From: Ayush Tiwari
Date: Wed, 13 May 2026 00:57:47 +0530
Subject: Re: BUG #19476: Segmentation fault in contrib/spi
To: pierre.forstmann@gmail.com
Cc: pgsql-bugs@lists.postgresql.org
In-Reply-To: <1357efa6-dddb-4e60-ba6f-e88d03a4e010@gmail.com>
References: <19476-bd04ea6241345303@postgresql.org> <1357efa6-dddb-4e60-ba6f-e88d03a4e010@gmail.com>

Hi,

On Wed, 13 May 2026 at 00:22, <pierre.forstmann@gmail.com> wrote:
> Hello,
>
> You have not used the very last version of refint.c which has been updated
> just yesterday:
>
> commit 1ebda7da9a43d3ae3564d08612de9cb27fbaf482
> Author: Nathan Bossart <nathan@postgresql.org>
> Date:   Mon May 11 05:13:48 2026 -0700
>
>     refint: Fix SQL injection and buffer overruns.
>
>     Maliciously crafted key value updates could achieve SQL injection
>     within check_foreign_key().  To fix, ensure new key values are
>     properly quoted and escaped in the internally generated SQL
>     statements.  While at it, avoid potential buffer overruns by
>     replacing the stack buffers for internally generated SQL statements
>     with StringInfo.
>
>     Reported-by: Nikolay Samokhvalov <nik@postgres.ai>
>     Author: Nathan Bossart <nathandbossart@gmail.com>
>     Reviewed-by: Noah Misch <noah@leadboat.com>
>     Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
>     Reviewed-by: Fujii Masao <masao.fujii@gmail.com>
>     Security: CVE-2026-6637
>     Backpatch-through: 14
>

You're right, thanks for catching this.  I sent the v1 patches against
master from the day before; commit 260e97733bf (CVE-2026-6637) landed
in between and I had not noticed it.  That commit rewrites the same
cascade-update path to use StringInfo and quote_literal_cstr(), so the
v1 patches do not apply on current master at all.

Importantly, after 260e97733bf the bug is also no longer dependent on
_FORTIFY_SOURCE: the new code calls quote_literal_cstr(nv) directly,
which dereferences nv via strlen() and segfaults on stock builds too.
I reproduced this on plain master built with --enable-cassert.

I have rebased the minimal fix on current master.  It is essentially
the same shape as the snippet you suggested -- emit the NULL keyword
directly when SPI_getvalue() returns NULL, otherwise pass through
quote_literal_cstr() as today.  Attached as v2-0001.

I dropped my earlier 0002 patch.  The CVE fix already addressed the
quoting/escaping concerns that motivated half of it.

Regards,
Ayush
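As an added illustration of the fix shape Ayush describes (example code written here, not the v2-0001 patch or PostgreSQL's refint.c): a stand-alone C model of the cascade-UPDATE SET-list builder. quote_literal(), append_assignment() and build_set_clause() are assumed stand-ins for quote_literal_cstr(), appendStringInfo() and the key loop in check_foreign_key(); a NULL nv takes the NULL-keyword branch instead of reaching strlen().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PostgreSQL's quote_literal_cstr(): wraps s in single
 * quotes and doubles any embedded quote.  Like the real function it
 * starts with strlen(s), so a NULL pointer would crash right here. */
char *quote_literal(const char *s)
{
    char *out = malloc(2 * strlen(s) + 3);   /* worst case: all quotes */
    char *p = out;
    *p++ = '\'';
    for (; *s != '\0'; s++)
    {
        if (*s == '\'')
            *p++ = '\'';               /* escape by doubling */
        *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Append "sep col = value " to sql (a malloc'd string) and return the
 * grown buffer.  nv models the SPI_getvalue() result: a NULL pointer
 * means the new key is SQL NULL, so the NULL keyword is emitted
 * instead of handing the pointer to the quoting routine. */
static char *append_assignment(char *sql, const char *sep,
                               const char *col, const char *nv)
{
    char *quoted = (nv != NULL) ? quote_literal(nv) : NULL;
    const char *val = (quoted != NULL) ? quoted : "NULL";
    size_t len = strlen(sql);
    size_t need = len + strlen(sep) + strlen(col) + strlen(val) + 8;
    sql = realloc(sql, need);
    snprintf(sql + len, need - len, "%s %s = %s ", sep, col, val);
    free(quoted);
    return sql;
}

/* Build the SET list of a cascade UPDATE over an nkeys-column key;
 * vals[k] == NULL stands for a SQL NULL new value.  Caller frees. */
char *build_set_clause(const char **cols, const char **vals, int nkeys)
{
    char *sql = calloc(1, 1);
    for (int k = 0; k < nkeys; k++)
        sql = append_assignment(sql, k > 0 ? "," : "", cols[k], vals[k]);
    return sql;
}
```

Removing the nv != NULL check reproduces the reported failure mode in miniature: quote_literal() calls strlen() on a NULL pointer.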
[Attachment: v2-0001-Fix-refint-cascade-UPDATE-crash-with-NULL-keys.patch]