| From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Cc: | fuboat(at)outlook(dot)com |
| Subject: | BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments |
| Date: | 2024-09-13 12:31:20 |
| Message-ID: | 18617-1cee4d2ed1f4e7ae@postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 18617
Logged by: Jingzhou Fu
Email address: fuboat(at)outlook(dot)com
PostgreSQL version: 17rc1
Operating system: Ubuntu 20.04 with docker image 'postgres:17rc1'
Description:
PostgreSQL server 17rc1 subprocess crashes by the XPATH function expression
with crafted arguments. The Main process is not affected.
PoC:
```
SELECT XPATH(REPEAT('(', 100000), '<root/>');
```
Client Output:
```
psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
Type "help" for help.
postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
```
GDB Backtrace (It seems to be a stack overflow):
```
#0 0x00007a66b81a74b2 in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#1 0x00007a66b81a86d6 in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#2 0x00007a66b81a908d in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
...
#120767 0x00007a66b81a908d in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#120768 0x00007a66b81af062 in xmlXPathCompile () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#120769 0x00005a0ebb12c131 in ?? ()
#120770 0x00005a0ebb12cd4e in xpath ()
#120771 0x00005a0ebae4c67a in ?? ()
#120772 0x00005a0ebae7f6b3 in ?? ()
#120773 0x00005a0ebae50145 in standard_ExecutorRun ()
#120774 0x00005a0ebae5f2fd in fmgr_sql ()
#120775 0x00005a0ebae4c67a in ?? ()
#120776 0x00005a0ebaf46efc in evaluate_expr ()
#120777 0x00005a0ebaf47140 in ?? ()
#120778 0x00005a0ebaf480fd in ?? ()
#120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
#120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
#120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
#120782 0x00005a0ebaf2c953 in ?? ()
#120783 0x00005a0ebaf34b02 in subquery_planner ()
#120784 0x00005a0ebaf35459 in standard_planner ()
#120785 0x00005a0ebb001440 in pg_plan_query ()
#120786 0x00005a0ebb001532 in pg_plan_queries ()
#120787 0x00005a0ebb001806 in ?? ()
#120788 0x00005a0ebb0033ee in PostgresMain ()
#120789 0x00005a0ebaffde7f in BackendMain ()
#120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
#120791 0x00005a0ebaf6fa39 in ?? ()
#120792 0x00005a0ebaf71958 in PostmasterMain ()
#120793 0x00005a0ebac96476 in main ()
```
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Borisov | 2024-09-13 14:51:30 | Re: BUG #18616: Long-running hash index build can not be interrupted |
| Previous Message | Vinay Oli | 2024-09-13 11:20:13 | Re: Reg: Size difference |