postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)

Description:
PostgreSQL is a powerful, open source object-relational database system.
After the blog posts by lcamtuf and hanno, I tried to fuzz psql, the PostgreSQL interactive terminal.
After my first contact with the PostgreSQL security team, they stated that they do not treat it as a security bug, or that it may not be a security bug at all, because:
1) psql is not designed to be given untrusted input;
2) the READ of size 1 and the conditions needed to trigger the bug make it difficult to exploit or to cause any damage.

The complete ASan output:

~ # psql -U ago -d ago -f query.sql 
BEGIN
CREATE SCHEMA
COMMENT
CREATE TABLE
COMMENT
CREATE TABLE
CREATE INDEX
COMMENT
INSERT 0 1
INSERT 0 1
psql:query.sql:38: ERROR:  invalid byte sequence for encoding "UTF8": 0xff
psql:query.sql:39: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:40: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:57: ERROR:  syntax error at or near ""
RIGA 3: jobjclid            int4                 NOT NULL REFERENCE...
                         ^
psql:query.sql:58: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:59: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:66: comando errato \LT
psql:query.sql:74: ERROR:  invalid byte sequence for encoding "UTF8": 0x80
psql:query.sql:75: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:76: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:77: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:78: ERROR:  current transaction is aborted, commands ignored until end of transaction block
=================================================================
==20648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000084bf at pc 0x000000520685 bp 0x7ffc1e04f410 sp 0x7ffc1e04f408
READ of size 1 at 0x6110000084bf thread T0
    #0 0x520684 in gets_fromFile /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7
    #1 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #2 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #3 0x566dcd in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:296:19
    #4 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x41b2d8 in _init (/usr/lib64/postgresql-9.5/bin/psql+0x41b2d8)

0x6110000084bf is located 1 bytes to the left of 256-byte region [0x6110000084c0,0x6110000085c0)
allocated by thread T0 here:
    #0 0x4c2828 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f636705274e in initPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:91:23
    #2 0x7f636705274e in createPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:77
    #3 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #4 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #5 0x569ae0 in process_psqlrc_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:684:10
    #6 0x566d80 in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:294:4
    #7 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7 in gets_fromFile
Shadow bytes around the buggy address:
  0x0c227fff9040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff9090: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff90b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20648==ABORTING
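A read one byte to the left of a freshly created 256-byte PQExpBuffer region, from the end-of-line check in gets_fromFile, is the signature of indexing data[len - 1] while len is 0. The following is an added example, not psql's code: a simplified reader with the same shape (fgets chunks appended to a growable buffer, line complete when it ends in '\n'), showing the unguarded check beside the guarded one and feeding it a constructed line that begins with a NUL byte, so the chunk fgets() returns has strlen 0. The struct, function names, chunk size and input are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not psql's code: a line reader in the shape of
 * gets_fromFile(). fgets() chunks are appended to a growable buffer and the
 * line is complete once the buffer ends in '\n'. */
struct linebuf { char *data; size_t len, cap; };
static void linebuf_append(struct linebuf *b, const char *s) {
    size_t n = strlen(s);          /* a chunk that starts with NUL has n == 0 */
    if (b->len + n + 1 > b->cap) {
        b->cap = (b->len + n + 1) * 2;
        b->data = realloc(b->data, b->cap);
    }
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
}
/* Vulnerable shape (shown, never called): after a NUL-led chunk nothing was
 * appended, len is 0 and data[-1] is read, one byte left of the 256-byte
 * region, the READ of size 1 in the ASan report above. The hardened shape
 * tests the length before indexing. */
int ends_with_newline_unsafe(const struct linebuf *b) { return b->data[b->len - 1] == '\n'; }
int ends_with_newline_safe(const struct linebuf *b) { return b->len > 0 && b->data[b->len - 1] == '\n'; }
/* Reads one logical line (newline stripped) into out; returns 1 if a line was
 * produced, 0 at EOF. The 16-byte chunk forces the multi-chunk path. */
int read_line(FILE *src, char *out, size_t outcap) {
    struct linebuf b = { malloc(256), 0, 256 };  /* 256: initPQExpBuffer's start size */
    char chunk[16]; int got = 0;
    while (fgets(chunk, sizeof chunk, src) != NULL) {
        linebuf_append(&b, chunk);
        if (ends_with_newline_safe(&b)) { b.data[--b.len] = '\0'; got = 1; break; }
    }
    if (got || b.len > 0) { snprintf(out, outcap, "%s", b.data); got = 1; }
    free(b.data);
    return got;
}
/* Constructed input: a NUL-led line, a line longer than one chunk, and an
 * unterminated tail. Returns how many lines were read without faulting. */
int demo(char lines[][64], int max) {
    static const char in[] = "\0hidden\nsecond line, longer than one chunk\ntail";
    FILE *f = tmpfile();
    int n = 0;
    if (!f) return -1;
    fwrite(in, 1, sizeof in - 1, f);
    rewind(f);
    while (n < max && read_line(f, lines[n], 64)) n++;
    fclose(f);
    return n;
}
```

With the guarded check the NUL-led chunk simply contributes nothing and reading continues with the next line; the unguarded check would have read data[-1] at that point.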

Affected version:
All.
Tested on 9.4.8 and 9.5.3

Fixed version:
N/A

Commit fix:
https://github.com/postgres/postgres/commit/ed0b228d7a6b5186adc099f6a31dc33c499ff077

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-07-10: bug discovered
2016-07-12: bug reported privately to upstream
2016-07-12: upstream response
2016-07-29: upstream fix
2016-07-29: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

