| Field | Value |
|---|---|
| From | Flavien GUEDEZ <flav(dot)pg(at)oopacity(dot)net> |
| To | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject | Insufficient memory access checks in pglz_decompress |
| Date | 2023-10-18 14:21:57 |
| Message-ID | 01fc0593-e31e-463d-902c-dd43174acee2@oopacity.net |
| Lists | pgsql-bugs |
Hi,

After some investigation of very corrupted toast data in one
postgres instance, I found that the pglz_decompress function (in
common/pg_lzcompress.c) does not correctly check where it copies data
from using memcpy(), which could result in a segfault.

In this function, there are other checks to ensure that we do not copy
past the destination end, but not if we copy data from "before the
beginning".

Apologies, I am not a C developer and I am not used to submitting patches.
Though I have tried and attached a kind of PoC with a relatively random
corrupted payload (it was beginning with those bytes in my storage for
obscure reasons).

Also attached is a simple patch of what could be done just before the
memcpy calls.

Regards,
Flavien
Attachment | Content-Type | Size |
---|---|---|
check_for_corrupted.patch | text/x-patch | 822 bytes |
poc.c | text/x-csrc | 671 bytes |
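The class of defect described in the report, a back-reference whose offset points before the start of the output buffer, is easy to see in a small LZ77-style decoder. The following is an added example written for this page; it is not the attached poc.c, not the attached patch, and not PostgreSQL's pglz format or code. The two-tag stream format, the `toy_decompress` function and the `demo_*` inputs are all constructed for illustration. The decoder performs both checks a hardened implementation needs: the existing-style check that a copy does not run past the destination end, and the check the report asks for, that the copy source (`dp - off`) does not lie before the start of the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed toy stream format (NOT pglz's real tag layout):
 *   0x00 <byte>        emit one literal byte
 *   0x01 <off> <len>   copy <len> bytes starting <off> bytes back in the output
 *
 * Returns the number of output bytes produced, or -1 on corrupt input.
 */
int toy_decompress(const uint8_t *src, size_t srclen, uint8_t *dst, size_t dstlen)
{
    size_t sp = 0, dp = 0;

    while (sp < srclen) {
        uint8_t tag = src[sp++];

        if (tag == 0x00) {
            /* literal: need one more input byte and one free output byte */
            if (sp >= srclen || dp >= dstlen)
                return -1;
            dst[dp++] = src[sp++];
        } else if (tag == 0x01) {
            if (sp + 2 > srclen)
                return -1;
            size_t off = src[sp++];
            size_t len = src[sp++];

            /* destination overrun check: the copy must fit in what is left */
            if (len > dstlen - dp)
                return -1;

            /*
             * The check the bug report is about: the copy source must not lie
             * before the beginning of the output buffer. A back-reference can
             * only point into bytes already produced, so off must be in [1, dp].
             */
            if (off == 0 || off > dp)
                return -1;

            /* byte-by-byte copy so overlapping runs (off < len) repeat correctly */
            for (size_t i = 0; i < len; i++, dp++)
                dst[dp] = dst[dp - off];
        } else {
            return -1; /* unknown tag */
        }
    }
    return (int)dp;
}

/* Constructed input: "ab" followed by a back-reference that repeats it twice. */
int demo_valid(void)
{
    const uint8_t src[] = { 0x00, 'a', 0x00, 'b', 0x01, 2, 4 };
    uint8_t dst[16];
    int n = toy_decompress(src, sizeof src, dst, sizeof dst);
    return n == 6 && memcmp(dst, "ababab", 6) == 0;
}

/* Constructed corrupt input: only one byte has been output, offset 5 points before it. */
int demo_backref_before_start(void)
{
    const uint8_t src[] = { 0x00, 'a', 0x01, 5, 3 };
    uint8_t dst[16];
    return toy_decompress(src, sizeof src, dst, sizeof dst) == -1;
}

/* Constructed corrupt input: a 100-byte copy into a 16-byte destination. */
int demo_dest_overrun(void)
{
    const uint8_t src[] = { 0x00, 'a', 0x01, 1, 100 };
    uint8_t dst[16];
    return toy_decompress(src, sizeof src, dst, sizeof dst) == -1;
}

int main(void)
{
    printf("valid stream decodes:            %s\n", demo_valid() ? "yes" : "no");
    printf("back-reference before start:     %s\n", demo_backref_before_start() ? "rejected" : "ACCEPTED");
    printf("destination overrun:             %s\n", demo_dest_overrun() ? "rejected" : "ACCEPTED");
    return 0;
}
```

Without the `off > dp` test, the second input would read `dst[dp - off]` with `dp - off` wrapping to a huge unsigned value, which is exactly the out-of-bounds read the report describes for corrupted toast data; the rejection turns a crash on corrupt storage into a clean error return.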