Description:
PostgreSQL is a powerful, open source object-relational database system.
After the blog post by lcamtuf and hanno I tried to fuzz psql, the PostgreSQL interactive terminal.
After the first contact with the PostgreSQL security contact, they stated that they don't treat it as a security bug, or that it may not be a security bug at all, because:
1) passing untrusted input to psql is neither safe nor supported;
2) the READ of size 1 and the conditions of the bug make it difficult to exploit and, ultimately, to cause damage.
The complete ASan output:
~ # psql -U ago -d ago -f query.sql
BEGIN
CREATE SCHEMA
COMMENT
CREATE TABLE
COMMENT
CREATE TABLE
CREATE INDEX
COMMENT
INSERT 0 1
INSERT 0 1
psql:query.sql:38: ERROR:  invalid byte sequence for encoding "UTF8": 0xff
psql:query.sql:39: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:40: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:57: ERROR:  syntax error at or near ""
RIGA 3: jobjclid int4 NOT NULL REFERENCE...
        ^
psql:query.sql:58: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:59: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:66: comando errato \LT
psql:query.sql:74: ERROR:  invalid byte sequence for encoding "UTF8": 0x80
psql:query.sql:75: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:76: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:77: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:78: ERROR:  current transaction is aborted, commands ignored until end of transaction block
=================================================================
==20648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000084bf at pc 0x000000520685 bp 0x7ffc1e04f410 sp 0x7ffc1e04f408
READ of size 1 at 0x6110000084bf thread T0
    #0 0x520684 in gets_fromFile /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7
    #1 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #2 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #3 0x566dcd in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:296:19
    #4 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x41b2d8 in _init (/usr/lib64/postgresql-9.5/bin/psql+0x41b2d8)

0x6110000084bf is located 1 bytes to the left of 256-byte region [0x6110000084c0,0x6110000085c0)
allocated by thread T0 here:
    #0 0x4c2828 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f636705274e in initPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:91:23
    #2 0x7f636705274e in createPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:77
    #3 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #4 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #5 0x569ae0 in process_psqlrc_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:684:10
    #6 0x566d80 in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:294:4
    #7 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7 in gets_fromFile
Shadow bytes around the buggy address:
  0x0c227fff9040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff9090: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff90b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20648==ABORTING
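To make the crash site concrete, here is an added C model (not PostgreSQL's code) of the chunk-accumulating line reader in gets_fromFile: the report places the 1-byte READ one byte to the left of the 256-byte PQExpBuffer allocation, which is exactly what an end-of-line test on data[len - 1] does when a chunk begins with a NUL byte and len is still 0. The length guard shown as the fix is assumed to be what the linked upstream commit adds; LineBuf, read_line, read_script_guarded and the embedded script are this example's own names and constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for psql's PQExpBuffer: growable, NUL-terminated, 256 bytes at first. */
typedef struct { char *data; size_t len, maxlen; } LineBuf;
static void lb_reset(LineBuf *b) {
    if (!b->data) { b->maxlen = 256; b->data = malloc(b->maxlen); }
    b->len = 0; b->data[0] = '\0';
}
static void lb_append(LineBuf *b, const char *s) {
    size_t n = strlen(s);                 /* a chunk starting with NUL appends nothing */
    while (b->len + n + 1 > b->maxlen) { b->maxlen *= 2; b->data = realloc(b->data, b->maxlen); }
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
}
static char *dup_str(const char *s) { size_t n = strlen(s) + 1; return memcpy(malloc(n), s, n); }

/* Read one logical line by accumulating fgets() chunks, as gets_fromFile does.
 * guarded == 0 keeps the pre-fix end-of-line test: when len == 0 it indexes
 * data[len - 1], one byte before the 256-byte allocation, which is the 1-byte
 * READ in the ASan report above. guarded == 1 adds the length check.
 * Returns a malloc'd line without its newline, or NULL at EOF. */
static char *read_line(FILE *src, LineBuf *b, int guarded) {
    char chunk[1024];
    lb_reset(b);
    for (;;) {
        if (!fgets(chunk, sizeof chunk, src))
            return b->len ? dup_str(b->data) : NULL;   /* EOF: flush a partial last line */
        lb_append(b, chunk);
        if ((!guarded || b->len > 0) && b->data[b->len - 1] == '\n') {
            b->data[b->len - 1] = '\0';
            return dup_str(b->data);
        }
    }
}

/* Run the guarded reader over a constructed script whose second line begins with
 * a NUL byte; copy the lines read into `out` and return how many there were.
 * The NUL line adds nothing to the buffer, so the guard skips it instead of
 * letting the end-of-line test read data[-1]. */
int read_script_guarded(char out[][64], int max) {
    static const char script[] = "SELECT 1;\n\0garbage\nSELECT 2;\n";  /* constructed input */
    FILE *f = tmpfile();
    fwrite(script, 1, sizeof script - 1, f);
    rewind(f);
    LineBuf b = {0}; int n = 0; char *line;
    while (n < max && (line = read_line(f, &b, 1)) != NULL) { snprintf(out[n++], 64, "%s", line); free(line); }
    fclose(f); free(b.data);
    return n;
}
```

Built with -fsanitize=address and called with guarded == 0 on the same script, read_line trips the same heap-buffer-overflow READ of size 1, one byte left of a 256-byte region, as the trace above.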
Affected version:
All.
Tested on 9.4.8 and 9.5.3
Fixed version:
N/A
Commit fix:
https://github.com/postgres/postgres/commit/ed0b228d7a6b5186adc099f6a31dc33c499ff077
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-07-10: bug discovered
2016-07-12: bug reported privately to upstream
2016-07-12: upstream response
2016-07-29: upstream fix
2016-07-29: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)