7. PostgreSQL Server 15.2 (ASAN Enabled) Subprocess Went down at Function 'heap_form_tuple'

From: <fjz22(at)mails(dot)tsinghua(dot)edu(dot)cn>
To: <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Cc: <ljiee(at)mail(dot)tsinghua(dot)edu(dot)cn>, <wuzy21(at)mails(dot)tsinghua(dot)edu(dot)cn>
Subject: 7. PostgreSQL Server 15.2 (ASAN Enabled) Subprocess Went down at Function 'heap_form_tuple'
Date: 2023-04-13 16:43:40
Message-ID: 00c301d96e27$1a7dc410$4f794c30$@mails.tsinghua.edu.cn
Lists: pgsql-bugs

Description: PostgreSQL Server (ASAN Enabled) Subprocess Went down at
Function 'heap_form_tuple'

PostgreSQL Server Version: PostgreSQL 15.2 on x86_64-pc-linux-gnu, compiled
by Ubuntu clang version 12.0.1, 64-bit

Discoverer: Jingzhou Fu, Jie Liang and Zhiyong Wu in WingTecher Lab of
Tsinghua University and Shuimuyulin ltd

Email address: fjz22(at)mails(dot)tsinghua(dot)edu(dot)cn , wuzy21(at)mails(dot)tsinghua(dot)edu(dot)cn
, ljiee(at)mail(dot)tsinghua(dot)edu(dot)cn

PoC:

```sql
-- Superuser-only switch that permits DDL on system catalogs.
SET allow_system_table_mods = on;

CREATE TABLE test_pg_dump_t1 (test_pg_dump_v1 int);

-- Widen pg_description from its compiled-in 4 columns to 5.
ALTER TABLE pg_description ADD COLUMN transaction_test6 int;

-- CreateComments builds the pg_description tuple with stack arrays sized
-- for 4 columns; heap_form_tuple walks the 5-column descriptor and reads
-- one byte past nulls[] (see the ASan frame layout below).
COMMENT ON COLUMN test_pg_dump_t1.test_pg_dump_v1 IS 'test_pg_dump_v1';
```

Backtrace:

```
==3273==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdf0cd4484 at pc 0x00000059305c bp 0x7ffdf0cd4120 sp 0x7ffdf0cd4118
READ of size 1 at 0x7ffdf0cd4484 thread T0
    #0 0x59305b in heap_form_tuple (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x59305b)
    #1 0xbfb595 in CreateComments (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfb595)
    #2 0xbfa81b in CommentObject (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfa81b)
    #3 0x1705df5 in ProcessUtilitySlow (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x1705df5)
    #4 0x16fc933 in standard_ProcessUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16fc933)
    #5 0x16fa616 in ProcessUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16fa616)
    #6 0x16f9666 in PortalRunUtility (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f9666)
    #7 0x16f7605 in PortalRunMulti (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f7605)
    #8 0x16f559a in PortalRun (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16f559a)
    #9 0x16e9693 in exec_simple_query (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16e9693)
    #10 0x16e7a62 in PostgresMain (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x16e7a62)
    #11 0x144c17a in BackendRun (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x144c17a)
    #12 0x144ad84 in BackendStartup (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x144ad84)
    #13 0x14481e5 in ServerLoop (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x14481e5)
    #14 0x1443e0e in PostmasterMain (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x1443e0e)
    #15 0x106ebf1 in main (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x106ebf1)
    #16 0x7f2f8fe4e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x49fc0d in _start (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x49fc0d)

Address 0x7ffdf0cd4484 is located in stack of thread T0 at offset 388 in frame
    #0 0xbfafef in CreateComments (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0xbfafef)

  This frame has 4 object(s):
    [32, 248) 'skey'
    [320, 352) 'values'
    [384, 388) 'nulls' <== Memory access at offset 388 overflows this variable
    [400, 404) 'replaces'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/bin_original_asan/usr/local/pgsql/bin/postgres+0x59305b) in heap_form_tuple
Shadow bytes around the buggy address:
  0x10003e192840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192860: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e192870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2
  0x10003e192880: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
=>0x10003e192890:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e1928a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003e1928b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10003e1928c0: 00 04 f2 f2 00 f2 f2 f2 f8 f8 f2 f2 00 00 f2 f2
  0x10003e1928d0: 00 00 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10003e1928e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3273==ABORTING
```
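The bug class the report exposes, modelled in C as an added illustration that is not PostgreSQL's code and not part of the original message: the caller (CreateComments) sizes its stack arrays from the compile-time catalog width, while the tuple former (heap_form_tuple) walks the runtime tuple descriptor, which `ALTER TABLE pg_description ADD COLUMN` has widened from 4 to 5 attributes. The frame layout in the ASan output (`values` 32 bytes, `nulls` 4 bytes, read at offset 388) is what the constants below are taken from; the type and function names (`TupleDescModel`, `form_tuple_unchecked`, `form_tuple_checked`, `create_comment_model`) are hypothetical stand-ins, and the hardened variant models a capacity check rather than whatever fix the project adopted.

```c
/*
 * Added illustration, not PostgreSQL source. Models the shape the ASan
 * report points at: the caller sizes its stack arrays from the compile-time
 * catalog width (Natts_pg_description == 4), while the tuple former walks
 * the runtime tuple descriptor, which ALTER TABLE has widened to 5.
 * All names below are hypothetical stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NATTS_PG_DESCRIPTION 4   /* width compiled into the caller */

/* Runtime descriptor, as the relcache reports it after any ALTER TABLE. */
typedef struct {
    int natts;
} TupleDescModel;

/*
 * Vulnerable shape: trusts desc->natts and indexes the caller's array with
 * it. With natts == 5 and a 4-element array it reads nulls[4], one byte past
 * the buffer, which is the "READ of size 1" ASan reported.
 * Returns the number of null attributes (the bitmap encoding is elided).
 */
static int form_tuple_unchecked(const TupleDescModel *desc, const bool *nulls)
{
    int nnulls = 0;
    for (int i = 0; i < desc->natts; i++)
        if (nulls[i])           /* out of bounds once natts > array length */
            nnulls++;
    return nnulls;
}

/*
 * Hardened shape: the caller states how many slots it allocated and the
 * former refuses a wider descriptor instead of reading past the array.
 * Returns -1 on mismatch, otherwise the null count.
 */
static int form_tuple_checked(const TupleDescModel *desc, const bool *nulls,
                              size_t capacity)
{
    if (desc->natts < 0 || (size_t) desc->natts > capacity)
        return -1;              /* catalog no longer matches the compiled width */
    return form_tuple_unchecked(desc, nulls);
}

/*
 * Mirrors the CreateComments frame: a fixed-size nulls[] (the real frame also
 * holds values[] and replaces[] of the same width). Slot 3 is marked null as
 * constructed sample input.
 */
static int create_comment_model(const TupleDescModel *desc, bool hardened)
{
    bool nulls[NATTS_PG_DESCRIPTION];

    memset(nulls, 0, sizeof nulls);
    nulls[3] = true;

    if (hardened)
        return form_tuple_checked(desc, nulls, NATTS_PG_DESCRIPTION);
    return form_tuple_unchecked(desc, nulls);   /* PoC path: overflows when natts == 5 */
}

int main(void)
{
    TupleDescModel stock = { NATTS_PG_DESCRIPTION };        /* pristine catalog */
    TupleDescModel widened = { NATTS_PG_DESCRIPTION + 1 };  /* after ADD COLUMN */

    printf("stock catalog, hardened:   %d\n", create_comment_model(&stock, true));
    printf("widened catalog, hardened: %d\n", create_comment_model(&widened, true));
    /* create_comment_model(&widened, false) is the ASan-reported overflow;
     * build with -fsanitize=address and call it to reproduce the report shape. */
    return 0;
}
```

Note that the precondition for the original PoC is `allow_system_table_mods = on`, which only a superuser can set, so the practical exposure is a superuser crashing its own backend rather than an unprivileged escalation; the capacity check above is the kind of defence-in-depth that turns the silent out-of-bounds read into a clean error regardless of what the catalog has been altered to.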
