Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments

From: Erik Wienhold <ewie(at)ewie(dot)name>
To: fuboat(at)outlook(dot)com
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Date: 2024-09-13 16:17:43
Message-ID: 08a0ba98-2dec-4773-8bfd-9eaced528372@ewie.name
Lists: pgsql-bugs

On 2024-09-13 14:31 +0200, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 18617
> Logged by: Jingzhou Fu
> Email address: fuboat(at)outlook(dot)com
> PostgreSQL version: 17rc1
> Operating system: Ubuntu 20.04 with docker image 'postgres:17rc1'
> Description:
>
> PostgreSQL server 17rc1 subprocess crashes by the XPATH function expression
> with crafted arguments. The Main process is not affected.
>
> PoC:
> ```
> SELECT XPATH(REPEAT('(', 100000), '<root/>');
> ```

This looks a lot like https://gitlab.gnome.org/GNOME/libxml2/-/issues/137

What is your libxml2 version?

> Client Output:
> ```
> psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
> Type "help" for help.
> postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
> The connection to the server was lost. Attempting reset: Failed.
> ```
>
> GDB Backtrace (It seems to be a stack overflow):
> ```
> #0 0x00007a66b81a74b2 in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
> #1 0x00007a66b81a86d6 in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
> #2 0x00007a66b81a908d in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
> ...
> #120767 0x00007a66b81a908d in ?? () from target:/lib/x86_64-linux-gnu/libxml2.so.2
> #120768 0x00007a66b81af062 in xmlXPathCompile () from target:/lib/x86_64-linux-gnu/libxml2.so.2
> #120769 0x00005a0ebb12c131 in ?? ()
> #120770 0x00005a0ebb12cd4e in xpath ()
> #120771 0x00005a0ebae4c67a in ?? ()
> #120772 0x00005a0ebae7f6b3 in ?? ()
> #120773 0x00005a0ebae50145 in standard_ExecutorRun ()
> #120774 0x00005a0ebae5f2fd in fmgr_sql ()
> #120775 0x00005a0ebae4c67a in ?? ()
> #120776 0x00005a0ebaf46efc in evaluate_expr ()
> #120777 0x00005a0ebaf47140 in ?? ()
> #120778 0x00005a0ebaf480fd in ?? ()
> #120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
> #120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
> #120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
> #120782 0x00005a0ebaf2c953 in ?? ()
> #120783 0x00005a0ebaf34b02 in subquery_planner ()
> #120784 0x00005a0ebaf35459 in standard_planner ()
> #120785 0x00005a0ebb001440 in pg_plan_query ()
> #120786 0x00005a0ebb001532 in pg_plan_queries ()
> #120787 0x00005a0ebb001806 in ?? ()
> #120788 0x00005a0ebb0033ee in PostgresMain ()
> #120789 0x00005a0ebaffde7f in BackendMain ()
> #120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
> #120791 0x00005a0ebaf6fa39 in ?? ()
> #120792 0x00005a0ebaf71958 in PostmasterMain ()
> #120793 0x00005a0ebac96476 in main ()
> ```

I can reproduce it with libxml2 2.13.3 on 70d1c664f4:

Program received signal SIGSEGV, Segmentation fault.
0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
#0 0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
#1 0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
#2 0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
#3 0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
[...snip...]
#104680 0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
#104681 0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
#104682 0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
#104683 0x00007a19bf20d655 in xmlXPathCtxtCompile () from /usr/lib/libxml2.so.2
#104684 0x00005fcff7ca11fc in xpath_internal ()
#104685 0x00005fcff7ca1d5d in xpath ()
#104686 0x00005fcff79cc33e in ExecInterpExpr ()
#104687 0x00005fcff79fe8f0 in ExecResult ()
#104688 0x00005fcff79cfbda in standard_ExecutorRun ()
#104689 0x00005fcff79df013 in fmgr_sql ()
#104690 0x00005fcff79cc33e in ExecInterpExpr ()
#104691 0x00005fcff7abd798 in evaluate_expr ()
#104692 0x00005fcff7abd991 in simplify_function ()
#104693 0x00005fcff7abe8ed in eval_const_expressions_mutator ()
#104694 0x00005fcff7a35b69 in expression_tree_mutator_impl ()
#104695 0x00005fcff7a36262 in expression_tree_mutator_impl ()
#104696 0x00005fcff7abf836 in eval_const_expressions ()
#104697 0x00005fcff7aa38b1 in preprocess_expression ()
#104698 0x00005fcff7aab394 in subquery_planner ()
#104699 0x00005fcff7aabfbf in standard_planner ()
#104700 0x00005fcff7b7660a in pg_plan_query ()
#104701 0x00005fcff7b76713 in pg_plan_queries ()
#104702 0x00005fcff7b769e4 in exec_simple_query ()
#104703 0x00005fcff7b78791 in PostgresMain ()
#104704 0x00005fcff7b730df in BackendMain ()
#104705 0x00005fcff7ae2edb in postmaster_child_launch ()
#104706 0x00005fcff7ae61c1 in ServerLoop.isra.0 ()
#104707 0x00005fcff7ae7d6d in PostmasterMain ()
#104708 0x00005fcff78200c3 in main ()

--
Erik
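Both backtraces above show the crash inside libxml2's XPath compiler while it is recursing on the deeply nested expression, and the report itself notes the PoC is a one-liner any user who can run SQL can issue. A backend killed by SIGSEGV also makes the postmaster terminate every other session and run crash recovery, so this is a denial of service against the whole instance, not just the offending connection. The durable fix is a libxml2 with the recursion issue addressed; until then, an application that passes user-influenced expressions into xpath() can bound their nesting before libxml2 ever sees them. The following is an added example, not code from the bug report, from Erik's reply, or from PostgreSQL: safe_xpath() and its default limit of 64 are assumptions chosen for illustration.

```sql
-- Added example, not part of the bug report or of PostgreSQL itself.
-- safe_xpath() is a hypothetical wrapper that bounds the nesting depth of an
-- XPath expression before handing it to xpath(), so an attacker-supplied
-- expression such as repeat('(', 100000) is rejected with an ordinary error
-- instead of driving libxml2's recursive compiler off the stack.
-- The limit of 64 is an assumed default, not a value from libxml2 or PostgreSQL.
CREATE OR REPLACE FUNCTION safe_xpath(expr text, doc xml, max_depth int DEFAULT 64)
RETURNS xml[]
LANGUAGE plpgsql
IMMUTABLE         -- the scan is deterministic and xpath() is itself immutable
STRICT            -- NULL in, NULL out, matching xpath()'s own behaviour
AS $$
DECLARE
    depth    int := 0;   -- current nesting level while scanning
    max_seen int := 0;   -- deepest level reached anywhere in the expression
    ch       text;
BEGIN
    -- One pass over the expression, counting '(' and '[' nesting.
    -- Parentheses inside XPath string literals are counted too; that can only
    -- make the check stricter, never weaker.
    FOR i IN 1 .. length(expr) LOOP
        ch := substr(expr, i, 1);
        IF ch IN ('(', '[') THEN
            depth := depth + 1;
            max_seen := greatest(max_seen, depth);
        ELSIF ch IN (')', ']') THEN
            depth := depth - 1;
        END IF;
    END LOOP;

    IF max_seen > max_depth THEN
        RAISE EXCEPTION 'XPath expression nesting depth % exceeds limit %',
                        max_seen, max_depth
              USING ERRCODE = 'invalid_parameter_value';
    END IF;

    RETURN xpath(expr, doc);
END;
$$;

-- Ordinary expressions pass straight through to xpath():
SELECT safe_xpath('/root/a[@id="1"]/text()', '<root><a id="1">x</a></root>');

-- The PoC from the report now fails with a regular SQL error
-- instead of terminating the backend:
SELECT safe_xpath(repeat('(', 100000), '<root/>');
```

The wrapper only protects call sites the application controls: a role that can run arbitrary SQL can still call xpath(), xpath_exists() or XMLTABLE directly, and the depth count only bounds the parenthesis and predicate nesting used by this PoC, not every construct that could make the compiler recurse. Treat it as a stopgap for the application layer while the libxml2 package is updated.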

Browse pgsql-bugs by date

Next message: Tom Lane, 2024-09-13 16:18:58, Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Previous message: Pavel Borisov, 2024-09-13 14:51:30, Re: BUG #18616: Long-running hash index build can not be interrupted