Hi,

It was reported to pgsql-security that it's possible to crash
pg_walsummary by constructing a WAL summary file which purports to
contain chunks of a size greater than MAX_ENTRIES_PER_CHUNK. It may
also be possible to crash the server in some contrived scenario. The
security team does not think this qualifies as a security issue, but
it is a bug. The solution is to insert error checks that catch
out-of-bounds chunk sizes. It turns out that we should have similar
checks for out-of-bounds fork numbers, else similar kinds of bad
things can happen. The attached patch adds those checks, and should be
back-patched to v17 where the WAL summarizer first appeared.

The reason why the impact of this is pretty limited is that WAL
summary files are only supposed to exist in $PGDATA, and if an
adversary has write access to $PGDATA, they will probably do something
much worse than introduce a maliciously-constructed WAL summary file.
As a practical matter, the main benefit of this fix is to contain the
damage in case of an *accidentally* corrupted WAL summary file. Of
course, such a file won't be usable for its intended purpose with or
without this fix, but with this fix, the outcome is more likely to be
an error and less likely to be a crash, either of the server or of
pg_walsummary.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Attachment: v1-0001-Add-additional-sanity-checks-when-reading-a-blkre.patch
Description: Binary data

Reply via email to