Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wDoei-003OdD-0q
	for pgsql-bugs@arkaria.postgresql.org;
	Fri, 17 Apr 2026 19:15:08 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wDoeh-00AvjO-0q
	for pgsql-bugs@arkaria.postgresql.org;
	Fri, 17 Apr 2026 19:15:07 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1wDoeg-00AvjA-3C
	for pgsql-bugs@lists.postgresql.org;
	Fri, 17 Apr 2026 19:15:07 +0000
Received: from mail-qv1-xf33.google.com ([2607:f8b0:4864:20::f33])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1wDoec-00000001W84-0wqG
	for pgsql-bugs@lists.postgresql.org;
	Fri, 17 Apr 2026 19:15:03 +0000
Received: by mail-qv1-xf33.google.com with SMTP id 6a1803df08f44-8ac9ef74131so15045806d6.1
        for <pgsql-bugs@lists.postgresql.org>; Fri, 17 Apr 2026 12:15:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1776453301; cv=none;
        d=google.com; s=arc-20240605;
        b=lXXCfRvyX4/YcUw1RP6UskT6j4xhCreivQNbfYjUIrBgp146FCIyQbex8tT+GsaDFb
         PoC6rPAHTKeso4gbedQmOBlMaWqRkkMgI2yKwflLw17NmG2gYothtvbTv4V2hJ4+negJ
         tvjBIbMczVVeGlX5URwu69VD45ruZaSaoBg0gRHi/YmDKa5UpwjH5nFQqsALR0TA56h2
         AjCBWHvKwvegPCivxZ5rwzDT9lWjRZrES59VWjdmYxVRFlFcpVK/+EMp9NypKcpPLpDv
         /QAzzoMir+PZ0a7d/QbFWd6rSWZC5hpExGM0pYLUIdp6HJz6yXhE1WrdtlV/kdjTCrJP
         xMog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=GNgaQP+bCRfFwRvI9eAG3YDGEGi2kvcbRPUX4VPfrTk=;
        fh=yUzVDZqQtWITyxm8fi7acwgaI4ugbgOks67dQE4GdmQ=;
        b=BZgSM8GCGWLQ+/bRmA9cnnmlyo9p5EKvX0K8BYNrFVm2DFLAg2PmJBDPbtiAZQW+VR
         kWEPTes5qnZ0R19oKjbS/gP3pGQTBV1D5xvaEniQHG6s+BxEN74c1ttSXRHGOlBEmePE
         r9xWXkvGPtkpptACewRmB7rlrfD6ktkGBFDiipAnztBmgpuBvs2MBn9icEcnCezC9O/2
         CpA5JmPKlNwZNbgg6VZhcRQgr9BtWUGZNQSQXIN41l52dJ7rbLDg+a+HmSclk41/v87v
         GvLXtRC5n+1RNpem4KiNFjFS1J6GppmzpuUKmKJp6If0oIwg813n1r6WBmp2pRWjz3kM
         g8JA==;
        darn=lists.postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1776453301; x=1777058101; darn=lists.postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=GNgaQP+bCRfFwRvI9eAG3YDGEGi2kvcbRPUX4VPfrTk=;
        b=bHE82YaXutuo3HwTGmoc4VzrVIG/YWOxhpkEfQiWs3hu58NyUBs0Q0fcEzZ7yrlRr9
         TMeXm9uFWC+KD8c7lEc7HyDGPTIbXwNTwV8QhZTGn7mmzFyK+bnoNt7V59dyai86oUqe
         +S/B2HY4c4PpLayj2eYzntg2Zlyp/bCXEYJmcLvnVlbCVJWrPX/gJaI6V78Jfom+ZObh
         GoBByPVGpjw7hVuiW3t9OjvRGA6/NXfETfqLMGbM9tVCKIRfUXSVoKPKYgSxRP70R/oF
         aEbDkSQPv+OaDAyHPVhwfe3R7ikqacxr8NzI5wLf8HwyT8mmZsJ12xBKSKidLwrSFzOz
         ehtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776453301; x=1777058101;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=GNgaQP+bCRfFwRvI9eAG3YDGEGi2kvcbRPUX4VPfrTk=;
        b=NvQbkoByGwuH8q9Aid+VxggTDs3FLPZC68sfFQLoBaXxVcfFKd98U9sru7Q7wPUiuB
         cm+kKHJ0vEcq9A7U31vYWYX+u7XkztR6T6qG0JgfFUICP114cwERrHxDswKbRnizeV6D
         ax/rI5xgeWX8j3tYkBs/DxtaLUh5G5MBndw0cfuxNAMFagrxuCwGBZsoW+ydQDjcRPFq
         LL5igITG3R7wBOuKZW6eWy48YEmzFxWeGKXXfFTwLVIct9kxw5G7RZVqak6dB5S1I/Lv
         XRr2lUuAPizYr+CIp1eRyFqhLhGFOV/TWwvYutY/DVawxZPxeCa3p/J+TK9jVgYT56aa
         cHGA==
X-Gm-Message-State: AOJu0YyVkOLW0UwK4mbpV/wgmEkNavLpNoTbf7yAqkzOd3N7ATN7JqQi
	HBBrtKYuisJuKAMFjwZm4TNnkmhQ/KW9O2Zbu/Ao6zgL6dlYGQVHidV9r7P9jbgMQIpknVenHVo
	EmWOxOJffSze7DtaHfNO+FvwQyVvyKAkstaaq8NzCi4fWWMgKuPxQ4g==
X-Gm-Gg: AeBDies6dHzRMhneK5wkp0obq9tk4HN7G+B00nrE81MDYg5JB4HwSRHpNnrIfka2sed
	DiRrKBcrL5CPhT9qxz6ol0r820jUZqrge12/cIdBI/NQEcxW/nX4o58dAY6NCkKl9L6iXnHEViQ
	40I7QvqMGJg1nVBATadjZS6AuhNnluYAEnusXePHSYRSeObP0JflH2MDmSnhxtm4mGZEqV1VF4X
	4qVcJjKuYd+GszjnrMjzn1t5JaK7hkOnmLtX0WWH+96XK2uMvLrzQlxt906dDyIekpTSeyklKy7
	F5wDHQSD0wF5b1vxZc+E
X-Received: by 2002:a05:6214:4c8b:b0:89c:cacd:244a with SMTP id
 6a1803df08f44-8b028041b20mr61569226d6.5.1776453301479; Fri, 17 Apr 2026
 12:15:01 -0700 (PDT)
MIME-Version: 1.0
References: <f7fe39b3-7e99-4939-8852-07350549161d@hrz.tu-chemnitz.de>
In-Reply-To: <f7fe39b3-7e99-4939-8852-07350549161d@hrz.tu-chemnitz.de>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Fri, 17 Apr 2026 12:14:49 -0700
X-Gm-Features: AQROBzAVEt3LsYZ84EOU6IwvQ1aVMucfBKXk2kSsuBIrB_OAT6LJrWjolwxVbp0
Message-ID: <CAOYmi+=e9bQQa1jgLqZ18m5w-7KA44VeL9FON6i2gd8bi=d5Jw@mail.gmail.com>
Subject: Re: PostgreSQL 17: Bug in libpq when libpq is dlopened/closed
 multiple times
To: Daniel Schreiber <daniel.schreiber@hrz.tu-chemnitz.de>
Cc: pgsql-bugs@lists.postgresql.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: <https://www.postgresql.org/message-id/CAOYmi%2B%3De9bQQa1jgLqZ18m5w-7KA44VeL9FON6i2gd8bi%3Dd5Jw%40mail.gmail.com>
Precedence: bulk

