Buffer overflow in zic

From: Evgeniy Gorbanyov <gorbanyoves(at)basealt(dot)ru>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Buffer overflow in zic
Date: 2025-02-06 07:38:30
Message-ID: fdbcb11d-c8e7-4c95-862c-d9bfe0714a12@basealt.ru
Lists: pgsql-hackers

Hello.

If you compile zic with ASAN, you can get the following (note this will
delete /etc/localtime):
$ sudo ./zic -l fff
=================================================================
==5528==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000053103f at pc 0x000000501ceb bp 0x7ffe9fbe6510 sp 0x7ffe9fbe6508
READ of size 1 at 0x00000053103f thread T0
    #0 0x501cea in relname /artifacts/postgres/src/timezone/zic.c:978:36
    #1 0x50081b in dolink /artifacts/postgres/src/timezone/zic.c:1045:42
    #2 0x4fab14 in main /artifacts/postgres/src/timezone/zic.c:846:3
    #3 0x7ff25975fefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
    #4 0x41c459 in _start
/usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120
0x00000053103f is located 33 bytes to the left of global variable
'<string literal>' defined in 'zic.c:841:14' (0x531060) of size 13
  '<string literal>' is ascii string 'link to link'
0x00000053103f is located 1 bytes to the left of global variable
'<string literal>' defined in 'zic.c:806:15' (0x531040) of size 15
  '<string literal>' is ascii string '/etc/localtime'
0x00000053103f is located 26 bytes to the right of global variable
'<string literal>' defined in 'zic.c:804:15' (0x531020) of size 5
  '<string literal>' is ascii string 'data'
SUMMARY: AddressSanitizer: global-buffer-overflow
/artifacts/postgres/src/timezone/zic.c:978:36 in relname
Shadow bytes around the buggy address:
  0x00008009e1b0: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008009e1c0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
  0x00008009e1d0: f9 f9 f9 f9 00 03 f9 f9 00 00 00 00 07 f9 f9 f9
  0x00008009e1e0: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
  0x00008009e1f0: 00 00 00 04 f9 f9 f9 f9 00 03 f9 f9 02 f9 f9 f9
=>0x00008009e200: 05 f9 f9 f9 05 f9 f9[f9]00 07 f9 f9 00 05 f9 f9
  0x00008009e210: 00 05 f9 f9 00 03 f9 f9 00 02 f9 f9 00 00 f9 f9
  0x00008009e220: 01 f9 f9 f9 02 f9 f9 f9 03 f9 f9 f9 00 00 00 00
  0x00008009e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009e240: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
  0x00008009e250: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 00 00 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5528==ABORTING

Patch is included in the attachment.

Best regards,
Evgeniy Gorbanyov

Attachment Content-Type Size
buffer-overflow-in-zic.patch text/x-patch 510 bytes
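The report above points at a one-byte read just before the string literal "/etc/localtime" inside relname(). The following is an added illustration, not zic.c's code or the attached patch: it models a relative-path helper with the same scanning pattern, keeps the defective form beside a guarded form, and assumes the constructed inputs "data/fff" (a relative target) and "/etc/localtime" (the absolute link name), which reproduce the shared-prefix length of zero that triggers the read at index -1.

```c
#include <stddef.h>
#include <stdio.h>

/* Index at which target and linkname stop matching. zic's relname() scans
 * this way to find the directory the two paths share. A relative target
 * and an absolute linkname share nothing, so the result is 0. */
static size_t common_prefix_end(const char *f, const char *linkname)
{
    size_t i;
    for (i = 0; f[i] && f[i] == linkname[i]; i++)
        ;
    return i;
}

/* Defective form (modelled on the report, not copied from zic.c): counts
 * the directory levels left in linkname after the shared prefix, but reads
 * linkname[i - 1] even when i == 0. With i == 0 and a leading '/', that is
 * one byte before the string, which is exactly what ASAN flagged. Build
 * with -fsanitize=address and call it on the inputs below to see the
 * same global-buffer-overflow class of report. */
size_t dotdots_unsafe(const char *f, const char *linkname)
{
    size_t i = common_prefix_end(f, linkname), dotdots = 0;
    for (; linkname[i]; i++)
        dotdots += linkname[i] == '/' && linkname[i - 1] != '/';
    return dotdots;
}

/* Guarded form: a slash at index 0 has no predecessor, so the i - 1 read
 * only happens when i > 0. Same result for every in-bounds case. */
size_t dotdots_safe(const char *f, const char *linkname)
{
    size_t i = common_prefix_end(f, linkname), dotdots = 0;
    for (; linkname[i]; i++)
        dotdots += linkname[i] == '/' && (i == 0 || linkname[i - 1] != '/');
    return dotdots;
}

int main(void)
{
    /* Constructed inputs matching the report's shape: relative target,
     * absolute link name. Only the guarded form is called here. */
    printf("data/fff -> /etc/localtime: %zu levels\n",
           dotdots_safe("data/fff", "/etc/localtime"));
    printf("/etc/zoneinfo/UTC -> /etc/localtime: %zu levels\n",
           dotdots_safe("/etc/zoneinfo/UTC", "/etc/localtime"));
    return 0;
}
```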
