pageinspect: Add more sanity checks to prevent out-of-bound reads

A couple of code paths use the special area on the page passed by the
function caller, expecting to find some data in it.  However, feeding
an incorrect page can lead to out-of-bound reads when trying to access
the page special area (like a heap page that has no special area,
leading PageGetSpecialPointer() to grab a pointer outside the allocated
page).

The functions used for hash and btree indexes have some protection
already against that, while some other functions using a relation OID
as argument would make sure that the access method involved is correct,
but functions taking in input a raw page without knowing the relation
the page is attached to would run into problems.

This commit improves the set of checks used in the code paths of BRIN,
btree (including one check if a leaf page is found with a non-zero
level), GIN and GiST to verify that the page given in input has a
special area size that fits with each access method, which is done
though PageGetSpecialSize(), becore calling PageGetSpecialPointer().

The scope of the checks done is limited to work with pages that one
would pass after getting a block with get_raw_page(), as it is possible
to craft byteas that could bypass existing code paths.  Having too many
checks would also impact the usability of pageinspect, as the existing
code is very useful to look at the content details in a corrupted page,
so the focus is really to avoid out-of-bound reads as this is never a
good thing even with functions whose execution is limited to
superusers.

The safest approach could be to rework the functions so as these fetch a
block using a relation OID and a block number, but there are also cases
where using a raw page is useful.

Tests are added to cover all the code paths that needed such checks, and
an error message for hash indexes is reworded to fit better with what
this commit adds.

Reported-By: Alexander Lakhin
Author: Julien Rouhaud, Michael Paquier
Discussion: https://postgr.es/m/16527-ef7606186f0610a1@postgresql.org
Discussion: https://postgr.es/m/561e187b-3549-c8d5-03f5-525c14e65bd0@postgrespro.ru
Backpatch-through: 10

Author: michaelpq

contrib/pageinspect/brinfuncs.c

@@ -58,6 +58,15 @@ brin_page_type(PG_FUNCTION_ARGS)
 
 	page = get_page_from_raw(raw_page);
 
+	/* verify the special space has the expected size */
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(BrinSpecialSpace)))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "BRIN"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(BrinSpecialSpace)),
+							   (int) PageGetSpecialSize(page))));
+
 	switch (BrinPageType(page))
 	{
 		case BRIN_PAGETYPE_META:
@@ -86,6 +95,15 @@ verify_brin_page(bytea *raw_page, uint16 type, const char *strtype)
 {
 	Page		page = get_page_from_raw(raw_page);
 
+	/* verify the special space has the expected size */
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(BrinSpecialSpace)))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "BRIN"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(BrinSpecialSpace)),
+							   (int) PageGetSpecialSize(page))));
+
 	/* verify the special space says this page is what we want */
 	if (BrinPageType(page) != type)
 		ereport(ERROR,

contrib/pageinspect/btreefuncs.c

@@ -613,13 +613,27 @@ bt_page_items_bytea(PG_FUNCTION_ARGS)
 
 		uargs->offset = FirstOffsetNumber;
 
+		/* verify the special space has the expected size */
+		if (PageGetSpecialSize(uargs->page) != MAXALIGN(sizeof(BTPageOpaqueData)))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "btree"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(BTPageOpaqueData)),
+							   (int) PageGetSpecialSize(uargs->page))));
+
 		opaque = (BTPageOpaque) PageGetSpecialPointer(uargs->page);
 
 		if (P_ISMETA(opaque))
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("block is a meta page")));
 
+		if (P_ISLEAF(opaque) && opaque->btpo_level != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("block is not a valid btree leaf page")));
+
 		if (P_ISDELETED(opaque))
 			elog(NOTICE, "page is deleted");
 

contrib/pageinspect/expected/brin.out

@@ -52,4 +52,14 @@ SELECT * FROM brin_page_items(get_raw_page('test1_a_idx', 2), 'test1_a_idx')
 CREATE INDEX test1_a_btree ON test1 (a);
 SELECT brin_page_items(get_raw_page('test1_a_btree', 0), 'test1_a_btree');
 ERROR:  "test1_a_btree" is not a BRIN index
+-- Mask DETAIL messages as these are not portable across architectures.
+\set VERBOSITY terse
+-- Invalid special area size
+SELECT brin_page_type(get_raw_page('test1', 0));
+ERROR:  input page is not a valid BRIN page
+SELECT * FROM brin_metapage_info(get_raw_page('test1', 0));
+ERROR:  input page is not a valid BRIN page
+SELECT * FROM brin_revmap_data(get_raw_page('test1', 0));
+ERROR:  input page is not a valid BRIN page
+\set VERBOSITY default
 DROP TABLE test1;

