Hi, It was reported to pgsql-security that it's possible to crash pg_walsummary by constructing a WAL summary file which purports to contain chunks of a size greater than MAX_ENTRIES_PER_CHUNK. It may also be possible to crash the server in some contrived scenario. The security team does not think this qualifies as a security issue, but it is a bug. The solution is to insert error checks that catch out-of-bounds chunk sizes. It turns out that we should have similar checks for out-of-bounds fork numbers, else similar kinds of bad things can happen. The attached patch adds those checks, and should be back-patched to v17 where the WAL summarizer first appeared.
The reason why the impact of this is pretty limited is that WAL summary files are only supposed to exist in $PGDATA, and if an adversary has write access to $PGDATA, they will probably do something much worse than introduce a maliciously-constructed WAL summary file. As a practical matter, the main benefit of this fix is to contain the damage in case of an *accidentally* corrupted WAL summary file. Of course, such a file won't be usable for its intended purpose with or without this fix, but with this fix, the outcome is more likely to be an error and less likely to be a crash, either of the server or of pg_walsummary. -- Robert Haas EDB: http://www.enterprisedb.com
v1-0001-Add-additional-sanity-checks-when-reading-a-blkre.patch
Description: Binary data
