Use after free? in fe-connect.c:closePGconn

Started by Ranier Vilela, almost 10 years ago, 3 messages, bugs
#1 Ranier Vilela
ranier.vf@gmail.com

Hi,
Postgresql 9.5.3 32 bits
client 32bits libpq.dll with libpq.pdb

All calls of PQfinish is protected by:
if (conn != NULL) {
PQfinish(conn);
}

In [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c,
closePGconn(PGconn *conn):
Does not check if conn is NULL.

Use after free?

Best regards,

Ranier

----------------------------------------------------------------------------------------------------------------
Error #1: UNINITIALIZED READ: reading 0x0012fbb4-0x0012fbbb 7 byte(s) within 0x0012fb78-0x0012fbbb
# 0 system call NtCreateFile parameter #9
# 1 ntdll.dll!ZwCreateFile +0xb (0x7c90d09c <ntdll.dll+0xd09c>)
# 2 MSWSOCK.dll!? +0x0 (0x71a149c0 <MSWSOCK.dll+0x49c0>)
# 3 WS2_32.dll!WSASocketW +0x9c (0x71a740eb <WS2_32.dll+0x40eb>)
# 4 ngx_open_listening_sockets [c:\msys\1.0\nginx-1.10\src\core\ngx_connection.c:448]
# 5 ngx_init_cycle [c:\msys\1.0\nginx-1.10\src\core\ngx_cycle.c:609]
# 6 main [c:\msys\1.0\nginx-1.10\src\core\nginx.c:276]
Note: @0:00:03.954 in thread 3124

Error #2: UNADDRESSABLE ACCESS of freed memory: reading 0x020afd3c-0x020afd40 4 byte(s)
# 0 LIBPQ.dll!closePGconn [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.860 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: 0x020afd3c-0x020afd40 overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: cmp 0x000000b4(%esi) $0xffffffff

Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x020afd10-0x020afd14 4 byte(s)
# 0 LIBPQ.dll!closePGconn [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.954 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: instruction: cmp 0x00000088(%esi) $0x00000000

Error #4: UNADDRESSABLE ACCESS of freed memory: writing 0x020afd2b-0x020afd2c 1 byte(s)
# 0 LIBPQ.dll!closePGconn [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2974]
# 1 LIBPQ.dll!PQfinish [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.969 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: 0x020afd2b-0x020afd2c overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: mov $0x00 -> 0x000000a3(%esi)
-----------------------------------------------------------------------------------------------------------------------

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Ranier Vilela (#1)
Re: Use after free? in fe-connect.c:closePGconn

Ranier VF <ranier_gyn@hotmail.com> writes:

In [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c,
closePGconn(PGconn *conn):
Does not check if conn is NULL.

All the callers do, so I don't entirely see your point.

The stack traces you show look to me like the fault is probably in
the caller, ie, calling PQfinish twice on the same "conn".

regards, tom lane

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
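Tom's diagnosis above is that the traces show a caller handing the same already-destroyed handle to PQfinish a second time, not a missing NULL check inside libpq. The following is an added example written for this thread, not code from libpq or from the dbd module being discussed: a small live-handle registry that a debug build of the caller can wrap around its connect/finish calls, so that a second finish on a stale copy of the pointer is reported and refused instead of reading freed memory. `fake_conn`, `fake_connect`, `checked_finish` and `dbd_like` are stand-ins invented here (they are not PGconn, PQconnectdb or PQfinish, which are not linked), and the socket number is a constructed value.

```c
#include <stdio.h>
#include <stdlib.h>

/* Registry of handles that are currently alive.  A fixed array is enough
 * for a diagnostic build; a production build would use a hash set. */
#define MAX_LIVE 64
static void *live_handles[MAX_LIVE];
static int live_count = 0;

static int find_live(const void *h)
{
    for (int i = 0; i < live_count; i++)
        if (live_handles[i] == h)
            return i;
    return -1;
}

/* Record a freshly created handle.  Returns 0 on success, -1 for NULL,
 * for a handle that is already registered, or when the table is full. */
int track_open(void *h)
{
    if (h == NULL || find_live(h) >= 0 || live_count >= MAX_LIVE)
        return -1;
    live_handles[live_count++] = h;
    return 0;
}

/* Validate and unregister a handle just before it is destroyed.
 * Returns 0 if it was alive, -1 if NULL, unknown, or already finished. */
int track_close(void *h)
{
    if (h == NULL)
        return -1;
    int i = find_live(h);
    if (i < 0)
        return -1;
    live_handles[i] = live_handles[--live_count];   /* swap-remove */
    return 0;
}

/* Stand-in for a connection object; this is NOT libpq's PGconn. */
typedef struct {
    int  sock;
    char status;
} fake_conn;

fake_conn *fake_connect(void)
{
    fake_conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->sock = 42;          /* constructed value, stands in for a real socket */
    c->status = 'C';
    if (track_open(c) != 0) {
        free(c);
        return NULL;
    }
    return c;
}

/* Wrapper in the spirit of PQfinish: refuses to destroy a handle the
 * registry does not consider alive, which is exactly the "PQfinish twice
 * on the same conn" case, and returns -1 instead of touching freed memory. */
int checked_finish(fake_conn *conn)
{
    if (track_close(conn) != 0) {
        fprintf(stderr, "checked_finish: %p is not a live connection "
                        "(finish called twice?)\n", (void *) conn);
        return -1;
    }
    free(conn);
    return 0;
}

/* Owner struct mirroring the pattern quoted in the thread: finish, then
 * NULL the field so a second close of the same owner is a no-op. */
typedef struct {
    fake_conn *conn;
} dbd_like;

void dbd_like_close(dbd_like *dbd)
{
    if (dbd->conn != NULL) {
        checked_finish(dbd->conn);
        dbd->conn = NULL;
    }
}

/* Closing the same owner twice is harmless because the field was nulled. */
int demo_owner_close(void)
{
    dbd_like dbd;
    dbd.conn = fake_connect();
    if (dbd.conn == NULL)
        return 0;
    dbd_like_close(&dbd);
    dbd_like_close(&dbd);
    return dbd.conn == NULL;
}

/* A stale copy of the pointer defeats the NULL-the-field pattern; the
 * registry catches the second finish instead of a use-after-free. */
int demo_double_close(void)
{
    fake_conn *c = fake_connect();
    if (c == NULL)
        return 0;
    int first = checked_finish(c);
    int second = checked_finish(c);   /* reported and refused */
    return first == 0 && second == -1;
}

int main(void)
{
    printf("owner close twice ok: %d\n", demo_owner_close());
    printf("double finish caught: %d\n", demo_double_close());
    return 0;
}
```

The registry only tells you that a finish was attempted on a dead handle; finding who freed it first is what Dr. Memory's "freed here" notes in the original report already provide, so the two are complementary: the wrapper turns a silent memory read into a logged, recoverable error, and the tool attributes the earlier free.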

#3 Ranier Vilela
ranier.vf@gmail.com
In reply to: Tom Lane (#2)
Re: Use after free? in fe-connect.c:closePGconn

Hi Tom,

All the callers do, so I don't entirely see your point.

Well, I am still confused...

The stack traces you show look to me like the fault is probably in
the caller, ie, calling PQfinish twice on the same "conn".

patch from dbd_pgsql_close function:
275 if (dbd->conn != NULL) {
276 #if defined(DEBUG) && !defined(_WIN32)
277 PQuntrace(dbd->conn);
278 #endif
279 PQfinish(dbd->conn);
280 dbd->conn = NULL;
281 }
282 FREE(dbd);
283 dbd = NULL;

IMHO, the caller of PQfinish can't call it twice.

Best regards,

Ranier

From: tgl@sss.pgh.pa.us
To: ranier_gyn@hotmail.com
CC: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] Use after free? in fe-connect.c:closePGconn
Date: Wed, 15 Jun 2016 19:05:53 -0400

Ranier VF <ranier_gyn@hotmail.com> writes:

In [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c,
closePGconn(PGconn *conn):
Does not check if conn is NULL.

All the callers do, so I don't entirely see your point.

The stack traces you show look to me like the fault is probably in
the caller, ie, calling PQfinish twice on the same "conn".

regards, tom lane
