Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: 3020001251@tju.edu.cn
Cc: pgsql-bugs@lists.postgresql.org
Date: 2026-06-22T16:37:33Z
Lists: pgsql-bugs
PG Bug reporting form <noreply@postgresql.org> writes:
> Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
> installed) can crash the backend with a single statement:
> ```sql
> CREATE EXTENSION IF NOT EXISTS pgcrypto;
> SELECT encrypt_iv(
> repeat('A', 1073741308)::bytea,
> decode('00112233445566778899aabbccddeeff', 'hex'),
> decode('000102030405060708090a0b0c0d0e0f', 'hex'),
> 'aes'
> );
> ```
> The fix is to clear `od->owner` before calling `free_openssl_cipher` in
> `ResOwnerReleaseOSSLCipher`:
Good catch, thanks for the report!
regards, tom lane
Commits
-
pgcrypto: avoid recursive ResourceOwnerForget().
- 80bb0ebcc11f 19 (unreleased) landed
- 2aa6be6e6481 17 (unreleased) landed
- 020426268ff6 18 (unreleased) landed