Lists: | pgsql-hackers |
---|
From: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL |
Date: | 2002-08-28 09:51:31 |
Message-ID: | 3d6c9d23.e349d38e@s-mail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
//@(#) Mordred Labs advisory 0x0005
Release data: 23/08/02
Name: Several buffer overruns in PostgreSQL
Versions affected: all versions
Risk: from average to low
--[ Description:
PostgreSQL provides you with several builint geo types
(circle,polygon,box...etc).
Unfortunately the code for geo functions written in a very insecure style
and should be totally rewritten, as a quick search revealed this:
---[ Details:
1)
Upon invoking a polygon(integer, circle) function
a src/backend/utils/adt/geo_ops.c:circle_poly() function will gets called,
which suffers from a buffer overflow.
2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a buffer
overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.
3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.
4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to detect a
buffer
overrun condition caused by a very long argument.
5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect a
simple buffer
overrun.
6)
And finally, a truly dumb feature (not a security related though) in
postmaster:
$ postmaster -o `perl -e 'print "\x66" x 1200'`
Segmentation fault (core dumped)
--[ How to reproduce:
I only show how to reproduce a first buffer overrun condition, as the others
too memory consuming :-)
1)
template1=# select polygon(268435455,'((1,2),3)'::circle);
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#
--[ Solution
Drop the vulnerable functions.
________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en
From: | Neil Conway <neilc(at)samurai(dot)com> |
---|---|
To: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL |
Date: | 2002-08-28 19:10:57 |
Message-ID: | 87elcidcji.fsf@mailbox.samurai.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> Upon invoking a polygon(integer, circle) function a
> src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
> called, which suffers from a buffer overflow.
>
> 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> buffer overrun condition. It is called in multiple places, the most
> interesting are path_out() and poly_out() functions.
> 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> a simple buffer overrun.
I've attached a patch which should fix these problems.
> 3) Upon converting a char string to a path object, a
> src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
> which suffers from a buffer overrun, caused by a very long argument.
> 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> detect a buffer overrun condition caused by a very long argument.
I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?
Cheers,
Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
Attachment | Content-Type | Size |
---|---|---|
geo_fixes-1.patch | text/x-patch | 3.3 KB |
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Neil Conway <neilc(at)samurai(dot)com> |
Cc: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns |
Date: | 2002-08-28 21:17:18 |
Message-ID: | 200208282117.g7SLHIh04126@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Neil Conway wrote:
> Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> > Upon invoking a polygon(integer, circle) function a
> > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
> > called, which suffers from a buffer overflow.
> >
> > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> > buffer overrun condition. It is called in multiple places, the most
> > interesting are path_out() and poly_out() functions.
>
> > 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> > a simple buffer overrun.
>
> I've attached a patch which should fix these problems.
>
> > 3) Upon converting a char string to a path object, a
> > src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
> > which suffers from a buffer overrun, caused by a very long argument.
>
> > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> > detect a buffer overrun condition caused by a very long argument.
>
> I wasn't able to reproduce either of these (wouldn't it require an
> input string with several hundred thousand commas?), can you give me a
> test-case?
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Neil Conway <neilc(at)samurai(dot)com> |
Cc: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns |
Date: | 2002-08-29 23:05:49 |
Message-ID: | 200208292305.g7TN5n308216@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Patch applied. Thanks.
---------------------------------------------------------------------------
Neil Conway wrote:
> Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> > Upon invoking a polygon(integer, circle) function a
> > src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
> > called, which suffers from a buffer overflow.
> >
> > 2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
> > buffer overrun condition. It is called in multiple places, the most
> > interesting are path_out() and poly_out() functions.
>
> > 5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
> > a simple buffer overrun.
>
> I've attached a patch which should fix these problems.
>
> > 3) Upon converting a char string to a path object, a
> > src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
> > which suffers from a buffer overrun, caused by a very long argument.
>
> > 4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
> > detect a buffer overrun condition caused by a very long argument.
>
> I wasn't able to reproduce either of these (wouldn't it require an
> input string with several hundred thousand commas?), can you give me a
> test-case?
>
> Cheers,
>
> Neil
>
> --
> Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073