From: Varik Matevosyan
Date: Sun, 17 May 2026 02:30:00 +0400
Subject: [PATCH] Replace debug-only Asserts with runtime checks in logical replication apply worker
To: pgsql-bugs@lists.postgresql.org
Cc: Noah Misch

The attached patch replaces three debug-only Asserts with runtime ereport(ERROR, ERRCODE_PROTOCOL_VIOLATION) checks in the logical replication apply worker (worker.c). These guard against a mismatch between the column count in the RELATION message and the count in a subsequent INSERT/UPDATE/DELETE tuple message.

A publisher can send a RELATION claiming N columns and an INSERT claiming M < N columns, causing the subscriber to index past the end of the tuple's colvalues[]/colstatus[] arrays.

I believe this is more of a correctness fix than a security issue, as the attacker needs replication privileges, and in my testing I was not able to trigger a SIGSEGV; the OOB read landed on heap bytes that happened to not cause a crash.

P.S.: After a security review from Noah, I'm reporting this as a bug.
Thanks,
Varik

[Attachment: 0001-Replace-debug-only-Asserts-with-runtime-checks-in-lo.patch]
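As an added illustration (not the attached patch and not PostgreSQL's own code), a simplified model of the apply loop with the runtime bounds check the report describes: the column index comes from the RELATION message's attribute map, the array size from the tuple message, and the check must hold in release builds where Assert() is compiled out. The struct, macro and function names are hypothetical stand-ins for worker.c's types.

```c
#include <stdio.h>

/* Constructed, simplified stand-ins for the tuple message and relation-map
 * entry that worker.c's apply paths walk; names are hypothetical. */
#define LR_COLUMN_UNCHANGED 'u'   /* stand-in for LOGICALREP_COLUMN_UNCHANGED */
#define LR_COLUMN_TEXT      't'

typedef struct {
    int  ncols;          /* column count claimed by the INSERT/UPDATE message */
    char colstatus[8];   /* per-column status; only [0, ncols) is initialised */
} TupleMsg;

typedef struct {
    int natts;           /* local attribute count of the target relation */
    int attrmap[8];      /* local attno -> remote column index, -1 if absent */
} RelEntry;
enum { APPLY_PROTOCOL_VIOLATION = -1 };

/* Hardened apply loop. The bounds check is ordinary code, so it survives a
 * release build, unlike Assert(), which is compiled out without cassert.
 * Returns the number of changed columns, or APPLY_PROTOCOL_VIOLATION. */
int apply_tuple(const RelEntry *rel, const TupleMsg *tup)
{
    int changed = 0;
    for (int i = 0; i < rel->natts; i++) {
        int remoteattnum = rel->attrmap[i];
        if (remoteattnum < 0)
            continue;
        /* Index from RELATION, size from the tuple: both publisher-controlled. */
        if (remoteattnum >= tup->ncols) {
            fprintf(stderr, "protocol violation: column %d not in tuple of %d column(s)\n",
                    remoteattnum + 1, tup->ncols);
            return APPLY_PROTOCOL_VIOLATION;
        }
        if (tup->colstatus[remoteattnum] != LR_COLUMN_UNCHANGED)
            changed++;
    }
    return changed;
}

/* Constructed case from the report: RELATION advertises 3 columns, the
 * following tuple message claims only 2. */
int demo_mismatch(void)
{
    RelEntry rel = { 3, { 0, 1, 2 } };
    TupleMsg tup = { 2, { LR_COLUMN_TEXT, LR_COLUMN_UNCHANGED } };
    return apply_tuple(&rel, &tup);   /* -> APPLY_PROTOCOL_VIOLATION */
}
```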