On Fri, Apr 17, 2026 at 7:33=E2=80=AFAM Daniel Schreiber
<daniel.schreiber@hrz.tu-chemnitz.de> wrote:
> my colleagues and I probably found a bug in libpq when libpq is dlopened
> and closed multiple times during the lifetime of a process. In our setup
> we use a PAM module which links to libpq. The process using PAM is
> linked against openssl, so openssl is loaded during the complete
> lifetime of the process whereas libpq is loaded only during PAM
> authentication (and unloaded when PAM has finished).
>
> [snip]
>
> According to our findings every time a connection is established after
> dlopening libpq one of the 127 available BIO_METHOD structures in
> OpenSSL is consumed:
> https://github.com/postgres/postgres/blob/REL_17_9/src/interfaces/libpq/f=
e-secure-openssl.c#L1987

Right. I think in this *particular* case, we should simply skip the
call to BIO_get_new_index(). We don't need it, IIUC.

But I think we may also need to set expectations on whether or not
infinite dlopen/dlclose loops are supported in general. If we ever
come across a situation in which a call to BIO_get_new_index() is
necessary, that leak just fundamentally can't be plugged. The same is
true for any third-party libraries (or their dependencies, or
theirs...) that require "one-time", irreversible calls which can't be
tracked after we're unloaded. And we can't push these concerns up to
the top level application developer, because they don't know we exist.

(I'd be surprised if this were the only such resource leak across all
supported versions and combinations of Kerberos, OpenSSL, OpenLDAP,
Curl, etc. etc. From a quick search, you're the first to report this
in the ten years since the leak was introduced, so there may be more
dragons where you're headed.)

--Jacob