PG19 ri_FastPath* FK fast-path: three reachable defects (public bug report) #44
Draft
NikolayS wants to merge 5 commits into
Combines three reachable defects in the new PG19 foreign-key fast-path (ri_FastPath* in src/backend/utils/adt/ri_triggers.c), all stemming from running user-defined cast/operator code inside the deferred batch flush:
- re-entrancy -> out-of-bounds heap write (memory safety / crash)
- buffered FK checks dropped on subtransaction abort (integrity bypass)
- EndBatch cross-table re-entrancy silently drops a check (integrity bypass)
All three are reachable by an unprivileged table owner via an owned IMPLICIT cast. PG19-only (present in REL_19_BETA1, absent from 18/17); pre-GA, so pgsql-hackers material rather than a CVE.
https://claude.ai/code/session_01SkJVZ9jWs8tgaaAJcsSciX
Terse, technical -hackers-style write-up of the three FK fast-path defects with exact, runnable reproductions for each, grounded in REL_19_BETA1 ri_triggers.c line numbers. Notes PG19-only (present in beta1, absent from 18/17) and pre-GA (pgsql-hackers, not security@). https://claude.ai/code/session_01SkJVZ9jWs8tgaaAJcsSciX
…E + -O2 caveat
- line numbers anchored on function names, marked approximate (beta1 may differ)
- [2] transcript now shows convalidated=t and a passing VALIDATE with orphans remaining
- [1] notes -O2 is an OOB write of undefined effect (clean run does not disprove)
https://claude.ai/code/session_01SkJVZ9jWs8tgaaAJcsSciX
c0676e8 to ce6b7a8
… leak note
- de-hedge all line numbers to exact REL_19_BETA1 values (commit 4b0bf07)
- Defect 1: corrected repro -- single re-entrant row only stomps batch_count; crash requires the re-entrant insert to itself force a nested flush (>=64 rows); added gdb crash evidence
- Defect 2: note whole batch is dropped (not just aborting row) + resource-leak WARNING observed on the abort path
https://claude.ai/code/session_01SkJVZ9jWs8tgaaAJcsSciX
What

Reposts (into this public Postgres fork) the combined bug report originally drafted in a private security-audit workspace. Adds audit/findings/ri-fastpath-public-issue.md — a single, public-ready report combining three PG19 ri_FastPath* FK fast-path defects.

Common root cause: the new PG19 FK existence-check fast path runs user-defined cast/operator code inside the deferred batch flush. All three are reachable by an unprivileged table owner via an owned IMPLICIT cast (no superuser, no contrib).

Upstream verification

Checked directly against github.com/postgres/postgres:
- src/backend/utils/adt/ri_triggers.c is byte-identical to upstream master (193a4ded).
- ri_FastPathBatchAdd (write-before-bound-check) and ri_FastPathSubXactCallback (NULLs the cache) are present verbatim in master, with no flushing guard upstream.
- REL_19_BETA1 (stamped 2026-06-05) is identical to master for this file → the bug shipped into PG19 beta1.
- ri_FastPath is absent from REL_18_4 and REL_17_6 → PG19-only (pre-GA).

Disclosure note

PG19 is unreleased (now REL_19_BETA1), so these are pre-GA bugs for the patch author / pgsql-hackers, not security@postgresql.org CVEs. This fork is a read-only mirror that PostgreSQL does not triage; the channel PG actually reads is pgsql-hackers / pgsql-bugs. This PR exists to hold the public-ready draft for review before it goes to that channel.

Draft for review.
Generated by Claude Code
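To make the "write-before-bound-check plus re-entrant flush" mechanism the report names concrete, here is a constructed C model added to this page; it is not PostgreSQL's ri_triggers.c, and the batch size (4 rather than the 64 the report mentions), key values, hook and function names are all invented. It runs the same four-row statement through the defective ordering and the hardened one (bound-check before the write, snapshot and reset the buffer before any user code runs) and records what each variant actually verified.

```c
#include <stdbool.h>
#include <string.h>
#define BATCH_CAP 4                 /* constructed; the report says the real batch flushes at 64 rows */
typedef struct Batch {
    int  items[BATCH_CAP];
    int  count;
    bool verified[128];             /* keys the flush actually checked (constructed bookkeeping) */
    int  overflow_writes;           /* writes the model refused to make past items[] */
    int  reentries_left;            /* how many times the hook re-enters add() */
    void (*add)(struct Batch *, int);  /* the variant under test */
} Batch;
/* Stands in for an owner-defined IMPLICIT cast run by the flush: user code that inserts a row, i.e. re-enters. */
static void reentrant_hook(Batch *b, int key) {
    if (key >= 0 && key < 128) b->verified[key] = true;
    if (key == 3 && b->reentries_left-- > 0) b->add(b, 100);
}
/* Defective ordering: write first, bound-check after; count is reset only after user code ran. */
static void vuln_flush(Batch *b) {
    for (int i = 0, n = b->count; i < n; i++)
        reentrant_hook(b, i < BATCH_CAP ? b->items[i] : -1);   /* clamped here; real code reads OOB */
    b->count = 0;                   /* too late: count was still BATCH_CAP while the hook ran */
}
static void vuln_add(Batch *b, int key) {
    if (b->count < BATCH_CAP) b->items[b->count] = key;
    else b->overflow_writes++;      /* real code does items[count] = key here: heap OOB write */
    b->count++;
    if (b->count >= BATCH_CAP) vuln_flush(b);
}
/* Hardened: bound-check before the write; snapshot and reset the buffer before user code runs. */
static void safe_flush(Batch *b) {
    while (b->count > 0) {          /* loop so rows added re-entrantly are drained too */
        int pending[BATCH_CAP], n = b->count;
        memcpy(pending, b->items, n * sizeof pending[0]);
        b->count = 0;               /* re-entrant adds now land in an empty buffer */
        for (int i = 0; i < n; i++) reentrant_hook(b, pending[i]);
    }
}
static void safe_add(Batch *b, int key) {
    if (b->count >= BATCH_CAP) safe_flush(b);
    b->items[b->count++] = key;
}
/* One four-row statement through either variant, followed by the end-of-statement flush. */
static Batch run_statement(bool hardened) {
    Batch b = { .reentries_left = 1, .add = hardened ? safe_add : vuln_add };
    for (int k = 0; k < 4; k++) b.add(&b, k);
    if (hardened) safe_flush(&b); else vuln_flush(&b);
    return b;
}
static int  overflow_writes(bool hardened) { return run_statement(hardened).overflow_writes; }
static bool key_checked(bool hardened, int key) { Batch b = run_statement(hardened); return b.verified[key]; }
```

In the defective variant the re-entrant row is written one slot past the buffer and is never verified; the hardened variant makes no out-of-range write and verifies every row, including the one inserted during the flush.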