| From: | Ayush Tiwari <ayushtiwari(dot)slg01(at)gmail(dot)com> |
|---|---|
| To: | pierre(dot)forstmann(at)gmail(dot)com |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #19476: Segmentation fault in contrib/spi |
| Date: | 2026-05-12 19:27:47 |
| Message-ID: | CAJTYsWWh5qsJcLatT5HD9daTEbCnZUZoqaDPGiT=+EyHkEKJ2A@mail.gmail.com |
| Lists: | pgsql-bugs |
Hi,
On Wed, 13 May 2026 at 00:22, <pierre(dot)forstmann(at)gmail(dot)com> wrote:
> Hello,
>
> You have not used the very last version of refint.c which has been updated
> just yesterday:
>
> commit 1ebda7da9a43d3ae3564d08612de9cb27fbaf482
> Author: Nathan Bossart <nathan(at)postgresql(dot)org>
> Date: Mon May 11 05:13:48 2026 -0700
>
> refint: Fix SQL injection and buffer overruns.
>
> Maliciously crafted key value updates could achieve SQL injection
> within check_foreign_key(). To fix, ensure new key values are
> properly quoted and escaped in the internally generated SQL
> statements. While at it, avoid potential buffer overruns by
> replacing the stack buffers for internally generated SQL statements
> with StringInfo.
>
> Reported-by: Nikolay Samokhvalov <nik(at)postgres(dot)ai>
> Author: Nathan Bossart <nathandbossart(at)gmail(dot)com>
> Reviewed-by: Noah Misch <noah(at)leadboat(dot)com>
> Reviewed-by: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
> Reviewed-by: Fujii Masao <masao(dot)fujii(at)gmail(dot)com>
> Security: CVE-2026-6637
> Backpatch-through: 14
>
>
You're right, thanks for catching this. I sent the v1 patches against
master from the day before; commit 260e97733bf (CVE-2026-6637) landed
in between and I had not noticed it. That commit rewrites the same
cascade-update path to use StringInfo and quote_literal_cstr(), so the
v1 patches do not apply on current master at all.

Importantly, after 260e97733bf the bug is also no longer dependent on
_FORTIFY_SOURCE: the new code calls quote_literal_cstr(nv) directly,
which dereferences nv via strlen() and segfaults on stock builds too.
I reproduced this on plain master built with --enable-cassert.

I have rebased the minimal fix on current master. It is essentially
the same shape as the snippet you suggested -- emit the NULL keyword
directly when SPI_getvalue() returns NULL, otherwise pass through
quote_literal_cstr() as today. Attached as v2-0001.

I dropped my earlier 0002 patch. The CVE fix already addressed the
quoting/escaping concerns that motivated half of it.
Regards,
Ayush
| Attachment | Content-Type | Size |
|---|---|---|
| v2-0001-Fix-refint-cascade-UPDATE-crash-with-NULL-keys.patch | application/octet-stream | 1.8 KB |
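To make the fix shape discussed in the message concrete, here is an added stand-alone C illustration (it is neither the attached patch nor PostgreSQL's own code): a simplified stand-in for quote_literal_cstr() that, like the real one, dereferences its argument unconditionally, beside a SET-fragment builder that emits the NULL keyword when SPI_getvalue() has returned NULL and quotes only real values. The names quote_literal_cstr_sim and cascade_set_fragment are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the backend's quote_literal_cstr(): single
 * quotes around the value, embedded quotes doubled, and the E'' form
 * with doubled backslashes when a backslash is present.  Like the real
 * function it dereferences its argument unconditionally, so a NULL
 * (the SQL NULL case) crashes here in strlen(), which is the failure
 * the thread describes for the post-CVE-fix cascade path. */
static char *quote_literal_cstr_sim(const char *raw)
{
    size_t len = strlen(raw);                     /* NULL -> segfault */
    int has_backslash = strchr(raw, '\\') != NULL;
    char *out = malloc(2 * len + 4), *p = out;

    if (has_backslash)
        *p++ = 'E';
    *p++ = '\'';
    for (const char *c = raw; *c; c++)
    {
        if (*c == '\'' || *c == '\\')
            *p++ = *c;                            /* double it */
        *p++ = *c;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Build the "col = <value>" piece of the generated cascade UPDATE.
 * nv is what SPI_getvalue() returned for the new key column: NULL when
 * the column is SQL NULL.  The fix shape from the thread: emit the NULL
 * keyword directly in that case and only quote real values, so the
 * quoting helper never sees a NULL pointer. */
char *cascade_set_fragment(const char *col, const char *nv)
{
    size_t cap = strlen(col) + 8 + (nv ? 2 * strlen(nv) + 4 : 0);
    char *buf = malloc(cap);

    if (nv == NULL)
        snprintf(buf, cap, "%s = NULL", col);
    else
    {
        char *q = quote_literal_cstr_sim(nv);
        snprintf(buf, cap, "%s = %s", col, q);
        free(q);
    }
    return buf;
}
```

Calling quote_literal_cstr_sim(NULL) directly reproduces the crash; routing every value through cascade_set_fragment() is the guard the v2 patch adds.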