| From: | Noah Misch <noah(at)leadboat(dot)com> |
|---|---|
| To: | Varik Matevosyan <varikmatevosyan(at)gmail(dot)com> |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker |
| Date: | 2026-05-17 01:40:54 |
| Message-ID: | 20260517014054.c1@rfd.leadboat.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Sun, May 17, 2026 at 02:30:00AM +0400, Varik Matevosyan wrote:
> The attached patch replaces three debug-only Asserts with runtime
> ereport(ERROR, ERRCODE_PROTOCOL_VIOLATION) checks in the logical
> replication apply worker (worker.c). These guard against a mismatch
> between the column count in the RELATION message and the count in a
> subsequent INSERT/UPDATE/DELETE tuple message.
>
> A publisher can send a RELATION claiming N columns and
> an INSERT claiming M < N columns, causing the subscriber
> to index past the end of the tuple's colvalues[]/colstatus[] arrays.
>
> I believe this is more of a correctness fix than a security issue as
> the attacker needs replication privileges, and in my testing I was not
> able to trigger a SIGSEGV, the OOB read landed on heap bytes that
> happened to not cause a crash.
>
> P.S: After a security review from Noah, I'm reporting this as a bug.
Pushed (bf7d19b). Thank you.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ayush Tiwari | 2026-05-17 14:44:24 | Re: BUG #19482: Recursive QueueFKConstraintValidation() lacks stack depth check |
| Previous Message | Varik Matevosyan | 2026-05-16 22:30:00 | [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker |