postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)

Description:
PostgreSQL is a powerful, open source object-relational database system.
After the blog post of lcamtuf and hanno I tried to fuzz psql which is the PostgreSQL interactive terminal.
After make the first call on postgresql security contact they state that they don’t treat it as a security bug or maybe it is not a security bug at all because:
1) Is not safe/supposed that you pass untrusted input to psql;
2) The READ of size 1 and the conditions of the bug make it difficult to exploit and eventually cause damage.

The complete ASan output:

~ # psql -U ago -d ago -f query.sql 
BEGIN
CREATE SCHEMA
COMMENT
CREATE TABLE
COMMENT
CREATE TABLE
CREATE INDEX
COMMENT
INSERT 0 1
INSERT 0 1
psql:query.sql:38: ERROR:  invalid byte sequence for encoding "UTF8": 0xff
psql:query.sql:39: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:40: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:57: ERROR:  syntax error at or near ""
RIGA 3: jobjclid            int4                 NOT NULL REFERENCE...
                         ^
psql:query.sql:58: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:59: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:66: comando errato \LT
psql:query.sql:74: ERROR:  invalid byte sequence for encoding "UTF8": 0x80
psql:query.sql:75: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:76: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:77: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:78: ERROR:  current transaction is aborted, commands ignored until end of transaction block
=================================================================
==20648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000084bf at pc 0x000000520685 bp 0x7ffc1e04f410 sp 0x7ffc1e04f408
READ of size 1 at 0x6110000084bf thread T0
    #0 0x520684 in gets_fromFile /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7
    #1 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #2 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #3 0x566dcd in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:296:19
    #4 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x41b2d8 in _init (/usr/lib64/postgresql-9.5/bin/psql+0x41b2d8)

0x6110000084bf is located 1 bytes to the left of 256-byte region [0x6110000084c0,0x6110000085c0)
allocated by thread T0 here:
    #0 0x4c2828 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f636705274e in initPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:91:23
    #2 0x7f636705274e in createPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:77
    #3 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #4 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #5 0x569ae0 in process_psqlrc_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:684:10
    #6 0x566d80 in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:294:4
    #7 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7 in gets_fromFile
Shadow bytes around the buggy address:
  0x0c227fff9040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff9090: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff90b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20648==ABORTING

Affected version:
All.
Tested on 9.4.8 and 9.5.3

Fixed version:
N/A

Commit fix:
https://github.com/postgres/postgres/commit/ed0b228d7a6b5186adc099f6a31dc33c499ff077

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-07-10: bug discovered
2016-07-12: bug reported privately to upstream
2016-07-12: upstream response
2016-07-29: upstream fix
2016-07-29: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.