Re: BUG #19476: Segmentation fault in contrib/spi
Ayush Tiwari <ayushtiwari.slg01@gmail.com>
From: Ayush Tiwari <ayushtiwari.slg01@gmail.com>
To: pierre.forstmann@gmail.com
Cc: pgsql-bugs@lists.postgresql.org
Date: 2026-05-12T19:27:47Z
Lists: pgsql-bugs
Attachments
- v2-0001-Fix-refint-cascade-UPDATE-crash-with-NULL-keys.patch (application/octet-stream) patch v2-0001
Hi, On Wed, 13 May 2026 at 00:22, <pierre.forstmann@gmail.com> wrote: > Hello, > > You have not used the very last version of refint.c which has been updated > just yesterday: > > commit 1ebda7da9a43d3ae3564d08612de9cb27fbaf482 > Author: Nathan Bossart <nathan@postgresql.org> > Date: Mon May 11 05:13:48 2026 -0700 > > refint: Fix SQL injection and buffer overruns. > > Maliciously crafted key value updates could achieve SQL injection > within check_foreign_key(). To fix, ensure new key values are > properly quoted and escaped in the internally generated SQL > statements. While at it, avoid potential buffer overruns by > replacing the stack buffers for internally generated SQL statements > with StringInfo. > > Reported-by: Nikolay Samokhvalov <nik@postgres.ai> > Author: Nathan Bossart <nathandbossart@gmail.com> > Reviewed-by: Noah Misch <noah@leadboat.com> > Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> > Reviewed-by: Fujii Masao <masao.fujii@gmail.com> > Security: CVE-2026-6637 > Backpatch-through: 14 > > You're right, thanks for catching this. I sent the v1 patches against master from the day before; commit 260e97733bf (CVE-2026-6637) landed in between and I had not noticed it. That commit rewrites the same cascade-update path to use StringInfo and quote_literal_cstr(), so the v1 patches do not apply on current master at all. Importantly, after 260e97733bf the bug is also no longer dependent on _FORTIFY_SOURCE: the new code calls quote_literal_cstr(nv) directly, which dereferences nv via strlen() and segfaults on stock builds too. I reproduced this on plain master built with --enable-cassert. I have rebased the minimal fix on current master. It is essentially the same shape as the snippet you suggested -- emit the NULL keyword directly when SPI_getvalue() returns NULL, otherwise pass through quote_literal_cstr() as today. Attached as v2-0001. I dropped my earlier 0002 patch. The CVE fix already addressed the quoting/escaping concerns that motivated half of it. Regards, Ayush
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
refint: Fix segfault in check_foreign_key().
- ed0c4d5af2ef 18 (unreleased) landed
- eb93f10e20db 16 (unreleased) landed
- 77b2d18e9c3b 15 (unreleased) landed
- 6b4de201e82f 17 (unreleased) landed
- 611756948eef 19 (unreleased) landed
- 1de0a711db9b 14 (unreleased) landed
-
refint: Fix SQL injection and buffer overruns.
- 1ebda7da9a43 18.4 cited
- 260e97733bf0 19 (unreleased) cited