BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
From | PG Bug reporting form
---|---
Subject | BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Date |
Msg-id | 18617-1cee4d2ed1f4e7ae@postgresql.org
Replies | Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments; Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
List | pgsql-bugs
The following bug has been logged on the website:

Bug reference: 18617
Logged by: Jingzhou Fu
Email address: fuboat@outlook.com
PostgreSQL version: 17rc1
Operating system: Ubuntu 20.04 with docker image 'postgres:17rc1'

Description:

PostgreSQL server 17rc1 subprocess crashes by the XPATH function expression with crafted arguments. The Main process is not affected.

PoC:

```
SELECT XPATH(REPEAT('(', 100000), '<root/>');
```

Client Output:

```
psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
Type "help" for help.

postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
```

GDB Backtrace (It seems to be a stack overflow):

```
#0  0x00007a66b81a74b2 in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007a66b81a86d6 in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007a66b81a908d in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
...
#120767 0x00007a66b81a908d in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
#120768 0x00007a66b81af062 in xmlXPathCompile () from target:/lib/x86_64-linux-gnu/libxml2.so.2
#120769 0x00005a0ebb12c131 in ?? ()
#120770 0x00005a0ebb12cd4e in xpath ()
#120771 0x00005a0ebae4c67a in ?? ()
#120772 0x00005a0ebae7f6b3 in ?? ()
#120773 0x00005a0ebae50145 in standard_ExecutorRun ()
#120774 0x00005a0ebae5f2fd in fmgr_sql ()
#120775 0x00005a0ebae4c67a in ?? ()
#120776 0x00005a0ebaf46efc in evaluate_expr ()
#120777 0x00005a0ebaf47140 in ?? ()
#120778 0x00005a0ebaf480fd in ?? ()
#120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
#120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
#120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
#120782 0x00005a0ebaf2c953 in ?? ()
#120783 0x00005a0ebaf34b02 in subquery_planner ()
#120784 0x00005a0ebaf35459 in standard_planner ()
#120785 0x00005a0ebb001440 in pg_plan_query ()
#120786 0x00005a0ebb001532 in pg_plan_queries ()
#120787 0x00005a0ebb001806 in ?? ()
#120788 0x00005a0ebb0033ee in PostgresMain ()
#120789 0x00005a0ebaffde7f in BackendMain ()
#120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
#120791 0x00005a0ebaf6fa39 in ?? ()
#120792 0x00005a0ebaf71958 in PostmasterMain ()
#120793 0x00005a0ebac96476 in main ()
```
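As an added defensive example (not from the bug report or PostgreSQL's own code): a PL/pgSQL wrapper that bounds parenthesis and predicate nesting before the expression reaches libxml2, since the backtrace above shows one frame per nesting level below xmlXPathCompile. The function name, the default limit of 256 and the choice of error code are assumptions; it is a stopgap for applications that pass user-supplied XPath into xpath(), not a fix for the recursion in libxml2.

```sql
-- Added example: reject over-nested XPath before it is compiled by libxml2.
-- xpath_guarded, the 256 default and the error code are assumptions, not
-- PostgreSQL API.
CREATE OR REPLACE FUNCTION xpath_guarded(expr text, doc xml, max_depth int DEFAULT 256)
RETURNS xml[]
LANGUAGE plpgsql
AS $$
DECLARE
    depth int := 0;   -- current nesting level of '(' and '['
    ch    text;
BEGIN
    -- Single pass over the expression, one character at a time
    -- (string_to_array with a NULL delimiter splits into characters).
    FOREACH ch IN ARRAY string_to_array(expr, NULL) LOOP
        IF ch IN ('(', '[') THEN
            depth := depth + 1;
            -- Stop as soon as the limit is crossed; a 100000-char input
            -- is rejected after max_depth+1 characters.
            IF depth > max_depth THEN
                RAISE EXCEPTION 'XPath nesting depth exceeds % (refusing to compile)', max_depth
                    USING ERRCODE = 'invalid_parameter_value';
            END IF;
        ELSIF ch IN (')', ']') THEN
            depth := depth - 1;
        END IF;
    END LOOP;
    -- Within bounds: delegate to the built-in function. Unbalanced input
    -- below the limit is left for libxml2 to report as a syntax error.
    RETURN xpath(expr, doc);
END;
$$;

-- Constructed usage: the first call returns {<root/>}, the second raises
-- an ERROR in the session instead of terminating the backend.
SELECT xpath_guarded('/root', '<root/>');
SELECT xpath_guarded(repeat('(', 100000), '<root/>');
```

The limit only bounds bracket-driven recursion; other deeply nested XPath constructs are not covered, so treat it as a stopgap to pair with a patched libxml2.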