public inbox for [email protected]  
help / color / mirror / Atom feed
From: PG Bug reporting form <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
Date: Thu, 18 Jun 2026 18:17:12 +0000
Message-ID: <[email protected]> (raw)

The following bug has been logged on the website:

Bug reference:      19527
Logged by:          Yuelin Wang
Email address:      [email protected]
PostgreSQL version: 19beta1
Operating system:   Linux (Ubuntu 24.04, x86_64)
Description:        

**Component**: `contrib/pgcrypto/openssl.c`, `ResOwnerReleaseOSSLCipher`
(line 833), `free_openssl_cipher` (line 291)

Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
installed) can crash the backend with a single statement:

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;
SELECT encrypt_iv(
    repeat('A', 1073741308)::bytea,
    decode('00112233445566778899aabbccddeeff', 'hex'),
    decode('000102030405060708090a0b0c0d0e0f', 'hex'),
    'aes'
);
```

Expected vs actual output:

| Step | Expected | Actual |
|---|---|---|
| `encrypt_iv(...)` | `ERROR: invalid memory alloc request size ...` then
clean abort | `WARNING: AbortTransaction while in ABORT state` followed by
`ERROR: ResourceOwnerForget called for pgcrypto OpenSSL cipher handle after
release started` then backend crash |
| Server state after | Normal | `FATAL: the database system is in recovery
mode` (postmaster restarted) |

`1073741308 + 512 + 4 = 1073741824 = 0x40000000 > MaxAllocSize
(0x3FFFFFFF)`, so `palloc` throws `ERROR` and longjmps past `px_combo_free`,
leaving the `OSSLCipher` registered with the current `ResourceOwner`. When
`AbortTransaction` calls `ResourceOwnerRelease`, `ResOwnerReleaseOSSLCipher`
calls `free_openssl_cipher` with `od->owner` still set.
`free_openssl_cipher` then calls `ResourceOwnerForgetOSSLCipher`, which
checks `owner->releasing == true` and throws `elog(ERROR, ...)`. An ERROR
thrown inside `AbortTransaction` re-enters `AbortCurrentTransaction`,
calling `ResourceOwnerRelease` a second time on the already-released owner.
The second call invokes `EVP_CIPHER_CTX_free` on the already-freed EVP
context, producing a null pointer dereference (ASan: `SEGV in
EVP_CIPHER_CTX_reset`).

Server output:
```
WARNING:  AbortTransaction while in ABORT state
ERROR:  ResourceOwnerForget called for pgcrypto OpenSSL cipher handle after
release started
server closed the connection unexpectedly
```

ASan confirmation:
```
==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000659
    #0 EVP_CIPHER_CTX_reset  (libcrypto.so.3)
    #1 EVP_CIPHER_CTX_free   (libcrypto.so.3)
    #2 free_openssl_cipher   openssl.c:294
    #3 ResOwnerReleaseOSSLCipher openssl.c:835
    #4 ResourceOwnerReleaseAll  resowner.c:395
    #5 AbortTransaction       xact.c:3016
SUMMARY: AddressSanitizer: SEGV (EVP_CIPHER_CTX_reset)
```

The fix is to clear `od->owner` before calling `free_openssl_cipher` in
`ResOwnerReleaseOSSLCipher`:

```c
static void
ResOwnerReleaseOSSLCipher(Datum res)
{
    OSSLCipher *od = (OSSLCipher *) DatumGetPointer(res);
    od->owner = NULL;
    free_openssl_cipher(od);
}
```








view thread (2+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox