public inbox for [email protected]
help / color / mirror / Atom feedFrom: Ayush Tiwari <[email protected]>
To: [email protected]
Subject: Re: [PATCH] Fix NULL dereference in pg_get_database_ddl()
Date: Fri, 10 Apr 2026 19:43:10 +0530
Message-ID: <CAJTYsWXA0QBaMRZG_TK4K9sK59snU6YZC6+raT00Y=oMdYCT7A@mail.gmail.com> (raw)
In-Reply-To: <CAJTYsWWzqpoRYxyA4ukjYpMPGEDgK2Za4t4wu9GdWOAtT8v-SQ@mail.gmail.com>
References: <CAJTYsWWzqpoRYxyA4ukjYpMPGEDgK2Za4t4wu9GdWOAtT8v-SQ@mail.gmail.com>
On Fri, 10 Apr 2026 at 19:27, Ayush Tiwari <[email protected]>
wrote:
> Hi,
>
> pg_get_database_ddl_internal() can dereference a NULL pointer when
> pg_database.dattablespace points to a tablespace OID that no longer
> exists.
>
> The immediate issue is that get_tablespace_name() may return NULL, but
> the result is passed directly to pg_strcasecmp():
>
> spcname = get_tablespace_name(dbform->dattablespace);
> if (pg_strcasecmp(spcname, "pg_default") != 0)
> ...
>
> That leads to a backend crash. I reproduced it on current master as a
> SIGSEGV with crash recovery.
>
> This function was introduced by commit a4f774cf1c7.
>
> Deterministic reproduction:
>
> CREATE DATABASE regression_testdb;
> SET allow_system_table_mods = on;
> UPDATE pg_database
> SET dattablespace = 99999
> WHERE datname = 'regression_testdb';
> RESET allow_system_table_mods;
>
> SELECT * FROM pg_get_database_ddl('regression_testdb');
>
> The attached patch fixes this by checking for NULL before calling
> pg_strcasecmp(). In that case, pg_get_database_ddl() simply omits the
> TABLESPACE clause.
>
> I also added a regression test in database_ddl.sql that exercises this
> case by setting dattablespace to a non-existent OID and verifying that
> the function returns successfully.
>
> Patch attached. Please review and let me know if it needs any edits.
> Thanks!
>
> Regards,
> Ayush Tiwari
>
Re-attaching patch without trailing white-space
Regards,
Ayush
Attachments:
[application/octet-stream] 0001-Fix-NULL-dereference-in-pg_get_database_ddl.patch (4.7K, 3-0001-Fix-NULL-dereference-in-pg_get_database_ddl.patch)
download | inline diff:
From 2d358ac48c94520628682df1f36661fd24292e76 Mon Sep 17 00:00:00 2001
From: Ayush Tiwari <[email protected]>
Date: Fri, 10 Apr 2026 19:17:12 +0530
Subject: [PATCH] Fix NULL dereference in pg_get_database_ddl()
pg_get_database_ddl_internal() can dereference a NULL pointer when
pg_database.dattablespace points to a tablespace OID that no longer
exists.
The immediate issue is that get_tablespace_name() may return NULL, but
the result is passed directly to pg_strcasecmp():
spcname = get_tablespace_name(dbform->dattablespace);
if (pg_strcasecmp(spcname, "pg_default") != 0)
...
That leads to a backend crash (SIGSEGV).
This function was introduced by commit a4f774cf1c7.
The patch fixes this by checking for NULL before calling
pg_strcasecmp(). In that case, pg_get_database_ddl() simply omits the
TABLESPACE clause.
A regression test is added in database_ddl.sql that exercises this
case by setting dattablespace to a non-existent OID and verifying that
the function returns successfully without crashing.
---
src/backend/utils/adt/ddlutils.c | 2 +-
src/test/regress/expected/database_ddl.out | 22 ++++++++++++++++++++++
src/test/regress/sql/database_ddl.sql | 17 +++++++++++++++++
3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/src/backend/utils/adt/ddlutils.c b/src/backend/utils/adt/ddlutils.c
index b16c277d000..c5885b18958 100644
--- a/src/backend/utils/adt/ddlutils.c
+++ b/src/backend/utils/adt/ddlutils.c
@@ -976,7 +976,7 @@ pg_get_database_ddl_internal(Oid dbid, bool pretty,
{
char *spcname = get_tablespace_name(dbform->dattablespace);
- if (pg_strcasecmp(spcname, "pg_default") != 0)
+ if (spcname != NULL && pg_strcasecmp(spcname, "pg_default") != 0)
append_ddl_option(&buf, pretty, 4, "TABLESPACE = %s",
quote_identifier(spcname));
}
diff --git a/src/test/regress/expected/database_ddl.out b/src/test/regress/expected/database_ddl.out
index 97657e52cfa..00ec1bdc1f9 100644
--- a/src/test/regress/expected/database_ddl.out
+++ b/src/test/regress/expected/database_ddl.out
@@ -83,6 +83,28 @@ ERROR: permission denied for database regression_database_ddl
RESET ROLE;
GRANT CONNECT ON DATABASE regression_database_ddl TO PUBLIC;
DROP ROLE regress_db_ddl_noaccess;
+-- Test for dropped tablespace: dattablespace pointing to a non-existent OID
+-- should not crash (see commit fixing NULL deref in pg_get_database_ddl_internal)
+CREATE DATABASE regression_database_ddl2
+ ENCODING utf8 LC_COLLATE "C" LC_CTYPE "C" TEMPLATE template0
+ OWNER regress_datdba;
+SET allow_system_table_mods = on;
+UPDATE pg_database SET dattablespace = 99999
+ WHERE datname = 'regression_database_ddl2';
+RESET allow_system_table_mods;
+SELECT ddl_filter(pg_get_database_ddl) FROM pg_get_database_ddl('regression_database_ddl2');
+ ddl_filter
+---------------------------------------------------------------------------------------
+ CREATE DATABASE regression_database_ddl2 WITH TEMPLATE = template0 ENCODING = 'UTF8';
+ ALTER DATABASE regression_database_ddl2 OWNER TO regress_datdba;
+(2 rows)
+
+SET allow_system_table_mods = on;
+UPDATE pg_database SET dattablespace =
+ (SELECT oid FROM pg_tablespace WHERE spcname = 'pg_default')
+ WHERE datname = 'regression_database_ddl2';
+RESET allow_system_table_mods;
+DROP DATABASE regression_database_ddl2;
DROP DATABASE regression_database_ddl;
DROP FUNCTION ddl_filter(text);
DROP ROLE regress_datdba;
diff --git a/src/test/regress/sql/database_ddl.sql b/src/test/regress/sql/database_ddl.sql
index 89753ac6411..0792a4a9f35 100644
--- a/src/test/regress/sql/database_ddl.sql
+++ b/src/test/regress/sql/database_ddl.sql
@@ -61,6 +61,23 @@ RESET ROLE;
GRANT CONNECT ON DATABASE regression_database_ddl TO PUBLIC;
DROP ROLE regress_db_ddl_noaccess;
+-- Test for dropped tablespace: dattablespace pointing to a non-existent OID
+-- should not crash (see commit fixing NULL deref in pg_get_database_ddl_internal)
+CREATE DATABASE regression_database_ddl2
+ ENCODING utf8 LC_COLLATE "C" LC_CTYPE "C" TEMPLATE template0
+ OWNER regress_datdba;
+SET allow_system_table_mods = on;
+UPDATE pg_database SET dattablespace = 99999
+ WHERE datname = 'regression_database_ddl2';
+RESET allow_system_table_mods;
+SELECT ddl_filter(pg_get_database_ddl) FROM pg_get_database_ddl('regression_database_ddl2');
+SET allow_system_table_mods = on;
+UPDATE pg_database SET dattablespace =
+ (SELECT oid FROM pg_tablespace WHERE spcname = 'pg_default')
+ WHERE datname = 'regression_database_ddl2';
+RESET allow_system_table_mods;
+DROP DATABASE regression_database_ddl2;
+
DROP DATABASE regression_database_ddl;
DROP FUNCTION ddl_filter(text);
DROP ROLE regress_datdba;
--
2.34.1
view thread (4+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: [PATCH] Fix NULL dereference in pg_get_database_ddl()
In-Reply-To: <CAJTYsWXA0QBaMRZG_TK4K9sK59snU6YZC6+raT00Y=oMdYCT7A@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox