the header once we have the next page. */`
`657`	`666`	`gotheader = false;`
`658`	`667`	`}`
`@@ -1190,6 +1199,8 @@ ValidXLogRecord(XLogReaderState state, XLogRecord record, XLogRecPtr recptr)`
`1190`	`1199`	`{`
`1191`	`1200`	`pg_crc32c crc;`
`1192`	`1201`
	`1202`	`+ Assert(record->xl_tot_len >= SizeOfXLogRecord);`
	`1203`	`+`
`1193`	`1204`	`/* Calculate the CRC */`
`1194`	`1205`	`INIT_CRC32C(crc);`
`1195`	`1206`	`COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);`