{"id":372,"date":"2016-07-29T17:30:23","date_gmt":"2016-07-29T15:30:23","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=372"},"modified":"2016-09-07T14:36:08","modified_gmt":"2016-09-07T12:36:08","slug":"postgresql-psql-heap-based-buffer-overflow-in-gets_fromfile-input-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/07\/29\/postgresql-psql-heap-based-buffer-overflow-in-gets_fromfile-input-c\/","title":{"rendered":"postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/www.postgresql.org\">PostgreSQL<\/a> is a powerful, open source object-relational database system.<br \/>\nAfter the blog posts of <a href=\"https:\/\/lcamtuf.blogspot.it\/2015\/04\/finding-bugs-in-sqlite-easy-way.html\">lcamtuf<\/a> and <a href=\"https:\/\/blog.fuzzing-project.org\/10-Two-invalid-read-errors-heap-overflows-in-SQLite-TFPA-0062015.html\">hanno<\/a>, I tried to fuzz psql, which is the PostgreSQL interactive terminal.<br \/>\nAfter making the first call to the PostgreSQL security contact, they stated that they don&#8217;t treat it as a security bug, or maybe it is not a security bug at all, because:<br \/>\n1) It is not safe or expected that you pass untrusted input to psql;<br \/>\n2) The READ of size 1 and the conditions of the bug make it difficult to exploit and eventually cause damage.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\">~ # psql -U ago -d ago -f query.sql \r\nBEGIN\r\nCREATE SCHEMA\r\nCOMMENT\r\nCREATE TABLE\r\nCOMMENT\r\nCREATE TABLE\r\nCREATE INDEX\r\nCOMMENT\r\nINSERT 0 1\r\nINSERT 0 1\r\npsql:query.sql:38: ERROR:  invalid byte sequence for encoding \"UTF8\": 0xff\r\npsql:query.sql:39: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:40: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:57: ERROR:  syntax error at 
or near \"\"\r\nRIGA 3: jobjclid            int4                 NOT NULL REFERENCE...\r\n                         ^\r\npsql:query.sql:58: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:59: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:66: comando errato \\LT\r\npsql:query.sql:74: ERROR:  invalid byte sequence for encoding \"UTF8\": 0x80\r\npsql:query.sql:75: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:76: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:77: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\npsql:query.sql:78: ERROR:  current transaction is aborted, commands ignored until end of transaction block\r\n=================================================================\r\n==20648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000084bf at pc 0x000000520685 bp 0x7ffc1e04f410 sp 0x7ffc1e04f408\r\nREAD of size 1 at 0x6110000084bf thread T0\r\n    #0 0x520684 in gets_fromFile \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/input.c:221:7\r\n    #1 0x52cbfc in MainLoop \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/mainloop.c:140:11\r\n    #2 0x506cf7 in process_file \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/command.c:2249:11\r\n    #3 0x566dcd in main \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/startup.c:296:19\r\n    #4 0x7f6365eac61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #5 0x41b2d8 in _init (\/usr\/lib64\/postgresql-9.5\/bin\/psql+0x41b2d8)\r\n\r\n0x6110000084bf is located 1 bytes to the left of 256-byte region 
[0x6110000084c0,0x6110000085c0)\r\nallocated by thread T0 here:\r\n    #0 0x4c2828 in malloc \/var\/tmp\/portage\/sys-devel\/llvm-3.8.0-r3\/work\/llvm-3.8.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:52\r\n    #1 0x7f636705274e in initPQExpBuffer \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/interfaces\/libpq\/pqexpbuffer.c:91:23\r\n    #2 0x7f636705274e in createPQExpBuffer \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/interfaces\/libpq\/pqexpbuffer.c:77\r\n    #3 0x52cbfc in MainLoop \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/mainloop.c:140:11\r\n    #4 0x506cf7 in process_file \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/command.c:2249:11\r\n    #5 0x569ae0 in process_psqlrc_file \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/startup.c:684:10\r\n    #6 0x566d80 in main \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/startup.c:294:4\r\n    #7 0x7f6365eac61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/dev-db\/postgresql-9.5.3\/work\/postgresql-9.5.3\/src\/bin\/psql\/input.c:221:7 in gets_fromFile\r\nShadow bytes around the buggy address:\r\n  0x0c227fff9040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n  0x0c227fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n  0x0c227fff9060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n  0x0c227fff9070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n=&gt;0x0c227fff9090: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00\r\n  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c227fff90b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa\r\n  
0x0c227fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n  0x0c227fff90d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n  0x0c227fff90e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==20648==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\nAll.<br \/>\nTested on 9.4.8 and 9.5.3<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nhttps:\/\/github.com\/postgres\/postgres\/commit\/ed0b228d7a6b5186adc099f6a31dc33c499ff077<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-07-10: bug discovered<br \/>\n2016-07-12: bug reported privately to upstream<br \/>\n2016-07-12: upstream response<br \/>\n2016-07-29: upstream fix<br \/>\n2016-07-29: blog post about the issue<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"TaKEoYuaab\" class=\"wp-embedded-content\"><p><a 
href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/07\/29\/postgresql-psql-heap-based-buffer-overflow-in-gets_fromfile-input-c\/\">postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Description: PostgreSQL is a powerful, open source object-relational database system. After the blog post of lcamtuf and hanno I tried to fuzz psql which is the PostgreSQL interactive terminal. 
After making the first call to the PostgreSQL security contact, they stated &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/07\/29\/postgresql-psql-heap-based-buffer-overflow-in-gets_fromfile-input-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-60","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/372"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=372"}],"version-history":[{"count":7,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/372\/revisions"}],"predecessor-version":[{"id":391,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/372\/revisions\/391"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}