Re: BUG #19476: Segmentation fault in contrib/spi

Ayush Tiwari <ayushtiwari.slg01@gmail.com>

From: Ayush Tiwari <ayushtiwari.slg01@gmail.com>
To: pierre.forstmann@gmail.com
Cc: pgsql-bugs@lists.postgresql.org
Date: 2026-05-12T19:27:47Z
Lists: pgsql-bugs

Attachments

Hi,


On Wed, 13 May 2026 at 00:22, <pierre.forstmann@gmail.com> wrote:

> Hello,
>
> You have not used the very last version of refint.c which has been updated
> just yesterday:
>
> commit 1ebda7da9a43d3ae3564d08612de9cb27fbaf482
> Author: Nathan Bossart <nathan@postgresql.org>
> Date:   Mon May 11 05:13:48 2026 -0700
>
>     refint: Fix SQL injection and buffer overruns.
>
>     Maliciously crafted key value updates could achieve SQL injection
>     within check_foreign_key().  To fix, ensure new key values are
>     properly quoted and escaped in the internally generated SQL
>     statements.  While at it, avoid potential buffer overruns by
>     replacing the stack buffers for internally generated SQL statements
>     with StringInfo.
>
>     Reported-by: Nikolay Samokhvalov <nik@postgres.ai>
>     Author: Nathan Bossart <nathandbossart@gmail.com>
>     Reviewed-by: Noah Misch <noah@leadboat.com>
>     Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
>     Reviewed-by: Fujii Masao <masao.fujii@gmail.com>
>     Security: CVE-2026-6637
>     Backpatch-through: 14
>
>
You're right, thanks for catching this.  I sent the v1 patches against
master from the day before; commit 260e97733bf (CVE-2026-6637) landed
in between and I had not noticed it.  That commit rewrites the same
cascade-update path to use StringInfo and quote_literal_cstr(), so the
v1 patches do not apply on current master at all.

Importantly, after 260e97733bf the bug is also no longer dependent on
_FORTIFY_SOURCE: the new code calls quote_literal_cstr(nv) directly,
which dereferences nv via strlen() and segfaults on stock builds too.
I reproduced this on plain master built with --enable-cassert.

I have rebased the minimal fix on current master.  It is essentially
the same shape as the snippet you suggested -- emit the NULL keyword
directly when SPI_getvalue() returns NULL, otherwise pass through
quote_literal_cstr() as today.  Attached as v2-0001.

I dropped my earlier 0002 patch.  The CVE fix already addressed the
quoting/escaping concerns that motivated half of it.

Regards,
Ayush

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. refint: Fix segfault in check_foreign_key().

  2. refint: Fix SQL injection and buffer overruns.