BUG #18681: [ECPG] heap-read-out-of-bounds - Mailing list pgsql-bugs
From | PG Bug reporting form |
---|---|
Subject | BUG #18681: [ECPG] heap-read-out-of-bounds |
Date | |
Msg-id | 18681-fd25f2e89b437ccd@postgresql.org |
List | pgsql-bugs |
The following bug has been logged on the website:

Bug reference: 18681
Logged by: Stanislav Osipov
Email address: stasos24@gmail.com
PostgreSQL version: 17.0
Operating system: Ubuntu 22
Description:

```json
{
  "Date": "2024-10-31T12:09:36.204533+00:00",
  "Uname": "Linux d5dbeabbf3a9 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 x86_64 x86_64 GNU/Linux",
  "OS": "Ubuntu",
  "OSRelease": "22.04",
  "Architecture": "amd64",
  "ExecutablePath": "./src/interfaces/ecpg/preproc/ecpg",
  "ProcCmdline": "./src/interfaces/ecpg/preproc/ecpg /final/default/crashes/id:000034,sig:06,src:004259,time:60042406,execs:14167093,op:havoc,rep:8.sql",
  "CrashSeverity": {
    "Type": "NOT_EXPLOITABLE",
    "ShortDescription": "heap-buffer-overflow(read)",
    "Description": "Heap buffer overflow",
    "Explanation": "The target reads data past the end, or before the beginning, of the intended heap buffer."
  },
  "Stacktrace": [
    " #0 0x540346 in find_variable /postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
    " #1 0x506247 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y:19969:38",
    " #2 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    " #3 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    " #4 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
    " #5 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)"
  ],
  "Registers": {},
  "Disassembly": [],
  "Package": "",
  "PackageVersion": "",
  "PackageArchitecture": "",
  "PackageDescription": "",
  "AsanReport": [
    "==2127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000085 at pc 0x000000540347 bp 0x7fffffff98d0 sp 0x7fffffff98c8",
    "READ of size 1 at 0x603000000085 thread T0",
    " #0 0x540346 in find_variable /postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
    " #1 0x506247 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y:19969:38",
    " #2 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    " #3 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    " #4 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
    " #5 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)",
    "",
    "0x603000000085 is located 0 bytes to the right of 21-byte region [0x603000000070,0x603000000085)",
    "allocated by thread T0 here:",
    " #0 0x488ee4 in strdup (/postgres/src/interfaces/ecpg/preproc/ecpg+0x488ee4)",
    " #1 0x53bda2 in mm_strdup /postgres/src/interfaces/ecpg/preproc/type.c:27:17",
    " #2 0x4d59bd in filtered_base_yylex /postgres/src/interfaces/ecpg/preproc/parser.c:74:15",
    " #3 0x4e7300 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.c:39493:16",
    " #4 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    " #5 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    "",
    "SUMMARY: AddressSanitizer: heap-buffer-overflow /postgres/src/interfaces/ecpg/preproc/variable.c:211:13 in find_variable",
    "Shadow bytes around the buggy address:",
    " 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " 0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00",
    "=>0x0c067fff8010:[05]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    " 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    " 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    " 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    " 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    " 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    "Shadow byte legend (one shadow byte represents 8 application bytes):",
    " Addressable: 00",
    " Partially addressable: 01 02 03 04 05 06 07",
    " Heap left redzone: fa",
    " Freed heap region: fd",
    " Stack left redzone: f1",
    " Stack mid redzone: f2",
    " Stack right redzone: f3",
    " Stack after return: f5",
    " Stack use after scope: f8",
    " Global redzone: f9",
    " Global init order: f6",
    " Poisoned by user: f7",
    " Container overflow: fc",
    " Array cookie: ac",
    " Intra object redzone: bb",
    " ASan internal: fe",
    " Left alloca redzone: ca",
    " Right alloca redzone: cb",
    "==2127==ABORTING"
  ],
  "UbsanReport": [],
  "PythonReport": [],
  "GoReport": [],
  "JavaReport": [],
  "RustReport": [],
  "JsReport": [],
  "CSharpReport": [],
  "CrashLine": "/postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
  "Source": [
    " 207 \t\t\t * up the characters",
    " 208 \t\t\t */",
    " 209 \t\t\tfor (count = 1, end = next + 1; count; end++)",
    " 210 \t\t\t{",
    "--->211 \t\t\t\tswitch (*end)",
    " 212 \t\t\t\t{",
    " 213 \t\t\t\t\tcase '[':",
    " 214 \t\t\t\t\t\tcount++;",
    " 215 \t\t\t\t\t\tbreak;",
    " 216 \t\t\t\t\tcase ']':"
  ]
}
```

crash-input_file:

```
execSQL select:r[[]
```