contrib/pageinspect/expected/btree.out

@@ -1,5 +1,5 @@
-CREATE TABLE test1 (a int8, b text);
-INSERT INTO test1 VALUES (72057594037927937, 'text');
+CREATE TABLE test1 (a int8, b int4range);
+INSERT INTO test1 VALUES (72057594037927937, '[0,1)');
 CREATE INDEX test1_a_idx ON test1 USING btree (a);
 \x
 SELECT * FROM bt_metap('test1_a_idx');
@@ -78,11 +78,25 @@ SELECT bt_page_stats('test1_a_hash', 0);
 ERROR:  "test1_a_hash" is not a btree index
 SELECT bt_page_items('test1_a_hash', 0);
 ERROR:  "test1_a_hash" is not a btree index
--- Failure with incorrect page size
+SELECT bt_page_items(get_raw_page('test1_a_hash', 0));
+ERROR:  block is a meta page
+CREATE INDEX test1_b_gist ON test1 USING gist(b);
+-- Special area of GiST is the same as btree, this complains about inconsistent
+-- leaf data on the page.
+SELECT bt_page_items(get_raw_page('test1_b_gist', 0));
+ERROR:  block is not a valid btree leaf page
+-- Several failure modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT bt_page_items('aaa'::bytea);
 ERROR:  invalid page size
+-- invalid special area size
+CREATE INDEX test1_a_brin ON test1 USING brin(a);
+SELECT bt_page_items(get_raw_page('test1', 0));
+ERROR:  input page is not a valid btree page
+SELECT bt_page_items(get_raw_page('test1_a_brin', 0));
+ERROR:  input page is not a valid btree page
 \set VERBOSITY default
 DROP TABLE test1;

contrib/pageinspect/expected/gin.out

@@ -35,15 +35,23 @@ FROM gin_leafpage_items(get_raw_page('test1_y_idx',
 -[ RECORD 1 ]
 ?column? | t
 
-DROP TABLE test1;
--- Failure with incorrect page size
+-- Failure with various modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT gin_leafpage_items('aaa'::bytea);
 ERROR:  invalid page size
 SELECT gin_metapage_info('bbb'::bytea);
 ERROR:  invalid page size
 SELECT gin_page_opaque_info('ccc'::bytea);
 ERROR:  invalid page size
+-- invalid special area size
+SELECT * FROM gin_metapage_info(get_raw_page('test1', 0));
+ERROR:  input page is not a valid GIN metapage
+SELECT * FROM gin_page_opaque_info(get_raw_page('test1', 0));
+ERROR:  input page is not a valid GIN data leaf page
+SELECT * FROM gin_leafpage_items(get_raw_page('test1', 0));
+ERROR:  input page is not a valid GIN data leaf page
 \set VERBOSITY default
+DROP TABLE test1;

contrib/pageinspect/expected/gist.out

@@ -68,15 +68,23 @@ SELECT itemoffset, ctid, itemlen FROM gist_page_items_bytea(get_raw_page('test_g
 CREATE INDEX test_gist_btree on test_gist(t);
 SELECT gist_page_items(get_raw_page('test_gist_btree', 0), 'test_gist_btree');
 ERROR:  "test_gist_btree" is not a GiST index
--- Failure with incorrect page size
+-- Failure with various modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT gist_page_items_bytea('aaa'::bytea);
 ERROR:  invalid page size
 SELECT gist_page_items('aaa'::bytea, 'test_gist_idx'::regclass);
 ERROR:  invalid page size
 SELECT gist_page_opaque_info('aaa'::bytea);
 ERROR:  invalid page size
+-- invalid special area size
+SELECT * FROM gist_page_opaque_info(get_raw_page('test_gist', 0));
+ERROR:  input page is not a valid GiST page
+SELECT gist_page_items_bytea(get_raw_page('test_gist', 0));
+ERROR:  input page is not a valid GiST page
+SELECT gist_page_items_bytea(get_raw_page('test_gist_btree', 0));
+ERROR:  input page is not a valid GiST page
 \set VERBOSITY default
 DROP TABLE test_gist;

