BUG #4791: NULL value in function causes reproducible segmentation fault

Started by Sikkerhed.org ApS, almost 17 years ago, 4 messages, bugs
#1 Sikkerhed.org ApS
support@sikkerhed.org

The following bug has been logged online:

Bug reference: 4791
Logged by: Sikkerhed.org ApS
Email address: support@sikkerhed.org
PostgreSQL version: 8.3.7-0lenny1
Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
Description: NULL value in function causes reproducible segmentation
fault
Details:

We are using a couple of functions in PostgreSQL, namely

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';

We experienced a bad crash on our production server, and narrowed it down to
a reproducible test case.

The following query will crash the server every time:

SELECT SHA1(NULL);

Please let us know if you require more information.

#2 Magnus Hagander
magnus@hagander.net
In reply to: Sikkerhed.org ApS (#1)
Re: BUG #4791: NULL value in function causes reproducible segmentation fault

Sikkerhed.org ApS wrote:

> The following bug has been logged online:
>
> Bug reference: 4791
> Logged by: Sikkerhed.org ApS
> Email address: support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> Description: NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';

This declaration is incorrect. The function is from pgcrypto, and the
pgcrypto declaration is:
CREATE OR REPLACE FUNCTION digest(text, text)
RETURNS bytea
AS '$libdir/pgcrypto', 'pg_digest'
LANGUAGE C IMMUTABLE STRICT;

Notice the "immutable strict" part that you are missing.

Any particular reason why you are not using the pgcrypto installation
script?

//Magnus

#3 Christian Iversen
ci@sikkerhed.org
In reply to: Magnus Hagander (#2)
Re: BUG #4791: NULL value in function causes reproducible segmentation fault

Magnus Hagander wrote:

> Sikkerhed.org ApS wrote:
>
> > The following bug has been logged online:
> >
> > Bug reference: 4791
> > Logged by: Sikkerhed.org ApS
> > Email address: support@sikkerhed.org
> > PostgreSQL version: 8.3.7-0lenny1
> > Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> > Description: NULL value in function causes reproducible segmentation
> > fault
> > Details:
> >
> > We are using a couple of functions in PostgreSQL, namely
> >
> > CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> > '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> This declaration is incorrect. The function is from pgcrypto, and the
> pgcrypto declaration is:
> CREATE OR REPLACE FUNCTION digest(text, text)
> RETURNS bytea
> AS '$libdir/pgcrypto', 'pg_digest'
> LANGUAGE C IMMUTABLE STRICT;
>
> Notice the "immutable strict" part that you are missing.

Ah, of course. It works now, thanks.

> Any particular reason why you are not using the pgcrypto installation
> script?

Only that we hadn't heard of it. We have now updated our database
structure files to reflect this more reasonable approach.

Thank you very much for the quick fix.

Should I do something to close the bug report?

--
Med venlig hilsen / Best regards
Christian Iversen

Sikkerhed.org ApS
Fuglebakkevej 88 E-mail: support@sikkerhed.org
1. sal Web: www.sikkerhed.org
DK-2000 Frederiksberg Direkte: ci@sikkerhed.org

#4 Jasen Betts
jasen@xnet.co.nz
In reply to: Sikkerhed.org ApS (#1)
Re: BUG #4791: NULL value in function causes reproducible segmentation fault

On 2009-05-05, Sikkerhed.org ApS <support@sikkerhed.org> wrote:

> The following bug has been logged online:
>
> Bug reference: 4791
> Logged by: Sikkerhed.org ApS
> Email address: support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> Description: NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
> ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';
>
> We experienced a bad crash on our production server, and narrowed it down to
> a reproducible test case.
>
> The following query will crash the server every time:
>
> SELECT SHA1(NULL);
>
> Please let us know if you require more information.

AFAICT this exploits a documented feature of the 'C' language, namely
if you crash the C the backend is compromised.

the fix is easy:

CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C'
RETURNS NULL ON NULL INPUT ;
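
Added example, not part of the original thread: a catalog query that finds other C-language functions declared without STRICT, followed by an in-place repair of the digest declaration from the report and a check of the result. It assumes the reporter's digest and sha1 definitions and a role allowed to alter the function; a non-STRICT C function is not necessarily faulty, since some test PG_ARGISNULL() themselves.

```sql
-- 1. Audit: user-defined C-language functions that are NOT declared STRICT
--    (STRICT is the same as RETURNS NULL ON NULL INPUT). The server calls
--    such a function even when an argument is NULL, so every hit must either
--    check PG_ARGISNULL() in its C code or be redeclared STRICT.
SELECT p.oid::regprocedure AS signature,   -- e.g. digest(text,text)
       n.nspname           AS schema_name,
       p.probin            AS library,     -- e.g. $libdir/pgcrypto
       p.prosrc            AS c_symbol     -- e.g. pg_digest
FROM   pg_catalog.pg_proc p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname = 'c'
  AND  NOT p.proisstrict
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY schema_name, signature::text;

-- 2. Repair the hand-written declaration from the report without dropping
--    the function, matching the attributes of the pgcrypto declaration
--    quoted in the thread.
ALTER FUNCTION digest(text, text) IMMUTABLE STRICT;

-- 3. Verify the catalog now records the function as strict and immutable.
--    Expected: proisstrict = true, provolatile = 'i'.
SELECT p.oid::regprocedure AS signature,
       p.proisstrict,
       p.provolatile
FROM   pg_catalog.pg_proc p
WHERE  p.oid = 'digest(text, text)'::regprocedure;

-- 4. Re-run the reporter's test case through the sha1() SQL wrapper.
--    With digest() strict, the NULL never reaches pg_digest: digest()
--    yields NULL, and the built-in encode() is itself strict, so the
--    wrapper returns NULL instead of crashing the backend.
SELECT sha1(NULL) IS NULL AS null_in_null_out;
```

Running step 1 after any hand-maintained schema file is loaded catches declarations that drifted from an extension's own installation script.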