BUG #18681: [ECPG] heap-read-out-of-bounds

From: PG Bug reporting form
The following bug has been logged on the website:

Bug reference:      18681
Logged by:          Stanislav Osipov
Email address:      stasos24@gmail.com
PostgreSQL version: 17.0
Operating system:   Ubuntu 22
Description:

{
  "Date": "2024-10-31T12:09:36.204533+00:00",
  "Uname": "Linux d5dbeabbf3a9 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 x86_64 x86_64 GNU/Linux",
  "OS": "Ubuntu",
  "OSRelease": "22.04",
  "Architecture": "amd64",
  "ExecutablePath": "./src/interfaces/ecpg/preproc/ecpg",
  "ProcCmdline": "./src/interfaces/ecpg/preproc/ecpg /final/default/crashes/id:000034,sig:06,src:004259,time:60042406,execs:14167093,op:havoc,rep:8.sql",
  "CrashSeverity": {
    "Type": "NOT_EXPLOITABLE",
    "ShortDescription": "heap-buffer-overflow(read)",
    "Description": "Heap buffer overflow",
    "Explanation": "The target reads data past the end, or before the beginning, of the intended heap buffer."
  },
  "Stacktrace": [
    "    #0 0x540346 in find_variable /postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
    "    #1 0x506247 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y:19969:38",
    "    #2 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    "    #3 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    "    #4 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
    "    #5 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)"
  ],
  "Registers": {},
  "Disassembly": [],
  "Package": "",
  "PackageVersion": "",
  "PackageArchitecture": "",
  "PackageDescription": "",
  "AsanReport": [
    "==2127==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000085 at pc 0x000000540347 bp 0x7fffffff98d0 sp 0x7fffffff98c8",
    "READ of size 1 at 0x603000000085 thread T0",
    "    #0 0x540346 in find_variable /postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
    "    #1 0x506247 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.y:19969:38",
    "    #2 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    "    #3 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    "    #4 0x7ffff7caee3f in __libc_start_main csu/../csu/libc-start.c:392:3",
    "    #5 0x420434 in _start (/postgres/src/interfaces/ecpg/preproc/ecpg+0x420434)",
    "",
    "0x603000000085 is located 0 bytes to the right of 21-byte region [0x603000000070,0x603000000085)",
    "allocated by thread T0 here:",
    "    #0 0x488ee4 in strdup (/postgres/src/interfaces/ecpg/preproc/ecpg+0x488ee4)",
    "    #1 0x53bda2 in mm_strdup /postgres/src/interfaces/ecpg/preproc/type.c:27:17",
    "    #2 0x4d59bd in filtered_base_yylex /postgres/src/interfaces/ecpg/preproc/parser.c:74:15",
    "    #3 0x4e7300 in base_yyparse /postgres/src/interfaces/ecpg/preproc/preproc.c:39493:16",
    "    #4 0x4d3236 in main /postgres/src/interfaces/ecpg/preproc/ecpg.c:483:5",
    "    #5 0x7ffff7caed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16",
    "",
    "SUMMARY: AddressSanitizer: heap-buffer-overflow /postgres/src/interfaces/ecpg/preproc/variable.c:211:13 in find_variable",
    "==2127==ABORTING"
  ],
  "UbsanReport": [],
  "PythonReport": [],
  "GoReport": [],
  "JavaReport": [],
  "RustReport": [],
  "JsReport": [],
  "CSharpReport": [],
  "CrashLine": "/postgres/src/interfaces/ecpg/preproc/variable.c:211:13",
  "Source": [
    "    207    \t\t\t * up the characters",
    "    208    \t\t\t */",
    "    209    \t\t\tfor (count = 1, end = next + 1; count; end++)",
    "    210    \t\t\t{",
    "--->211    \t\t\t\tswitch (*end)",
    "    212    \t\t\t\t{",
    "    213    \t\t\t\t\tcase '[':",
    "    214    \t\t\t\t\t\tcount++;",
    "    215    \t\t\t\t\t\tbreak;",
    "    216    \t\t\t\t\tcase ']':"
  ]
}

Crash input file:
```
execSQL
select:r[[]
```