| From: | Varik Matevosyan <varikmatevosyan(at)gmail(dot)com> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Cc: | Noah Misch <noah(at)leadboat(dot)com> |
| Subject: | [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker |
| Date: | 2026-05-16 22:30:00 |
| Message-ID: | CA+bBoog3cCogktzfLb9bppUByu-10B3CFp8u=iKXG_OvtAguCw@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The attached patch replaces three debug-only Asserts with runtime
ereport(ERROR, ERRCODE_PROTOCOL_VIOLATION) checks in the logical
replication apply worker (worker.c). These guard against a mismatch
between the column count in the RELATION message and the count in a
subsequent INSERT/UPDATE/DELETE tuple message.
A publisher can send a RELATION claiming N columns and
an INSERT claiming M < N columns, causing the subscriber
to index past the end of the tuple's colvalues[]/colstatus[] arrays.
I believe this is more of a correctness fix than a security issue as
the attacker needs replication privileges, and in my testing I was not
able to trigger a SIGSEGV, the OOB read landed on heap bytes that
happened to not cause a crash.
P.S: After a security review from Noah, I'm reporting this as a bug.
Thanks,
Varik
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Replace-debug-only-Asserts-with-runtime-checks-in-lo.patch | application/octet-stream | 3.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Noah Misch | 2026-05-17 01:40:54 | Re: [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker |
| Previous Message | Alexander Lakhin | 2026-05-16 19:00:00 | Re: BUG #18374: Printing memory contexts on OOM condition might lead to segmentation fault |