contrib/pageinspect/expected/hash.out

@@ -167,10 +167,11 @@ ERROR:  page is not a hash bucket or overflow page
 CREATE INDEX test_hash_a_btree ON test_hash USING btree (a);
 SELECT hash_bitmap_info('test_hash_a_btree', 0);
 ERROR:  "test_hash_a_btree" is not a hash index
--- Failure with incorrect page size
+-- Failure with various modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT hash_metapage_info('aaa'::bytea);
 ERROR:  invalid page size
 SELECT hash_page_items('bbb'::bytea);
@@ -179,5 +180,14 @@ SELECT hash_page_stats('ccc'::bytea);
 ERROR:  invalid page size
 SELECT hash_page_type('ddd'::bytea);
 ERROR:  invalid page size
+-- invalid special area size
+SELECT hash_metapage_info(get_raw_page('test_hash', 0));
+ERROR:  input page is not a valid hash page
+SELECT hash_page_items(get_raw_page('test_hash', 0));
+ERROR:  input page is not a valid hash page
+SELECT hash_page_stats(get_raw_page('test_hash', 0));
+ERROR:  input page is not a valid hash page
+SELECT hash_page_type(get_raw_page('test_hash', 0));
+ERROR:  input page is not a valid hash page
 \set VERBOSITY default
 DROP TABLE test_hash;

contrib/pageinspect/ginfuncs.c

@@ -49,6 +49,14 @@ gin_metapage_info(PG_FUNCTION_ARGS)
 
 	page = get_page_from_raw(raw_page);
 
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(GinPageOpaqueData)))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("input page is not a valid GIN metapage"),
+				 errdetail("Expected special size %d, got %d.",
+						   (int) MAXALIGN(sizeof(GinPageOpaqueData)),
+						   (int) PageGetSpecialSize(page))));
+
 	opaq = (GinPageOpaque) PageGetSpecialPointer(page);
 	if (opaq->flags != GIN_META)
 		ereport(ERROR,
@@ -107,6 +115,14 @@ gin_page_opaque_info(PG_FUNCTION_ARGS)
 
 	page = get_page_from_raw(raw_page);
 
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(GinPageOpaqueData)))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("input page is not a valid GIN data leaf page"),
+				 errdetail("Expected special size %d, got %d.",
+						   (int) MAXALIGN(sizeof(GinPageOpaqueData)),
+						   (int) PageGetSpecialSize(page))));
+
 	opaq = (GinPageOpaque) PageGetSpecialPointer(page);
 
 	/* Build a tuple descriptor for our result type */
@@ -188,9 +204,9 @@ gin_leafpage_items(PG_FUNCTION_ARGS)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("input page is not a valid GIN data leaf page"),
-					 errdetail("Special size %d, expected %d",
-							   (int) PageGetSpecialSize(page),
-							   (int) MAXALIGN(sizeof(GinPageOpaqueData)))));
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(GinPageOpaqueData)),
+							   (int) PageGetSpecialSize(page))));
 
 		opaq = (GinPageOpaque) PageGetSpecialPointer(page);
 		if (opaq->flags != (GIN_DATA | GIN_LEAF | GIN_COMPRESSED))

contrib/pageinspect/gistfuncs.c

@@ -55,7 +55,23 @@ gist_page_opaque_info(PG_FUNCTION_ARGS)
 
 	page = get_page_from_raw(raw_page);
 
+	/* verify the special space has the expected size */
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(GISTPageOpaqueData)))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "GiST"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(GISTPageOpaqueData)),
+							   (int) PageGetSpecialSize(page))));
+
 	opaq = (GISTPageOpaque) PageGetSpecialPointer(page);
+	if (opaq->gist_page_id != GIST_PAGE_ID)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "GiST"),
+					 errdetail("Expected %08x, got %08x.",
+							   GIST_PAGE_ID,
+							   opaq->gist_page_id)));
 
 	/* Build a tuple descriptor for our result type */
 	if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
@@ -101,6 +117,7 @@ gist_page_items_bytea(PG_FUNCTION_ARGS)
 	bytea	   *raw_page = PG_GETARG_BYTEA_P(0);
 	ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
 	Page		page;
+	GISTPageOpaque opaq;
 	OffsetNumber offset;
 	OffsetNumber maxoff = InvalidOffsetNumber;
 
@@ -113,6 +130,24 @@ gist_page_items_bytea(PG_FUNCTION_ARGS)
 
 	page = get_page_from_raw(raw_page);
 
+	/* verify the special space has the expected size */
+	if (PageGetSpecialSize(page) != MAXALIGN(sizeof(GISTPageOpaqueData)))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "GiST"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(GISTPageOpaqueData)),
+							   (int) PageGetSpecialSize(page))));
+
+	opaq = (GISTPageOpaque) PageGetSpecialPointer(page);
+	if (opaq->gist_page_id != GIST_PAGE_ID)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "GiST"),
+					 errdetail("Expected %08x, got %08x.",
+							   GIST_PAGE_ID,
+							   opaq->gist_page_id)));
+
 	/* Avoid bogus PageGetMaxOffsetNumber() call with deleted pages */
 	if (GistPageIsDeleted(page))
 		elog(NOTICE, "page is deleted");

contrib/pageinspect/hashfuncs.c

@@ -66,14 +66,17 @@ verify_hash_page(bytea *raw_page, int flags)
 
 		if (PageGetSpecialSize(page) != MAXALIGN(sizeof(HashPageOpaqueData)))
 			ereport(ERROR,
-					(errcode(ERRCODE_INDEX_CORRUPTED),
-					 errmsg("index table contains corrupted page")));
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("input page is not a valid %s page", "hash"),
+					 errdetail("Expected special size %d, got %d.",
+							   (int) MAXALIGN(sizeof(HashPageOpaqueData)),
+							   (int) PageGetSpecialSize(page))));
 
 		pageopaque = (HashPageOpaque) PageGetSpecialPointer(page);
 		if (pageopaque->hasho_page_id != HASHO_PAGE_ID)
 			ereport(ERROR,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("page is not a hash page"),
+					 errmsg("input page is not a valid %s page", "hash"),
 					 errdetail("Expected %08x, got %08x.",
 							   HASHO_PAGE_ID, pageopaque->hasho_page_id)));
 
@@ -134,7 +137,7 @@ verify_hash_page(bytea *raw_page, int flags)
 			ereport(ERROR,
 					(errcode(ERRCODE_INDEX_CORRUPTED),
 					 errmsg("invalid version for metadata"),
-					 errdetail("Expected %d, got %d",
+					 errdetail("Expected %d, got %d.",
 							   HASH_VERSION, metap->hashm_version)));
 	}
 

contrib/pageinspect/sql/brin.sql

@@ -19,4 +19,12 @@ SELECT * FROM brin_page_items(get_raw_page('test1_a_idx', 2), 'test1_a_idx')
 CREATE INDEX test1_a_btree ON test1 (a);
 SELECT brin_page_items(get_raw_page('test1_a_btree', 0), 'test1_a_btree');
 
+-- Mask DETAIL messages as these are not portable across architectures.
+\set VERBOSITY terse
+-- Invalid special area size
+SELECT brin_page_type(get_raw_page('test1', 0));
+SELECT * FROM brin_metapage_info(get_raw_page('test1', 0));
+SELECT * FROM brin_revmap_data(get_raw_page('test1', 0));
+\set VERBOSITY default
+
 DROP TABLE test1;

contrib/pageinspect/sql/btree.sql

@@ -1,5 +1,5 @@
-CREATE TABLE test1 (a int8, b text);
-INSERT INTO test1 VALUES (72057594037927937, 'text');
+CREATE TABLE test1 (a int8, b int4range);
+INSERT INTO test1 VALUES (72057594037927937, '[0,1)');
 CREATE INDEX test1_a_idx ON test1 USING btree (a);
 
 \x
@@ -26,12 +26,22 @@ CREATE INDEX test1_a_hash ON test1 USING hash(a);
 SELECT bt_metap('test1_a_hash');
 SELECT bt_page_stats('test1_a_hash', 0);
 SELECT bt_page_items('test1_a_hash', 0);
+SELECT bt_page_items(get_raw_page('test1_a_hash', 0));
+CREATE INDEX test1_b_gist ON test1 USING gist(b);
+-- Special area of GiST is the same as btree, this complains about inconsistent
+-- leaf data on the page.
+SELECT bt_page_items(get_raw_page('test1_b_gist', 0));
 
--- Failure with incorrect page size
+-- Several failure modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT bt_page_items('aaa'::bytea);
+-- invalid special area size
+CREATE INDEX test1_a_brin ON test1 USING brin(a);
+SELECT bt_page_items(get_raw_page('test1', 0));
+SELECT bt_page_items(get_raw_page('test1_a_brin', 0));
 \set VERBOSITY default
 
 DROP TABLE test1;

contrib/pageinspect/sql/gin.sql

@@ -18,13 +18,18 @@ FROM gin_leafpage_items(get_raw_page('test1_y_idx',
                         (pg_relation_size('test1_y_idx') /
                          current_setting('block_size')::bigint)::int - 1));
 
-DROP TABLE test1;
-
--- Failure with incorrect page size
+-- Failure with various modes.
 -- Suppress the DETAIL message, to allow the tests to work across various
--- page sizes.
+-- page sizes and architectures.
 \set VERBOSITY terse
+-- invalid page size
 SELECT gin_leafpage_items('aaa'::bytea);
 SELECT gin_metapage_info('bbb'::bytea);
 SELECT gin_page_opaque_info('ccc'::bytea);
+-- invalid special area size
+SELECT * FROM gin_metapage_info(get_raw_page('test1', 0));
+SELECT * FROM gin_page_opaque_info(get_raw_page('test1', 0));
+SELECT * FROM gin_leafpage_items(get_raw_page('test1', 0));
 \set VERBOSITY default
+
+DROP TABLE test1;