Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Erik Wienhold <ewie(at)ewie(dot)name>
Cc: fuboat(at)outlook(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Date: 2024-09-14 17:07:54
Message-ID: 356363.1726333674@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

I wrote:
> Based on Nick Wellnhofer's response there, I've experimented with the
> attached WIP patch, and it does seem to prevent the problem as long as
> you have a non-ancient libxml2. This is only WIP because there are
> other xmlXPathCompile calls we'd have to fix.

Here's a fleshed-out patch. I first thought that the XmlTableRoutine
code might need significant surgery, but it turns out not to be a
problem as long as we're willing to assume that XmlTableSetDocument
is called before XmlTableSetRowFilter or XmlTableSetColumnFilter.
Since the sole caller does it like that, this doesn't seem too
onerous. I put in Asserts to check that, though.

> Nick also suggested that we not bother with a separate xmlXPathCompile
> call if we're just going to throw away the compiled expression after
> one use. Perhaps that's good cleanup, not sure. I don't know if
> anyone has serious ambitions of re-using the compiled XPath
> expressions.

I looked at this but realized that it'd cause a user-visible change
in error messages. For instance, in xpath_internal we have

xpathcomp = xmlXPathCtxtCompile(xpathctx, xpath_expr);
if (xpathcomp == NULL || xmlerrcxt->err_occurred)
xml_ereport(xmlerrcxt, ERROR, ERRCODE_INTERNAL_ERROR,
"invalid XPath expression");

xpathobj = xmlXPathCompiledEval(xpathcomp, xpathctx);
if (xpathobj == NULL || xmlerrcxt->err_occurred)
xml_ereport(xmlerrcxt, ERROR, ERRCODE_INTERNAL_ERROR,
"could not create XPath object");

So syntax errors in the XPath expression draw "invalid XPath
expression", but if we merged these into one they'd draw
"could not create XPath object", or at least the same message
as execution-time errors. That seems strictly worse for users,
and even if it were OK it's not the sort of thing I'd like to
change in minor releases. So I think we're best off just doing
the minimum change s/xmlXPathCompile/xmlXPathCtxtCompile/.

I would have liked to include a regression test case showing
that the stack overflow is prevented, but I think we can't
since it would fail with pre-2.9.11 libxml2.

BTW, surely ERRCODE_INTERNAL_ERROR is the wrong errcode to use
here? But that's a matter for a different patch.

regards, tom lane

Attachment Content-Type Size
prevent-libxml2-stack-overrun.patch text/x-diff 2.7 KB

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message Leo Volin 2024-09-14 21:27:35 Case clause doesn't report syntactic error
Previous Message Muralikrishna Bandaru 2024-09-14 16:59:25 Re: pl/perl extension fails on Windows