Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Hi hackers!
SerializeLibraryState() writes 1 byte too much into the buffer pointed
to by start_address. This is the very last '\0' it writes after the
loop. Attached is a patch that fixes the problem by accounting for that
extra byte in EstimateLibraryStateSpace()
--
David Geier
(ServiceNow)
Attachments: 0001-Fix-buffer-overflow-in-SerializeLibraryState.patch (text/plain)
From d0ddfe09e4264f449ac75cd95d6312b44240cfbb Mon Sep 17 00:00:00 2001
From: David Geier <geidav.pg@gmail.com>
Date: Tue, 10 Jun 2025 14:54:25 +0200
Subject: [PATCH] Fix buffer overflow in SerializeLibraryState()
---
src/backend/utils/fmgr/dfmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/backend/utils/fmgr/dfmgr.c b/src/backend/utils/fmgr/dfmgr.c
index 4bb84ff7087..e3901a63b41 100644
--- a/src/backend/utils/fmgr/dfmgr.c
+++ b/src/backend/utils/fmgr/dfmgr.c
@@ -702,7 +702,7 @@ EstimateLibraryStateSpace(void)
file_scanner = file_scanner->next)
size = add_size(size, strlen(file_scanner->filename) + 1);
- return size;
+ return size + 1; /* Additional byte for final \0 byte */
}
/*
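Review bot: the `+ 1` in `return size + 1;` looks like it double-counts the terminator. The hunk shows the loop already adding `strlen(file_scanner->filename) + 1` per entry, and the follow-up in this thread notes that `size` is initialized to 1 at the top of EstimateLibraryStateSpace(), which is exactly the byte consumed by the serializer's final `start_address[0] = '\0'` after the loop's `start_address += len`. If that holds, this change over-reserves by one byte and masks the AddressSanitizer report rather than explaining it; the commit message should state what the sanitizer actually flagged and where the estimate and the serializer's pointer arithmetic diverge. The comment `/* Additional byte for final \0 byte */` should also say why the initializer of `size` does not already cover that byte.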
--
2.34.1
On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
Hi hackers!
SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace().
The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:
...
}
start_address[0] = '\0';
How would that cause a buffer overflow?
--
Daniel Gustafsson
The loop advances the pointer via start_address += len.
On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
Hi hackers!
SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace().
The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:
...
}
start_address[0] = '\0';
How would that cause a buffer overflow?
--
Daniel Gustafsson
--
David Geier
(ServiceNow)
But just seeing now that size in EstimateLibraryState() is initialized
to 1. So that total size should actually be fine. Weird that the patch
makes the sanitizer error disappear.
On 6/10/2025 4:21 PM, David Geier wrote:
The loop advances the pointer via start_address += len.
--
David Geier
(ServiceNow)
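As an added illustration of the point being argued in this thread (not code from PostgreSQL or from either poster): a toy model of the estimate/serialize pair, built from the fragments quoted above. The list type, the function names and the sample file names are hypothetical; the `initial` and `extra` parameters model the initializer of `size` and the patch's `+ 1` respectively, so the three cases discussed (size starting at 1, size starting at 0, and size starting at 1 with the patch applied) can each be compared against the number of bytes the serializer really writes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical list of loaded library file names, standing in for the
 * file_scanner list mentioned in the thread (constructed sample data). */
typedef struct DynamicFileList
{
    const char *filename;
    struct DynamicFileList *next;
} DynamicFileList;

static DynamicFileList sample_b = { "pgcrypto.so", NULL };       /* constructed */
static DynamicFileList sample_a = { "plpgsql.so", &sample_b };   /* constructed */

/* Estimate the bytes needed to serialize the list: strlen + 1 per entry
 * (name plus its NUL), on top of whatever 'size' starts at.  'initial'
 * models the initializer of 'size' discussed in the thread (1 in the tree
 * according to the last message); 'extra' models the patch's "+ 1". */
static size_t
estimate_library_state_space(const DynamicFileList *list, size_t initial, size_t extra)
{
    size_t size = initial;

    for (const DynamicFileList *f = list; f != NULL; f = f->next)
        size += strlen(f->filename) + 1;
    return size + extra;
}

/* Serialize the way the thread describes: copy each name including its
 * NUL, advance the pointer by that length, then write one final NUL at the
 * current position.  Returns the byte count actually written so a caller
 * can compare it with the estimate. */
static size_t
serialize_library_state(const DynamicFileList *list, char *start_address)
{
    char *p = start_address;

    for (const DynamicFileList *f = list; f != NULL; f = f->next)
    {
        size_t len = strlen(f->filename) + 1;

        memcpy(p, f->filename, len);
        p += len;
    }
    p[0] = '\0';
    return (size_t) (p - start_address) + 1;
}

/* Compare the estimate with what the serializer writes.  0 means the
 * estimate is exact; negative means an exactly-sized buffer would be
 * overrun by that many bytes (the kind of write ASan reports); positive
 * means the estimate over-reserves.  The serializer runs into a scratch
 * buffer sized from an independent count so this check never overflows. */
static long
estimate_slack(const DynamicFileList *list, size_t initial, size_t extra)
{
    size_t needed = 1;          /* the final NUL written after the loop */
    size_t written;
    char *scratch;

    for (const DynamicFileList *f = list; f != NULL; f = f->next)
        needed += strlen(f->filename) + 1;

    scratch = malloc(needed);
    if (scratch == NULL)
        return 0;               /* cannot check; treat as no evidence */
    written = serialize_library_state(list, scratch);
    free(scratch);
    return (long) estimate_library_state_space(list, initial, extra) - (long) written;
}

int
main(void)
{
    printf("size starts at 1, no +1:   slack %ld\n", estimate_slack(&sample_a, 1, 0));
    printf("size starts at 0, no +1:   slack %ld\n", estimate_slack(&sample_a, 0, 0));
    printf("size starts at 1, with +1: slack %ld\n", estimate_slack(&sample_a, 1, 1));
    return 0;
}
```

With the sample list the first case reports a slack of 0 (the estimate matches the 24 bytes written), the second reports -1 (the post-loop NUL lands one byte past the buffer), and the third reports +1 (the patched estimate reserves a byte nobody writes). A check of this shape, run under AddressSanitizer against the real estimate and serializer, is the quickest way to settle which of the two functions the report is actually about.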