Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wOQV4-001lzj-2b
	for pgsql-bugs@arkaria.postgresql.org;
	Sun, 17 May 2026 01:41:02 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wOQV2-004dVO-35
	for pgsql-bugs@arkaria.postgresql.org;
	Sun, 17 May 2026 01:41:00 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <noah@leadboat.com>)
	id 1wOQV2-004dVG-1U
	for pgsql-bugs@lists.postgresql.org;
	Sun, 17 May 2026 01:41:00 +0000
Received: from mail-dl1-x1229.google.com ([2607:f8b0:4864:20::1229])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <noah@leadboat.com>)
	id 1wOQV0-000000010gj-1pPb
	for pgsql-bugs@lists.postgresql.org;
	Sun, 17 May 2026 01:40:59 +0000
Received: by mail-dl1-x1229.google.com with SMTP id
 a92af1059eb24-134fe980658so1279433c88.1
        for <pgsql-bugs@lists.postgresql.org>;
 Sat, 16 May 2026 18:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=leadboat.com; s=google; t=1778982057; x=1779586857;
 darn=lists.postgresql.org;
        h=user-agent:in-reply-to:content-disposition:mime-version:references
         :message-id:subject:cc:to:from:date:from:to:cc:subject:date
         :message-id:reply-to;
        bh=KKrE+xAYu8s0wAy05HY8aV1Ie3BpFTS9/a5GrorXjYE=;
        b=Y7Tw/+BO2oiukC15QfKpTxCTi7fpOoxQoB3P0ERpHbnZ9pDt83uYKn3M8Q4utWIGBZ
         3zrmRjgZ18N/6VDDMxhUF/KqYnjk9gtzH6j/5fYiTfMvWEcIV1RPjFjS43wgjHazOoNq
         AgoRlKi7gL9Tvof900v8VILvn3YGv7U0364J8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778982057; x=1779586857;
        h=user-agent:in-reply-to:content-disposition:mime-version:references
         :message-id:subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=KKrE+xAYu8s0wAy05HY8aV1Ie3BpFTS9/a5GrorXjYE=;
        b=sNvqrlbg5Of89DjFmnQWTQT1cQLQ76TncOZ4DcxCdokpL+RPLcNm0gx/kuzaiJzl3i
         y3IGf0ckGABXbeGOh9Xo3WfEYForBaV3vnUwYJ+6ex0FBMCMBuiLp4tqhTOoNUCBda//
         aPv3xz0laYqHJzJwrwp24cpiyToFAAoYcyUfbh5egJBXke5pZi5f73uUPqTCJb9ERoST
         fJt4Mgu9D0NzofDIQsNsyx3mDw8qUbhvLpT/PKdsNTfXfc2Lw7inkXpzl9qOCNtz0+Wb
         jkII8GQhQOymIkJF64bxwbb54v6jHRGxqwLAy/80TUom4TSlKJ9g9Yqjccd4Vz84LMRe
         iTPg==
X-Gm-Message-State: AOJu0YyMtV5+Bwyie6gzlv0y3xNNB9nKt+FfmhjcNipajGuOjXtveWcG
	GiX9wYZ7DHz7eVwUQy2hrM/fQ8DSwOXdGvkNb4lFdtXX9kKwBsM5UjCihenahPqKLQ==
X-Gm-Gg: Acq92OEwwg9R3zZ/COXQE4OG6uoJ1F1inoRGXUugvdgjZ6P2Mf5PK1A50qjfchxoOmM
	3UrzKeIICjxkWNTAjWFbA0m2iDm1aPr2ziVjTW+S2AJJMO/0BVbbgRj/SC6LBVDc9xAcFJuh6TW
	cxl1YrjRXD6tDJiByvEC/YB2+x1Md2MbEzHwey1r3+Ud/An1TVESldksvXdN2KRXmMPRXroP/3U
	bYzHvhvErnWb1AjpmJvYjo1Ad1SozOLWoOVrCNh/uhu2FYFOdycy48nF5HT6e70WFvVHhvIJovG
	eLATiZTJwuUtzcjlIcLlI72D1lGJycwFWJc8lWWNtu7pfG9oN1hFI8EY2yFFxB87oLOEWjTeQAV
	+s6dXfNsB+zeysOGUUde1m5gSS0D21FkZvw3DdG2kdiELZ7zcrj2mksKymqXOeYKp3IR6pgfB9y
	bDrRvkT6li/VU4GnyuDqPLIIQgfOCbwMp/kjmpJ/HBjKsEbxDBBjjWYJFBCbU=
X-Received: by 2002:a05:7301:608a:b0:2be:833c:149d with SMTP id
 5a478bee46e88-3039869d771mr4338692eec.28.1778982057290;
        Sat, 16 May 2026 18:40:57 -0700 (PDT)
Received: from rfd.leadboat.com (c-73-15-160-255.hsd1.ca.comcast.net.
 [73.15.160.255])
        by smtp.gmail.com with ESMTPSA id
 5a478bee46e88-30293e2e69esm13421669eec.1.2026.05.16.18.40.56
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 16 May 2026 18:40:56 -0700 (PDT)
Date: Sat, 16 May 2026 18:40:54 -0700
From: Noah Misch <noah@leadboat.com>
To: Varik Matevosyan <varikmatevosyan@gmail.com>
Cc: pgsql-bugs@lists.postgresql.org
Subject: Re: [PATCH] Replace debug-only Asserts with runtime checks in
 logical replication apply worker
Message-ID: <20260517014054.c1@rfd.leadboat.com>
References: 
 <CA+bBoog3cCogktzfLb9bppUByu-10B3CFp8u=iKXG_OvtAguCw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: 
 <CA+bBoog3cCogktzfLb9bppUByu-10B3CFp8u=iKXG_OvtAguCw@mail.gmail.com>
User-Agent: Mutt/2.3.0 (2026-01-25)
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: 
 <https://www.postgresql.org/message-id/20260517014054.c1%40rfd.leadboat.com>
Precedence: bulk

On Sun, May 17, 2026 at 02:30:00AM +0400, Varik Matevosyan wrote:
> The attached patch replaces three debug-only Asserts with runtime
> ereport(ERROR, ERRCODE_PROTOCOL_VIOLATION) checks in the logical
> replication apply worker (worker.c). These guard against a mismatch
> between the column count in the RELATION message and the count in a
> subsequent INSERT/UPDATE/DELETE tuple message.
> 
> A publisher can send a RELATION claiming N columns and
> an INSERT claiming M < N columns, causing the subscriber
> to index past the end of the tuple's colvalues[]/colstatus[] arrays.
> 
> I believe this is more of a correctness fix than a security issue as
> the attacker needs replication privileges, and in my testing I was not
> able to trigger a SIGSEGV, the OOB read landed on heap bytes that
> happened to not cause a crash.
> 
> P.S: After a security review from Noah, I'm reporting this as a bug.

Pushed (bf7d19b).  Thank you.