7. PostgreSQL Server 15.2 (ASAN Enabled) Subprocess Went down at Function 'heap_form_tuple' - Mailing list pgsql-bugs

Msg-id 00c301d96e27$1a7dc410$4f794c30$@mails.tsinghua.edu.cn
List pgsql-bugs

Description: PostgreSQL Server (ASAN Enabled) Subprocess Went down at Function 'heap_form_tuple'

PostgreSQL Server Version: PostgreSQL 15.2 on x86_64-pc-linux-gnu, compiled by Ubuntu clang version 12.0.1, 64-bit

Discoverer: Jingzhou Fu, Jie Liang and Zhiyong Wu in WingTecher Lab of Tsinghua University and Shuimuyulin ltd

Email address: fjz22@mails.tsinghua.edu.cn, wuzy21@mails.tsinghua.edu.cn, ljiee@mail.tsinghua.edu.cn

PoC:

```sql
SET allow_system_table_mods = on;
CREATE TABLE test_pg_dump_t1 (test_pg_dump_v1 int);
ALTER TABLE pg_description ADD COLUMN transaction_test6 int;
COMMENT ON COLUMN test_pg_dump_t1.test_pg_dump_v1 IS 'test_pg_dump_v1';
```

Backtrace:

```
==3273==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdf0cd4484 at pc 0x00000059305c bp 0x7ffdf0cd4120 sp 0x7ffdf0cd4118
READ of size 1 at 0x7ffdf0cd4484 thread T0
    #0 0x59305b in heap_form_tuple (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x59305b)
    #1 0xbfb595 in CreateComments (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfb595)
    #2 0xbfa81b in CommentObject (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfa81b)
    #3 0x1705df5 in ProcessUtilitySlow (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x1705df5)
    #4 0x16fc933 in standard_ProcessUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16fc933)
    #5 0x16fa616 in ProcessUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16fa616)
    #6 0x16f9666 in PortalRunUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f9666)
    #7 0x16f7605 in PortalRunMulti (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f7605)
    #8 0x16f559a in PortalRun (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f559a)
    #9 0x16e9693 in exec_simple_query (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16e9693)
    #10 0x16e7a62 in PostgresMain (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16e7a62)
    #11 0x144c17a in BackendRun (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x144c17a)
    #12 0x144ad84 in BackendStartup (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x144ad84)
    #13 0x14481e5 in ServerLoop (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x14481e5)
    #14 0x1443e0e in PostmasterMain (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x1443e0e)
    #15 0x106ebf1 in main (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x106ebf1)
    #16 0x7f2f8fe4e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x49fc0d in _start (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x49fc0d)

Address 0x7ffdf0cd4484 is located in stack of thread T0 at offset 388 in frame
    #0 0xbfafef in CreateComments (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfafef)

  This frame has 4 object(s):
    [32, 248) 'skey'
    [320, 352) 'values'
    [384, 388) 'nulls' <== Memory access at offset 388 overflows this variable
    [400, 404) 'replaces'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x59305b) in heap_form_tuple
Shadow bytes around the buggy address:
  0x10003e192840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192860: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2
  0x10003e192880: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
=>0x10003e192890:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e1928a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e1928b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10003e1928c0: 00 04 f2 f2 00 f2 f2 f2 f8 f8 f2 f2 00 00 f2 f2
  0x10003e1928d0: 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10003e1928e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3273==ABORTING
```
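The frame dump above explains the read: in CreateComments the 'values' object is 32 bytes (four 8-byte datums) and 'nulls' is 4 bytes, so both arrays are sized from the compile-time column count of pg_description (4 in a stock PostgreSQL 15 build), while the PoC's ALTER TABLE gives the catalog a fifth column at run time. heap_form_tuple walks the tuple descriptor's runtime attribute count and reads nulls[4], one byte past the array, which is exactly the "offset 388 overflows this variable" ASan reports. The following C model, added here for illustration and not code from the report or from PostgreSQL, reproduces that sizing mismatch with hypothetical names (NATTS_PG_DESCRIPTION, TupleDescModel, form_tuple_model, create_comments_model) and shows the guard a caller would need: compare the descriptor's runtime count against the compile-time size before handing fixed-size stack arrays to a loop that cannot know their length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compile-time column count of pg_description in a stock PostgreSQL 15 build;
 * it matches the 4-byte 'nulls' object in the ASan frame dump. (Constant name
 * is a stand-in for this illustration.) */
#define NATTS_PG_DESCRIPTION 4

/* Hypothetical stand-in for a tuple descriptor: only the runtime attribute
 * count matters for this illustration. */
typedef struct {
    int natts;
} TupleDescModel;

/* Model of the heap_form_tuple loop: it is never told how long the caller's
 * arrays are and reads nulls[i] for every i below tupdesc->natts.
 * Returns the number of non-null attributes it saw. */
static int form_tuple_model(const TupleDescModel *tupdesc, const bool *nulls)
{
    int nonnull = 0;
    for (int i = 0; i < tupdesc->natts; i++)
        if (!nulls[i])
            nonnull++;
    return nonnull;
}

/* Model of the caller: fixed-size stack arrays sized from the compile-time
 * constant, as the frame dump shows the real CreateComments does. The guard
 * is the addition: a descriptor reporting more columns than the build knows
 * about is refused instead of being passed to the loop.
 * Returns the non-null count, or -1 when the descriptor does not fit. */
int create_comments_model(const TupleDescModel *runtime_desc)
{
    bool nulls[NATTS_PG_DESCRIPTION];
    memset(nulls, 0, sizeof nulls);          /* every column present */

    if (runtime_desc->natts < 0 || runtime_desc->natts > NATTS_PG_DESCRIPTION)
        return -1;                           /* would overrun 'nulls' */

    return form_tuple_model(runtime_desc, nulls);
}

/* Convenience wrapper: run the model for a catalog with the given column count. */
int run_with_natts(int natts)
{
    TupleDescModel desc = { natts };
    return create_comments_model(&desc);
}

int main(void)
{
    printf("stock pg_description (4 columns): %d\n", run_with_natts(4));  /* 4 */
    printf("after ADD COLUMN (5 columns):     %d\n", run_with_natts(5));  /* -1 */
    return 0;
}
```

In the real server this guard does not exist inside heap_form_tuple, which is why the protection is the configuration boundary the PoC deliberately crosses: allow_system_table_mods defaults to off and is superuser-only, and enabling it removes the assumption that catalog layouts match the compiled-in constants.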
