Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL |
| Date | |
| Msg-id | 200208261659.g7QGx8s12557@candle.pha.pa.us Whole thread Raw |
| In response to | Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses |
Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
(Lamar Owen <lamar.owen@wgcr.org>)
|
| List | pgsql-hackers |
Tom Lane wrote: > Sir Mordred The Traitor <mordred@s-mail.com> writes: > > Note, that the size of palloced memory is taken from the user's input, > > which is stupid if you ask me. > > Beyond causing an "out of memory" error during the handshake, I fail to > see how there can be any problem. palloc is considerably more robust > than malloc. > > > I dont want to provide any tools to illustrate this vulnerability. > > Perhaps you haven't tried. > > It may indeed make sense to put a range check here, but I'm getting > tired of hearing the words "dos attack" applied to conditions that > cannot be exploited to cause any real problem. All you are > accomplishing is to spread FUD among people who aren't sufficiently > familiar with the code to evaluate the seriousness of problems... Sir-* does have a point. A valid host in pg_hba.conf can cause DOS by just connecting over and over, but allocating almost all of the memory on the machine would affect other applications running on the machine, even non-networked applications, as well as PostgreSQL, while a connection DOS effects only PostgreSQL. It isn't fun to have our code nit-picked apart, and Sir-* is over-hyping the vulnerability, but it is a valid concern. The length should probably be clipped to a reasonable length and a comment put in the code describing why. There are a whole host of vulnerability scenarios that we have not explored. In fact, with 7.2.2, we got into the data-based crash vs. query-based crash issue that we have not discussed before in detail. With this report, we have a non-authorized user causing possible memory exhaustion for all applications on the server. This is a greater vulnerability than the random query argument because in such cases the user is authorized to issue queries. So, Sir-* and others, please understand that databases have their own vulnerability envelope that is much more complex than a standard network application like ftp. There is almost an entirely new vocabulary for describing such vulnerabilities which we have been crafting as we discuss it. This vocabulary includes: connection-enabled hosts vs. any hostauthenticated vs. non-authenticated usersusers with data insertion accessusers withquery access I think the last group can not be protected from malevolent queries, but the former can be tightened, and Sir-* is working on that. Sir-*, when describing vulnerabilities, especially in public forums, please try to use this language so people are not overly agitated by your warnings. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
pgsql-hackers by date: