Обсуждение: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL
@(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL
От
Sir Mordred The Traitor
Дата:
//@(#) Mordred Labs advisory 0x0005 Release data: 23/08/02 Name: Several buffer overruns in PostgreSQL Versions affected: all versions Risk: from average to low --[ Description: PostgreSQL provides you with several builint geo types (circle,polygon,box...etc). Unfortunately the code for geo functions written in a very insecure style and should be totally rewritten, as a quick search revealed this: ---[ Details: 1) Upon invoking a polygon(integer, circle) function a src/backend/utils/adt/geo_ops.c:circle_poly() function will gets called, which suffers from a buffer overflow. 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a buffer overrun condition. It is called in multiple places, the most interesting are path_out() and poly_out() functions. 3) Upon converting a char string to a path object, a src/backend/utils/adt/geo_ops.c:path_in() function will gets called, which suffers from a buffer overrun, caused by a very long argument. 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to detect a buffer overrun condition caused by a very long argument. 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect a simple buffer overrun. 6) And finally, a truly dumb feature (not a security related though) in postmaster: $ postmaster -o `perl -e 'print "\x66" x 1200'` Segmentation fault (core dumped) --[ How to reproduce: I only show how to reproduce a first buffer overrun condition, as the others too memory consuming :-) 1) template1=# select polygon(268435455,'((1,2),3)'::circle); pqReadData() -- backend closed the channel unexpectedly. This probably means the backend terminated abnormally before or while processing the request. The connection to the server was lost. Attempting reset: Failed. !# --[ Solution Drop the vulnerable functions. ________________________________________________________________________ This letter has been delivered unencrypted. We'd like to remind you that the full protection of e-mail correspondence is provided by S-mail encryption mechanisms if only both, Sender and Recipient use S-mail. Register at S-mail.com: http://www.s-mail.com/inf/en
Sir Mordred The Traitor <mordred@s-mail.com> writes: > Upon invoking a polygon(integer, circle) function a > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets > called, which suffers from a buffer overflow. > > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a > buffer overrun condition. It is called in multiple places, the most > interesting are path_out() and poly_out() functions. > 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect > a simple buffer overrun. I've attached a patch which should fix these problems. > 3) Upon converting a char string to a path object, a > src/backend/utils/adt/geo_ops.c:path_in() function will gets called, > which suffers from a buffer overrun, caused by a very long argument. > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to > detect a buffer overrun condition caused by a very long argument. I wasn't able to reproduce either of these (wouldn't it require an input string with several hundred thousand commas?), can you give me a test-case? Cheers, Neil -- Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Вложения
Your patch has been added to the PostgreSQL unapplied patches list at: http://candle.pha.pa.us/cgi-bin/pgpatches I will try to apply it within the next 48 hours. --------------------------------------------------------------------------- Neil Conway wrote: > Sir Mordred The Traitor <mordred@s-mail.com> writes: > > Upon invoking a polygon(integer, circle) function a > > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets > > called, which suffers from a buffer overflow. > > > > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a > > buffer overrun condition. It is called in multiple places, the most > > interesting are path_out() and poly_out() functions. > > > 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect > > a simple buffer overrun. > > I've attached a patch which should fix these problems. > > > 3) Upon converting a char string to a path object, a > > src/backend/utils/adt/geo_ops.c:path_in() function will gets called, > > which suffers from a buffer overrun, caused by a very long argument. > > > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to > > detect a buffer overrun condition caused by a very long argument. > > I wasn't able to reproduce either of these (wouldn't it require an > input string with several hundred thousand commas?), can you give me a > test-case? > > Cheers, > > Neil > > -- > Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073
Patch applied. Thanks. --------------------------------------------------------------------------- Neil Conway wrote: > Sir Mordred The Traitor <mordred@s-mail.com> writes: > > Upon invoking a polygon(integer, circle) function a > > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets > > called, which suffers from a buffer overflow. > > > > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a > > buffer overrun condition. It is called in multiple places, the most > > interesting are path_out() and poly_out() functions. > > > 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect > > a simple buffer overrun. > > I've attached a patch which should fix these problems. > > > 3) Upon converting a char string to a path object, a > > src/backend/utils/adt/geo_ops.c:path_in() function will gets called, > > which suffers from a buffer overrun, caused by a very long argument. > > > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to > > detect a buffer overrun condition caused by a very long argument. > > I wasn't able to reproduce either of these (wouldn't it require an > input string with several hundred thousand commas?), can you give me a > test-case? > > Cheers, > > Neil > > -- > Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania19073