public inbox for [email protected]
help / color / mirror / Atom feedBUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
2+ messages / 2 participants
[nested] [flat]
* BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
@ 2026-06-18 18:17 PG Bug reporting form <[email protected]>
2026-06-22 16:37 ` Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input Tom Lane <[email protected]>
0 siblings, 1 reply; 2+ messages in thread
From: PG Bug reporting form @ 2026-06-18 18:17 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
The following bug has been logged on the website:
Bug reference: 19527
Logged by: Yuelin Wang
Email address: [email protected]
PostgreSQL version: 19beta1
Operating system: Linux (Ubuntu 24.04, x86_64)
Description:
**Component**: `contrib/pgcrypto/openssl.c`, `ResOwnerReleaseOSSLCipher`
(line 833), `free_openssl_cipher` (line 291)
Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
installed) can crash the backend with a single statement:
```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;
SELECT encrypt_iv(
repeat('A', 1073741308)::bytea,
decode('00112233445566778899aabbccddeeff', 'hex'),
decode('000102030405060708090a0b0c0d0e0f', 'hex'),
'aes'
);
```
Expected vs actual output:
| Step | Expected | Actual |
|---|---|---|
| `encrypt_iv(...)` | `ERROR: invalid memory alloc request size ...` then
clean abort | `WARNING: AbortTransaction while in ABORT state` followed by
`ERROR: ResourceOwnerForget called for pgcrypto OpenSSL cipher handle after
release started` then backend crash |
| Server state after | Normal | `FATAL: the database system is in recovery
mode` (postmaster restarted) |
`1073741308 + 512 + 4 = 1073741824 = 0x40000000 > MaxAllocSize
(0x3FFFFFFF)`, so `palloc` throws `ERROR` and longjmps past `px_combo_free`,
leaving the `OSSLCipher` registered with the current `ResourceOwner`. When
`AbortTransaction` calls `ResourceOwnerRelease`, `ResOwnerReleaseOSSLCipher`
calls `free_openssl_cipher` with `od->owner` still set.
`free_openssl_cipher` then calls `ResourceOwnerForgetOSSLCipher`, which
checks `owner->releasing == true` and throws `elog(ERROR, ...)`. An ERROR
thrown inside `AbortTransaction` re-enters `AbortCurrentTransaction`,
calling `ResourceOwnerRelease` a second time on the already-released owner.
The second call invokes `EVP_CIPHER_CTX_free` on the already-freed EVP
context, producing a null pointer dereference (ASan: `SEGV in
EVP_CIPHER_CTX_reset`).
Server output:
```
WARNING: AbortTransaction while in ABORT state
ERROR: ResourceOwnerForget called for pgcrypto OpenSSL cipher handle after
release started
server closed the connection unexpectedly
```
ASan confirmation:
```
==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000659
#0 EVP_CIPHER_CTX_reset (libcrypto.so.3)
#1 EVP_CIPHER_CTX_free (libcrypto.so.3)
#2 free_openssl_cipher openssl.c:294
#3 ResOwnerReleaseOSSLCipher openssl.c:835
#4 ResourceOwnerReleaseAll resowner.c:395
#5 AbortTransaction xact.c:3016
SUMMARY: AddressSanitizer: SEGV (EVP_CIPHER_CTX_reset)
```
The fix is to clear `od->owner` before calling `free_openssl_cipher` in
`ResOwnerReleaseOSSLCipher`:
```c
static void
ResOwnerReleaseOSSLCipher(Datum res)
{
OSSLCipher *od = (OSSLCipher *) DatumGetPointer(res);
od->owner = NULL;
free_openssl_cipher(od);
}
```
^ permalink raw reply [nested|flat] 2+ messages in thread
* Re: BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input
2026-06-18 18:17 BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input PG Bug reporting form <[email protected]>
@ 2026-06-22 16:37 ` Tom Lane <[email protected]>
0 siblings, 0 replies; 2+ messages in thread
From: Tom Lane @ 2026-06-22 16:37 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
PG Bug reporting form <[email protected]> writes:
> Any role with `EXECUTE` on `encrypt_iv` (granted by default when pgcrypto is
> installed) can crash the backend with a single statement:
> ```sql
> CREATE EXTENSION IF NOT EXISTS pgcrypto;
> SELECT encrypt_iv(
> repeat('A', 1073741308)::bytea,
> decode('00112233445566778899aabbccddeeff', 'hex'),
> decode('000102030405060708090a0b0c0d0e0f', 'hex'),
> 'aes'
> );
> ```
> The fix is to clear `od->owner` before calling `free_openssl_cipher` in
> `ResOwnerReleaseOSSLCipher`:
Good catch, thanks for the report!
regards, tom lane
^ permalink raw reply [nested|flat] 2+ messages in thread
end of thread, other threads:[~2026-06-22 16:37 UTC | newest]
Thread overview: 2+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-06-18 18:17 BUG #19527: Double-Abort Crash in `ResOwnerReleaseOSSLCipher` via `encrypt_iv` with Oversized Input PG Bug reporting form <[email protected]>
2026-06-22 16:37 ` Tom Lane <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox