BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag

From: PG Bug reporting form
Subject: BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag
Msg-id: 19413-cf98b0a31559b77b@postgresql.org
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      19413
Logged by:          Nikita Kalinin
Email address:      n.kalinin@postgrespro.ru
PostgreSQL version: 18.2
Operating system:   ubuntu 22.04
Description:

When building with ASAN:
CPPFLAGS="-O0 -ggdb3 -fno-omit-frame-pointer -fsanitize=address
-fsanitize=undefined -fno-sanitize-recover=all
-fno-sanitize=nonnull-attribute -fstack-protector"
LDFLAGS="-fsanitize=address -fsanitize=undefined"

Runtime ASAN options:

ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:disable_coredump=0:strict_string_checks=1:check_initialization_order=1:strict_init_order=1:detct_odr_violation=0:detect_stack_use_after_return=0

The following queries:
CREATE COLLATION lt_insensitive (provider = icu, locale = 'enu-ks-level1',
deterministic = false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
deterministic = false);
CREATE COLLATION x (provider = icu, locale = 'en-u-ks-level1', deterministic
= false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
deterministic = false);

produce this in the log:
==206378==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffc4e1629c3 at pc 0x7025dbac6f8f bp 0x7ffc4e162960 sp 0x7ffc4e162108
READ of size 7 at 0x7ffc4e1629c3 thread T0
    #0 0x7025dbac6f8e in strcmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:470
    #1 0x5e20dd343a7b in foldcase_options
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:1000
    #2 0x5e20dd340b46 in pg_ucasemap_open
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:523
    #3 0x5e20dd3403b0 in create_pg_locale_icu
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:385
    #4 0x5e20dd337563 in create_pg_locale
/home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1065
    #5 0x5e20dd338ecd in pg_newlocale_from_collation
/home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1233
    #6 0x5e20dbc3f66b in DefineCollation
/home/test/test/postgres/src/backend/commands/collationcmds.c:387
    #7 0x5e20dce94634 in ProcessUtilitySlow
/home/test/test/postgres/src/backend/tcop/utility.c:1441
    #8 0x5e20dce90e19 in standard_ProcessUtility
/home/test/test/postgres/src/backend/tcop/utility.c:1068
    #9 0x5e20dce8e5f8 in ProcessUtility
/home/test/test/postgres/src/backend/tcop/utility.c:525
    #10 0x5e20dce8997b in PortalRunUtility
/home/test/test/postgres/src/backend/tcop/pquery.c:1148
    #11 0x5e20dce8a6cb in PortalRunMulti
/home/test/test/postgres/src/backend/tcop/pquery.c:1306
    #12 0x5e20dce87477 in PortalRun
/home/test/test/postgres/src/backend/tcop/pquery.c:783
    #13 0x5e20dce70014 in exec_simple_query
/home/test/test/postgres/src/backend/tcop/postgres.c:1277
    #14 0x5e20dce7f5b2 in PostgresMain
/home/test/test/postgres/src/backend/tcop/postgres.c:4809
    #15 0x5e20dce60a21 in BackendMain
/home/test/test/postgres/src/backend/tcop/backend_startup.c:124
    #16 0x5e20dc9daeb3 in postmaster_child_launch
/home/test/test/postgres/src/backend/postmaster/launch_backend.c:268
    #17 0x5e20dc9ec38a in BackendStartup
/home/test/test/postgres/src/backend/postmaster/postmaster.c:3606
    #18 0x5e20dc9e66af in ServerLoop
/home/test/test/postgres/src/backend/postmaster/postmaster.c:1713
    #19 0x5e20dc9e5117 in PostmasterMain
/home/test/test/postgres/src/backend/postmaster/postmaster.c:1403
    #20 0x5e20dc2ee164 in main
/home/test/test/postgres/src/backend/main/main.c:231
    #21 0x7025da62a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7025da62a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #23 0x5e20db2c4cf4 in _start (/tmp/pg/bin/postgres+0x339bcf4) (BuildId:
1e8e5e00d069d99fbf1e4d1d7e56eeb0ddec1ca0)

Address 0x7ffc4e1629c3 is located in stack of thread T0 at offset 51 in
frame
    #0 0x5e20dd34394f in foldcase_options
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:988

The issue occurs only when strict_string_checks=1 is enabled.
If this option is removed from ASAN_OPTIONS, the problem disappears.
It reproduces only on master. I was not able to reproduce it on
REL_18_STABLE.
Is this expected behavior, or is the real issue that strcmp receives an
invalid argument — lang is not a null-terminated string?


Note: the web form only allowed selecting 18.2, but the issue reproduces on
current git master (future 19) and not on REL_18_STABLE.
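As an added illustration (not code from the report or from PostgreSQL), the following C model shows the failure mode the report suspects: an ICU-style getter fills a fixed stack buffer, reports success even when it could not write the terminating NUL, and a later strcmp() reads past the buffer, which is exactly what ASAN's strict_string_checks=1 catches. The getter, the buffer capacity and the compared language values ("tr", "az") are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Modelled on ICU's UErrorCode convention: warnings are negative, and a plain
 * success test (ICU's U_SUCCESS() is "status <= 0") also accepts the case where
 * the output buffer was filled with no room left for the terminating NUL. */
enum { STATUS_NOT_TERMINATED = -1, STATUS_OK = 0, STATUS_OVERFLOW = 1 };
#define SUCCESS(s) ((s) <= STATUS_OK)

#define LANG_CAPACITY 4 /* constructed small capacity so the edge case is easy to hit */

/* Constructed stand-in for an ICU-style getter: copies the language subtag of a
 * BCP 47 tag (everything before the first '-' or '_') into buf and writes the
 * NUL only if it fits, exactly like the ICU convention described above. */
static int get_language_subtag(const char *tag, char *buf, size_t cap)
{
    size_t n = strcspn(tag, "-_");
    if (n > cap) { memcpy(buf, tag, cap); return STATUS_OVERFLOW; }
    memcpy(buf, tag, n);
    if (n == cap) return STATUS_NOT_TERMINATED; /* buffer full, no NUL written */
    buf[n] = '\0';
    return STATUS_OK;
}

/* "Before": the pattern the report suspects. Only SUCCESS() is checked, so for a
 * subtag exactly LANG_CAPACITY bytes long strcmp() walks past the end of lang
 * looking for a NUL; ASAN with strict_string_checks=1 flags that read.
 * The values "tr"/"az" are assumed for this example, not taken from the report. */
bool turkic_folding_unsafe(const char *tag)
{
    char lang[LANG_CAPACITY];
    int status = get_language_subtag(tag, lang, sizeof lang);
    if (!SUCCESS(status))
        return false;
    return strcmp(lang, "tr") == 0 || strcmp(lang, "az") == 0;
}

/* "After": an unterminated result is rejected (the warning counts as failure) and
 * the comparison is bounded by the buffer size, so no read can leave lang. */
bool turkic_folding_checked(const char *tag)
{
    char lang[LANG_CAPACITY];
    int status = get_language_subtag(tag, lang, sizeof lang);
    if (status != STATUS_OK)
        return false;
    return strncmp(lang, "tr", sizeof lang) == 0 || strncmp(lang, "az", sizeof lang) == 0;
}
```

Compile with -fsanitize=address and ASAN_OPTIONS=strict_string_checks=1, then call turkic_folding_unsafe() with a four-letter subtag such as "abcd-u-ks-level1" to see the same stack-buffer-overflow report; the checked variant simply returns false for that input.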