BUG #18701: Read of Bounds - elog.c - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #18701: Read of Bounds - elog.c
Date
Msg-id 18701-806fe12aba430a7d@postgresql.org
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      18701
Logged by:          Stanislav Osipov
Email address:      stasos24@gmail.com
PostgreSQL version: 17.0
Operating system:   Ubuntu 22
Description:

ASAN Report:
```
su postgres -c '/postgres/src/backend/postgres -D /tmp/data -c "config_file=/tmp/2.conf"'
2024-11-12 09:19:18.631 GMT [12812] LOG:  skipping missing configuration file "/tmp/..."
2024-11-12 09:19:18.632 GMT [12812] LOG:  skipping missing configuration file "/tmp/..."
=================================================================
==12812==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5616196d85c0 at pc 0x561616a5dff6 bp 0x7ffff7563840 sp 0x7ffff7563008
READ of size 129 at 0x5616196d85c0 thread T0

    #0 0x561616a5dff5 in strlen (/post2/src/backend/postgres+0x49dff5) (BuildId: 5c4481a76e8e9a356f3acdae2b5b6360b5bb8fa4)
    #1 0x561618575098 in appendStringInfoString /post2/src/common/stringinfo.c:184:33
    #2 0x56161841abe1 in log_status_format /post2/src/backend/utils/error/elog.c:2997:6
    #3 0x56161841d483 in log_line_prefix /post2/src/backend/utils/error/elog.c:2806:2
    #4 0x561618412686 in send_message_to_server_log /post2/src/backend/utils/error/elog.c:3193:2
    #5 0x56161840c06c in EmitErrorReport /post2/src/backend/utils/error/elog.c:1728:3
    #6 0x56161840ae7a in errfinish /post2/src/backend/utils/error/elog.c:546:2
    #7 0x561617adbe19 in PostmasterMain /post2/src/backend/postmaster/postmaster.c:1080:2
    #8 0x561617642421 in main /post2/src/backend/main/main.c:197:3
    #9 0x7f72e2871d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f72e2871e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x561616a47eb4 in _start (/post2/src/backend/postgres+0x487eb4) (BuildId: 5c4481a76e8e9a356f3acdae2b5b6360b5bb8fa4)

0x5616196d85c0 is located 32 bytes to the left of global variable 'backtrace_function_list' defined in 'elog.c:118:14' (0x5616196d85e0) of size 8
0x5616196d85c0 is located 0 bytes to the right of global variable 'formatted_log_time' defined in 'elog.c:164:13' (0x5616196d8540) of size 128

SUMMARY: AddressSanitizer: global-buffer-overflow (/post2/src/backend/postgres+0x49dff5) (BuildId: 5c4481a76e8e9a356f3acdae2b5b6360b5bb8fa4) in strlen

Shadow bytes around the buggy address:
  0x0ac3432d3060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac3432d3070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
  0x0ac3432d3080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ac3432d3090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac3432d30a0: 00 f9 f9 f9 01 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0ac3432d30b0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 f9 f9 f9
  0x0ac3432d30c0: 00 f9 f9 f9 01 f9 f9 f9 00 00 f9 f9 00 00 00 00
  0x0ac3432d30d0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ac3432d30e0: 00 f9 f9 f9 04 f9 f9 f9 00 04 f9 f9 00 f9 f9 f9
  0x0ac3432d30f0: 00 f9 f9 f9 04 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
  0x0ac3432d3100: 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

2.conf:
```
max_connections = 100                   # (change requires restart)
shared_buffers = 128MB                  # min 128kB
dynamic_shared_memory_type = posix      # the default is usually the first option
max_wal_size = 1GB
min_wal_size = 80MB
log_timezone = 'Etiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiic/UTCreserved_connections = 3'
datestyle = 'iso, mdy'
timezone = 'Etc/UTC'
lc_messages = C                         # locale for system error message
lc_monetary = C                         # locale for monetary formatting
lc_numeric = C                          # locale for number formatting
lc_time = C                             # locale for time formatting
default_text_search_confiG = 'pg_catalog.english'
include_if_exists = '...'               # include file only if it exists
```
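Added illustration, not part of the report and not PostgreSQL's code. The trace shows strlen(), called from appendStringInfoString(), reading 129 bytes from formatted_log_time, a 128-byte global, while an overlong log_timezone value is in effect. That is consistent with the buffer having been filled to its last byte with no terminating NUL, which is exactly what the C strftime() contract allows when the result does not fit: it returns 0 and leaves the buffer contents unspecified. Whether that is the precise mechanism inside elog.c is an assumption here. The program below reproduces the pattern in isolation: strftime_like() is a hypothetical formatter that mirrors the strftime() return-value contract, formatted_log_time is a constructed 128-byte analogue of the global named in the report, and the two format_log_time_* functions show the unchecked pattern next to the one that checks the return value and terminates the buffer before any consumer can call strlen() on it.

```c
#include <stdio.h>
#include <string.h>

/* Same size as formatted_log_time in the ASAN report. This buffer is a
 * constructed analogue for the demonstration, not PostgreSQL's variable. */
#define FORMATTED_TS_LEN 128
static char formatted_log_time[FORMATTED_TS_LEN];

/* Hypothetical formatter mirroring the C strftime() contract: returns the
 * number of bytes written (excluding the NUL) when the result fits, and 0
 * when it does not, in which case the buffer contents are unspecified. The
 * overflow path here fills every byte and leaves no terminator, which is the
 * state a later strlen() walks straight past. */
static size_t strftime_like(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) {
        memcpy(dst, src, dstlen);   /* full, unterminated */
        return 0;
    }
    memcpy(dst, src, n + 1);        /* includes the NUL */
    return n;
}

/* Bounded check that never runs past the buffer: 1 if a NUL is present. */
int buffer_is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Constructed stand-in for the overlong log_timezone value in 2.conf. */
const char *constructed_long_zone(void)
{
    static char zone[160];
    memset(zone, 'i', sizeof zone - 1);
    zone[sizeof zone - 1] = '\0';
    return zone;
}

/* Unchecked pattern: the formatter's return value is ignored, so an overlong
 * zone name leaves the global unterminated. Returns whether the buffer ended
 * up terminated, determined with memchr rather than strlen. */
int format_log_time_unchecked(const char *zone_name)
{
    char tmp[256];
    snprintf(tmp, sizeof tmp, "2024-11-12 09:19:18.631 %s", zone_name);
    (void) strftime_like(formatted_log_time, FORMATTED_TS_LEN, tmp);
    return buffer_is_terminated(formatted_log_time, FORMATTED_TS_LEN);
}

/* Checked pattern: a zero return means "did not fit"; the buffer is then
 * truncated and terminated explicitly so every consumer stays in bounds.
 * Returns 1 when the timestamp fit, 0 when it had to be truncated. */
int format_log_time_checked(const char *zone_name)
{
    char tmp[256];
    snprintf(tmp, sizeof tmp, "2024-11-12 09:19:18.631 %s", zone_name);
    if (strftime_like(formatted_log_time, FORMATTED_TS_LEN, tmp) == 0) {
        formatted_log_time[FORMATTED_TS_LEN - 1] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    const char *zone = constructed_long_zone();
    int terminated, fit;

    terminated = format_log_time_unchecked("UTC");
    printf("short zone, unchecked: terminated=%d\n", terminated);

    terminated = format_log_time_unchecked(zone);
    printf("long zone, unchecked:  terminated=%d (a strlen() here would read past the buffer)\n",
           terminated);

    fit = format_log_time_checked(zone);
    terminated = buffer_is_terminated(formatted_log_time, FORMATTED_TS_LEN);
    printf("long zone, checked:    fit=%d terminated=%d\n", fit, terminated);
    return 0;
}
```

Building this with -fsanitize=address and replacing the memchr check in the unchecked path with a plain strlen() reproduces a global-buffer-overflow READ of the same shape as the report, one byte past a 128-byte global; the checked variant never triggers it because the buffer is always terminated before anything reads it as a string.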

