Use after free? in fe-connect.c:closePGconn - Mailing list pgsql-bugs

From Ranier VF
Subject Use after free? in fe-connect.c:closePGconn
Date
Msg-id BLU183-W36C8721B5C151BC8DEFAA7E3550@phx.gbl
Responses Re: Use after free? in fe-connect.c:closePGconn  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Hi,
Postgresql 9.5.3 32 bits
client 32bits libpq.dll with libpq.pdb

All calls of PQfinish are protected by:
if (conn != NULL) {
   PQfinish(conn);
}

In d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c,
closePGconn(PGconn *conn) does not check if conn is NULL.

Use after free?

Best regards,

Ranier

----------------------------------------------------------------------------------------------------------------
Error #1: UNINITIALIZED READ: reading 0x0012fbb4-0x0012fbbb 7 byte(s) within 0x0012fb78-0x0012fbbb
# 0 system call NtCreateFile parameter #9
# 1 ntdll.dll!ZwCreateFile                             +0xb      (0x7c90d09c <ntdll.dll+0xd09c>)
# 2 MSWSOCK.dll!?                                      +0x0      (0x71a149c0 <MSWSOCK.dll+0x49c0>)
# 3 WS2_32.dll!WSASocketW                              +0x9c     (0x71a740eb <WS2_32.dll+0x40eb>)
# 4 ngx_open_listening_sockets                          [c:\msys\1.0\nginx-1.10\src\core\ngx_connection.c:448]
# 5 ngx_init_cycle                                      [c:\msys\1.0\nginx-1.10\src\core\ngx_cycle.c:609]
# 6 main                                                [c:\msys\1.0\nginx-1.10\src\core\nginx.c:276]
Note: @0:00:03.954 in thread 3124

Error #2: UNADDRESSABLE ACCESS of freed memory: reading 0x020afd3c-0x020afd40 4 byte(s)
# 0 LIBPQ.dll!closePGconn                  [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish                     [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                        [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup                      [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                       [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit                [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle               [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                                   [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.860 in thread 3124
Note: prev lower malloc:  0x020afcf8-0x020afd08
Note: 0x020afd3c-0x020afd40 overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free                           [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init                          [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types                   [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf               [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers                 [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block                         [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: cmp    0x000000b4(%esi) $0xffffffff

Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x020afd10-0x020afd14 4 byte(s)
# 0 LIBPQ.dll!closePGconn                  [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish                     [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                        [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup                      [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                       [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit                [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle               [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                                   [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.954 in thread 3124
Note: prev lower malloc:  0x020afcf8-0x020afd08
Note: instruction: cmp    0x00000088(%esi) $0x00000000

Error #4: UNADDRESSABLE ACCESS of freed memory: writing 0x020afd2b-0x020afd2c 1 byte(s)
# 0 LIBPQ.dll!closePGconn                  [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2974]
# 1 LIBPQ.dll!PQfinish                     [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                        [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup                      [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                       [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit                [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle               [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                                   [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.969 in thread 3124
Note: prev lower malloc:  0x020afcf8-0x020afd08
Note: 0x020afd2b-0x020afd2c overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free                           [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init                          [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types                   [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf               [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers                 [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block                         [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: mov    $0x00 -> 0x000000a3(%esi)
-----------------------------------------------------------------------------------------------------------------------
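The Dr. Memory "freed here" stacks above show that the block 0x020afd28-0x020b0d28 was already released before closePGconn read it at fe-connect.c:2957, and a caller-side `conn != NULL` guard cannot catch that: a freed pointer is still a non-NULL address. The following C model is an added illustration, not code from this thread or from libpq, and uses stand-in names (`pg_handle`, `pq_finish_stub`, `dbd_conn` are hypothetical); it shows the NULL guard passing on a stale pointer and the owner-side fix of clearing the pointer as soon as PQfinish has been called, so a repeated cleanup pass is a no-op instead of a use-after-free.

```c
#include <stdlib.h>

/* Stand-in for libpq's PGconn (assumed for illustration, not the real struct). */
typedef struct {
    int status;   /* closePGconn reads fields like this before releasing them */
} pg_handle;

static int g_finish_calls;   /* how often the stand-in PQfinish ran */

/* Stand-in for PQfinish/closePGconn: reads the struct, then frees it. Like the
 * real call it only guards NULL; a freed handle is still a non-NULL address,
 * so a dangling pointer sails through that check. */
static void pq_finish_stub(pg_handle *conn)
{
    if (conn == NULL)
        return;
    g_finish_calls++;
    conn->status = -1;   /* on a dangling pointer this is the reported UAF */
    free(conn);
}

static pg_handle *open_handle(void) { return calloc(1, sizeof(pg_handle)); }

/* Owner record, like a DBD connection object kept in a pool. */
typedef struct { pg_handle *conn; } dbd_conn;

/* Unsafe pattern: the NULL guard from the report, but the owner keeps the stale
 * pointer, so a second cleanup pass (close, then pool cleanup) passes the guard
 * and hands already-released memory to finish. */
static int dbd_close_unsafe(dbd_conn *d)
{
    if (d->conn == NULL)
        return 0;
    pq_finish_stub(d->conn);
    return 1;            /* d->conn still holds the freed address */
}

/* Hardened pattern: invalidate the pointer the moment the handle is given up,
 * so repeated cleanup is a no-op and the NULL guard is actually sufficient. */
static int dbd_close_safe(dbd_conn *d)
{
    if (d->conn == NULL)
        return 0;
    pq_finish_stub(d->conn);
    d->conn = NULL;
    return 1;
}

/* 1 if the caller-side guard would still let PQfinish be called again. */
static int guard_would_call(const dbd_conn *d) { return d->conn != NULL; }
```

The test below compares only the pointer value after the unsafe close and never dereferences it; the real report is what happens when that second call does.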