Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll - Mailing list pgsql-bugs

From Sudheer H R
Subject Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll
Date
Msg-id 5372B6D4-8276-42C0-B8FB-BD0918826FC3@tekenlight.com
Responses Re: Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll  (Sudheer H R <sudheer.hr@tekenlight.com>)
Re: Found a buffer-overflow defect in asynchronous database connection API PQconnectPoll  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Hello,

I am trying to integrate the client library libpq with a server that is developed based on the libev model, on a MacBook Pro running macOS Big Sur, version 11.4.

While trying to sanitise the code for heap buffer overflows, I compiled and linked the executable with the clang -fsanitize=address option. The connection library indicates a buffer overflow in the internal source code of the module.

In order to isolate the problem, I tried writing a separate simple program as listed below, which also gives the same error report upon running.


Request you to please provide any guidance in this regard.


I am using the MacPorts-based installation of PostgreSQL version 13.2 (or 3).


Any help in this regard is much appreciated.

Regards,
Sudheer



Source code:


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "libpq-fe.h"


int main(void)
{
    PGconn *p = NULL;
    /* Connection parameters as parallel keyword/value arrays. */
    const char *keywords[] = { "host", "dbname", "user", "password", NULL };
    const char *values[]   = { "localhost", "AAA", "gen", "GEN", NULL };

    /* Start a non-blocking connection attempt. */
    p = PQconnectStartParams(keywords, values, 0);

    if (p == NULL) {
        printf("COULD NOT ALLOCATE MEMORY\n");
        exit(1);
    }
    else if (PQstatus(p) == CONNECTION_BAD) {
        printf("COULD NOT CONNECT\n");
        PQfinish(p);
        return 1;               /* nothing left to poll */
    }

    /* Drive the asynchronous connection until it succeeds or fails. */
    PostgresPollingStatusType ps;

    ps = PQconnectPoll(p);
    while (ps != PGRES_POLLING_FAILED && ps != PGRES_POLLING_OK) {
        sleep(1);
        ps = PQconnectPoll(p);
        printf("open_connection_finalize[%d]\n", (int) ps);
    }

    printf("DONE\n");

    PQfinish(p);
    return 0;
}





BUFFER OVERFLOW SANITIZER REPORT


open_connection_finalize[1]
=================================================================
==62203==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700001abd6 at pc 0x0001098118f4 bp 0x7ffee646d910 sp 0x7ffee646d0d0
READ of size 71 at 0x60700001abd6 thread T0
    #0 0x1098118f3 in wrap_strlen+0x183 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x198f3)
    #1 0x1097c37ea in dopr+0xe4 (libpq.5.dylib:x86_64+0x1c7ea)
    #2 0x1097c36e2 in pg_vsnprintf+0x52 (libpq.5.dylib:x86_64+0x1c6e2)
    #3 0x1097bbe91 in appendPQExpBufferVA+0x3e (libpq.5.dylib:x86_64+0x14e91)
    #4 0x1097bbfae in appendPQExpBuffer+0xc4 (libpq.5.dylib:x86_64+0x14fae)
    #5 0x1097beb64 in pg_GSS_error_int+0x5b (libpq.5.dylib:x86_64+0x17b64)
    #6 0x1097beaf3 in pg_GSS_error+0x66 (libpq.5.dylib:x86_64+0x17af3)
    #7 0x1097bf4fe in pqsecure_open_gss+0x334 (libpq.5.dylib:x86_64+0x184fe)
    #8 0x1097ad40d in PQconnectPoll+0xac9 (libpq.5.dylib:x86_64+0x640d)
    #9 0x109793a2c in main+0x46c (a:x86_64+0x100003a2c)
    #10 0x7fff20563f5c in start+0x0 (libdyld.dylib:x86_64+0x15f5c)

0x60700001abd6 is located 0 bytes to the right of 70-byte region [0x60700001ab90,0x60700001abd6)
allocated by thread T0 here:
    #0 0x109840460 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x48460)
    #1 0x7fff2d8f7396 in _gss_mg_get_error+0x96 (GSS:x86_64+0x9396)
    #2 0x7fff2d8f71e6 in gss_display_status+0x176 (GSS:x86_64+0x91e6)
    #3 0x1097beb4b in pg_GSS_error_int+0x42 (libpq.5.dylib:x86_64+0x17b4b)
    #4 0x1097beaf3 in pg_GSS_error+0x66 (libpq.5.dylib:x86_64+0x17af3)
    #5 0x1097bf4fe in pqsecure_open_gss+0x334 (libpq.5.dylib:x86_64+0x184fe)
    #6 0x1097ad40d in PQconnectPoll+0xac9 (libpq.5.dylib:x86_64+0x640d)
    #7 0x109793a2c in main+0x46c (a:x86_64+0x100003a2c)
    #8 0x7fff20563f5c in start+0x0 (libdyld.dylib:x86_64+0x15f5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x198f3) in wrap_strlen+0x183
==62203==ABORTING
Abort
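In the trace above, strlen() reads 71 bytes from the 70-byte region that gss_display_status allocated, which indicates that a length-counted GSS buffer was consumed as if it were a NUL-terminated C string. The following is an added illustration, not code from this report or from libpq, of formatting such a buffer bounded by its own length; the status_buf type and the message text are constructed stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a GSS-style buffer (assumption for this example):
 * the text is length-counted and the region holds exactly `length` bytes,
 * so there is no trailing '\0' for strlen() to stop at. */
typedef struct {
    size_t length;
    void  *value;
} status_buf;

/* Build such a buffer from a C string, deliberately omitting the terminator.
 * Calling strlen() on b.value would read one byte past the region, which is
 * the 70-byte-region / 71-byte-READ shape seen in the report above. */
static status_buf make_status(const char *src)
{
    status_buf b;
    b.length = strlen(src);
    b.value = malloc(b.length);          /* no +1: nothing to hold a NUL */
    if (b.value != NULL)
        memcpy(b.value, src, b.length);
    return b;
}

/* Format "prefix: message\n" using the buffer's own length via %.*s, so the
 * read is bounded by b->length instead of by a NUL that may not exist.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *format_status(const char *prefix, const status_buf *b)
{
    size_t need = strlen(prefix) + 2 + b->length + 2;  /* ": ", "\n", NUL */
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%s: %.*s\n",
             prefix, (int) b->length, (const char *) b->value);
    return out;
}

/* Runs the safe path on a constructed message and returns 1 if the output
 * matches what a caller expects, 0 otherwise. */
int demo_status_format(void)
{
    const char *msg = "constructed status text with no terminator";
    status_buf b = make_status(msg);
    char *s = b.value ? format_status("GSSAPI error", &b) : NULL;
    int ok = s != NULL
        && strcmp(s, "GSSAPI error: constructed status text with no terminator\n") == 0;
    free(s);
    free(b.value);
    return ok;
}
```

Built with -fsanitize=address, the same program would report a one-byte heap-buffer-overflow in strlen if format_status used "%s" instead of "%.*s".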

