Thread: BUG #4791: NULL value in function causes reproducible segmentation fault
BUG #4791: NULL value in function causes reproducible segmentation fault
From
"Sikkerhed.org ApS"
Date:
The following bug has been logged online:

Bug reference: 4791
Logged by: Sikkerhed.org ApS
Email address: support@sikkerhed.org
PostgreSQL version: 8.3.7-0lenny1
Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
Description: NULL value in function causes reproducible segmentation fault
Details:

We are using a couple of functions in PostgreSQL, namely

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';

We experienced a bad crash on our production server, and narrowed it down to
a reproducible test case.

The following query will crash the server every time:

SELECT SHA1(NULL);

Please let us know if you require more information.
Re: BUG #4791: NULL value in function causes reproducible segmentation fault
From
Magnus Hagander
Date:
Sikkerhed.org ApS wrote:
> The following bug has been logged online:
>
> Bug reference: 4791
> Logged by: Sikkerhed.org ApS
> Email address: support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> Description: NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

This declaration is incorrect. The function is from pgcrypto, and the
pgcrypto declaration is:

CREATE OR REPLACE FUNCTION digest(text, text)
RETURNS bytea
AS '$libdir/pgcrypto', 'pg_digest'
LANGUAGE C IMMUTABLE STRICT;

Notice the "immutable script" part that you are missing.

Any particular reason why you are not using the pgcrypto installation
script?

//Magnus
Re: BUG #4791: NULL value in function causes reproducible segmentation fault
From
Christian Iversen
Date:
Magnus Hagander wrote:
> Sikkerhed.org ApS wrote:
>> The following bug has been logged online:
>>
>> Bug reference: 4791
>> Logged by: Sikkerhed.org ApS
>> Email address: support@sikkerhed.org
>> PostgreSQL version: 8.3.7-0lenny1
>> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
>> Description: NULL value in function causes reproducible segmentation
>> fault
>> Details:
>>
>> We are using a couple of functions in PostgreSQL, namely
>>
>> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
>> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> This declaration is incorrect. The function is from pgcrypto, and the
> pgcrypto declaration is:
> CREATE OR REPLACE FUNCTION digest(text, text)
> RETURNS bytea
> AS '$libdir/pgcrypto', 'pg_digest'
> LANGUAGE C IMMUTABLE STRICT;
>
>
> Notice the "immutable script" part that you are missing.

Ah, of course. It works now, thanks.

> Any particular reason why you are not using the pgcrypto installation
> script?

Only that we hadn't heard of it. We have now updated our database
structure files to reflect this more reasonable approach.

Thank you very much for the quick fix. Should I do something to close
the bug report?

--
Med venlig hilsen / Best regards
Christian Iversen

Sikkerhed.org ApS
Fuglebakkevej 88          E-mail:  support@sikkerhed.org
1. sal                    Web:     www.sikkerhed.org
DK-2000 Frederiksberg     Direct:  ci@sikkerhed.org
On 2009-05-05, Sikkerhed.org ApS <support@sikkerhed.org> wrote:
>
> The following bug has been logged online:
>
> Bug reference: 4791
> Logged by: Sikkerhed.org ApS
> Email address: support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> Description: NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
> ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';
>
>
> We experienced a bad crash on our production server, and narrowed it down to
> a reproducible test case.
>
> The following query will crash the server every time:
>
> SELECT SHA1(NULL);
>
> Please let us know if you require more information.

AFAICT this exploits a documented feature of the 'C' language, namely
if you crash the C the backend is compromised.

The fix is easy:

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C' RETURNS NULL ON NULL INPUT ;
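
A catalog audit for the misdeclaration discussed in this thread, added here as an example and not part of any poster's message: it lists C-language functions that were registered without STRICT, then applies and checks the fix for the thread's digest(text, text). It assumes the standard pg_proc, pg_language and pg_namespace catalogs and that the sha1(text) wrapper from the original report is installed.

```sql
-- List dynamically loaded C functions that take arguments but are not
-- declared STRICT. A hit is a candidate for review, not proof of a bug:
-- a C function may legitimately accept NULLs if its code checks for them.
-- The SQL declaration has to match what the C code expects.
SELECT n.nspname           AS schema_name,
       p.oid::regprocedure AS function_signature,
       p.probin            AS library,
       p.prosrc            AS c_symbol
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname = 'c'
  AND NOT p.proisstrict
  AND p.pronargs > 0
ORDER BY n.nspname, p.proname;

-- Correct the declaration from the bug report in place. STRICT is the
-- same attribute as RETURNS NULL ON NULL INPUT.
ALTER FUNCTION digest(text, text) STRICT;

-- Confirm the flag is now set in the catalog.
SELECT p.oid::regprocedure AS function_signature, p.proisstrict
FROM pg_catalog.pg_proc p
WHERE p.oid = 'digest(text, text)'::regprocedure;

-- The query from the report should now return NULL instead of
-- reaching pg_digest with a NULL argument.
SELECT sha1(NULL) IS NULL AS returns_null;
```

Running the first query after restoring hand-written schema files is a quick way to catch extension functions whose declarations have drifted from the ones shipped in the module's own installation script.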