Thread: BUG #4791: NULL value in function causes reproducible segmentation fault

BUG #4791: NULL value in function causes reproducible segmentation fault

From
"Sikkerhed.org ApS"
Date:
The following bug has been logged online:

Bug reference:      4791
Logged by:          Sikkerhed.org ApS
Email address:      support@sikkerhed.org
PostgreSQL version: 8.3.7-0lenny1
Operating system:   Debian GNU/Linux 5.0.1 stable (fully updated)
Description:        NULL value in function causes reproducible segmentation
fault
Details:

We are using a couple of functions in PostgreSQL, namely

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';


We experienced a bad crash on our production server, and narrowed it down to
a reproducible test case.

The following query will crash the server every time:

SELECT SHA1(NULL);

Please let us know if you require more information.

Re: BUG #4791: NULL value in function causes reproducible segmentation fault

From
Magnus Hagander
Date:
Sikkerhed.org ApS wrote:
> The following bug has been logged online:
>
> Bug reference:      4791
> Logged by:          Sikkerhed.org ApS
> Email address:      support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system:   Debian GNU/Linux 5.0.1 stable (fully updated)
> Description:        NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

This declaration is incorrect. The function is from pgcrypto, and the
pgcrypto declaration is:
CREATE OR REPLACE FUNCTION digest(text, text)
RETURNS bytea
AS '$libdir/pgcrypto', 'pg_digest'
LANGUAGE C IMMUTABLE STRICT;


Notice the "IMMUTABLE STRICT" part that you are missing.

Any particular reason why you are not using the pgcrypto installation
script?

//Magnus

Re: BUG #4791: NULL value in function causes reproducible segmentation fault

From
Christian Iversen
Date:
Magnus Hagander wrote:
> Sikkerhed.org ApS wrote:
>> The following bug has been logged online:
>>
>> Bug reference:      4791
>> Logged by:          Sikkerhed.org ApS
>> Email address:      support@sikkerhed.org
>> PostgreSQL version: 8.3.7-0lenny1
>> Operating system:   Debian GNU/Linux 5.0.1 stable (fully updated)
>> Description:        NULL value in function causes reproducible segmentation
>> fault
>> Details:
>>
>> We are using a couple of functions in PostgreSQL, namely
>>
>> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
>> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> This declaration is incorrect. The function is from pgcrypto, and the
> pgcrypto declaration is:
> CREATE OR REPLACE FUNCTION digest(text, text)
> RETURNS bytea
> AS '$libdir/pgcrypto', 'pg_digest'
> LANGUAGE C IMMUTABLE STRICT;
>
>
> Notice the "IMMUTABLE STRICT" part that you are missing.

Ah, of course. It works now, thanks.

> Any particular reason why you are not using the pgcrypto installation
> script?

Only that we hadn't heard of it. We have now updated our database
structure files to reflect this more reasonable approach.

Thank you very much for the quick fix.

Should I do something to close the bug report?

--
Med venlig hilsen / Best regards
Christian Iversen

Sikkerhed.org ApS
Fuglebakkevej 88                       E-mail:  support@sikkerhed.org
1. sal                                 Web:     www.sikkerhed.org
DK-2000 Frederiksberg                  Direkte: ci@sikkerhed.org

On 2009-05-05, Sikkerhed.org ApS <support@sikkerhed.org> wrote:
>
> The following bug has been logged online:
>
> Bug reference:      4791
> Logged by:          Sikkerhed.org ApS
> Email address:      support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system:   Debian GNU/Linux 5.0.1 stable (fully updated)
> Description:        NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
> ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';
>
>
> We experienced a bad crash on our production server, and narrowed it down to
> a reproducible test case.
>
> The following query will crash the server every time:
>
> SELECT SHA1(NULL);
>
> Please let us know if you require more information.

AFAICT this exploits a documented feature of the 'C' language, namely
if you crash the C the backend is compromised.

The fix is easy:

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C'
RETURNS NULL ON NULL INPUT;
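As an added example (not posted by anyone in this thread), the reporter's declaration beside the strict one, and a catalog query that finds every other C-language function in a database that was declared without STRICT and therefore has to handle NULL arguments in its own C code. It assumes the pgcrypto library is installed and uses only catalog columns present in 8.3.

```sql
-- Before: the reporter's declaration. The executor passes a NULL argument
-- straight into pg_digest, which does not expect one, and the backend crashes.
CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea
    AS '$libdir/pgcrypto', 'pg_digest' LANGUAGE C;

-- After: STRICT (the same thing as RETURNS NULL ON NULL INPUT) tells the
-- executor to return NULL without calling the C code when any argument is NULL.
CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea
    AS '$libdir/pgcrypto', 'pg_digest' LANGUAGE C IMMUTABLE STRICT;

-- The SQL wrapper can be strict too, so the NULL never reaches digest() at all.
CREATE OR REPLACE FUNCTION sha1(text) RETURNS text
    AS 'SELECT encode(digest($1, ''sha1''), ''hex'')' LANGUAGE SQL IMMUTABLE STRICT;

SELECT sha1(NULL);   -- NULL instead of a backend crash
SELECT sha1('abc');  -- a9993e364706816aba3e25717850c26c9cd0d89d

-- Audit: every C-language function not marked STRICT. Each of these must test
-- its arguments with PG_ARGISNULL() in the C source; any that does not is a
-- NULL-input crash waiting to happen, exactly like the digest() above.
SELECT n.nspname,
       p.proname,
       oidvectortypes(p.proargtypes) AS args,
       p.probin,   -- shared library
       p.prosrc    -- C symbol inside it
FROM pg_proc p
JOIN pg_language l  ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname = 'c'
  AND NOT p.proisstrict
ORDER BY 1, 2;
```

Built-in non-strict C functions in pg_catalog are written to check for NULLs; the rows worth reviewing are the hand-written declarations outside it.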