public inbox for pgsql-bugs@postgresql.org  
From: Noah Misch <noah@leadboat.com>
To: Varik Matevosyan <varikmatevosyan@gmail.com>
Cc: pgsql-bugs@lists.postgresql.org
Subject: Re: [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker
Date: Sat, 16 May 2026 18:40:54 -0700
Message-ID: <20260517014054.c1@rfd.leadboat.com> (raw)
In-Reply-To: <CA+bBoog3cCogktzfLb9bppUByu-10B3CFp8u=iKXG_OvtAguCw@mail.gmail.com>
References: <CA+bBoog3cCogktzfLb9bppUByu-10B3CFp8u=iKXG_OvtAguCw@mail.gmail.com>

On Sun, May 17, 2026 at 02:30:00AM +0400, Varik Matevosyan wrote:
> The attached patch replaces three debug-only Asserts with runtime
> ereport(ERROR, ERRCODE_PROTOCOL_VIOLATION) checks in the logical
> replication apply worker (worker.c). These guard against a mismatch
> between the column count in the RELATION message and the count in a
> subsequent INSERT/UPDATE/DELETE tuple message.
> 
> A publisher can send a RELATION claiming N columns and
> an INSERT claiming M < N columns, causing the subscriber
> to index past the end of the tuple's colvalues[]/colstatus[] arrays.
> 
> I believe this is more of a correctness fix than a security issue as
> the attacker needs replication privileges, and in my testing I was not
> able to trigger a SIGSEGV; the OOB read landed on heap bytes that
> happened to not cause a crash.
> 
> P.S: After a security review from Noah, I'm reporting this as a bug.

Pushed (bf7d19b).  Thank you.
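To make the failure mode in the report concrete, here is an added example in C that models the RELATION-count versus tuple-count mismatch and the runtime rejection a release build needs. It is not PostgreSQL code and not the pushed patch: the types RelMapping and TupleData, the function apply_tuple_checked, the APPLY_* result codes and the sample messages are all simplified, constructed stand-ins, and where exactly the real patch places its ereport() calls inside worker.c is not stated in the thread.

```c
#include <stdio.h>

/*
 * Added example, not PostgreSQL code. The types below are simplified,
 * hypothetical stand-ins for what the apply worker keeps from a RELATION
 * message and what a later INSERT/UPDATE/DELETE tuple message carries.
 */
#define MAX_COLS 8

/* Remembered from the RELATION message. */
typedef struct {
    int natts;               /* N: column count the publisher announced */
    int nlocal;              /* number of local (subscriber-side) attributes */
    int attrmap[MAX_COLS];   /* local attno -> remote column index, -1 if not replicated */
} RelMapping;

/* Carried by a later tuple message. */
typedef struct {
    int ncols;                /* M: column count this tuple actually carries */
    const char *colvalues[MAX_COLS];
    char colstatus[MAX_COLS]; /* 'n' = null, 't' = text value, 'u' = unchanged toast */
} TupleData;

typedef enum { APPLY_OK = 0, APPLY_PROTOCOL_VIOLATION = 1 } ApplyResult;

/*
 * Stand-in for ereport(ERROR, errcode(ERRCODE_PROTOCOL_VIOLATION)).
 * A remote column index that does not fit the tuple is a malformed
 * stream from the publisher, not an invariant that a debug-only Assert
 * may silently skip in a release build.
 */
static ApplyResult
apply_tuple_checked(const RelMapping *rel, const TupleData *tup, const char *out[])
{
    /* Message-level check: the tuple must carry the count RELATION announced. */
    if (tup->ncols != rel->natts)
        return APPLY_PROTOCOL_VIOLATION;

    for (int i = 0; i < rel->nlocal; i++) {
        int remoteattnum = rel->attrmap[i];

        out[i] = NULL;
        if (remoteattnum < 0)
            continue;               /* local column not replicated */

        /* Former Assert(remoteattnum < tup->ncols), now enforced unconditionally
         * before colvalues[]/colstatus[] are indexed. */
        if (remoteattnum >= tup->ncols)
            return APPLY_PROTOCOL_VIOLATION;

        switch (tup->colstatus[remoteattnum]) {
            case 't': out[i] = tup->colvalues[remoteattnum]; break;
            case 'n': out[i] = NULL; break;
            case 'u': out[i] = "<unchanged>"; break;
            default:  return APPLY_PROTOCOL_VIOLATION;   /* unknown status byte */
        }
    }
    return APPLY_OK;
}

/* Constructed scenario: RELATION said 3 columns, the INSERT carries only 2. */
static ApplyResult
scenario_short_insert(void)
{
    RelMapping rel = { .natts = 3, .nlocal = 3, .attrmap = { 0, 1, 2 } };
    TupleData tup = { .ncols = 2, .colvalues = { "1", "alice" }, .colstatus = { 't', 't' } };
    const char *out[MAX_COLS];
    return apply_tuple_checked(&rel, &tup, out);
}

/* Constructed scenario: counts agree, the tuple is applied. */
static ApplyResult
scenario_well_formed(void)
{
    RelMapping rel = { .natts = 3, .nlocal = 3, .attrmap = { 0, 1, 2 } };
    TupleData tup = { .ncols = 3, .colvalues = { "1", "alice", NULL }, .colstatus = { 't', 't', 'n' } };
    const char *out[MAX_COLS];
    return apply_tuple_checked(&rel, &tup, out);
}

int main(void)
{
    printf("short insert: %s\n",
           scenario_short_insert() == APPLY_PROTOCOL_VIOLATION ? "rejected" : "applied");
    printf("well formed:  %s\n",
           scenario_well_formed() == APPLY_OK ? "applied" : "rejected");
    return 0;
}
```

The point of the two checks is that the attribute map is built from N (the RELATION message) while the arrays being indexed are sized from M (the tuple message); any code path that trusts one to bound the other has to verify it at runtime, because an Assert compiles away in production builds and the peer sending the stream is not trusted to be well behaved.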