Participants
Bruce Momjian
Bruce Momjian
Sir Mordred The Traitor
Sir Mordred The Traitor
Neil Conway
Neil Conway
Attachments
Download Latest Patchset
+37-31
Show all attachments
Thread Outline
#1...#2
Sir Mordred The TraitorNeil Conway
Aug 28, 2002
#1Sir Mordred The TraitorSir Mordred The Traitor
Aug 28, 2002
#2Neil ConwayNeil Conwayto Sir Mordred The Traitor (#1)
Aug 28, 2002
#3Bruce MomjianBruce Momjianto Neil Conway (#2)
Aug 28, 2002
#4Bruce MomjianBruce Momjianto Neil Conway (#2)
Aug 29, 2002

@(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL

Started by Sir Mordred The Traitorover 23 years ago4 messageshackers
Jump to latest
#1Sir Mordred The Traitor
Sir Mordred The Traitor
mordred@s-mail.com

//@(#) Mordred Labs advisory 0x0005

Release data: 23/08/02
Name: Several buffer overruns in PostgreSQL
Versions affected: all versions
Risk: from average to low

--[ Description:

PostgreSQL provides you with several builint geo types
(circle,polygon,box...etc).
Unfortunately the code for geo functions written in a very insecure style
and should be totally rewritten, as a quick search revealed this:

---[ Details:

1)

Upon invoking a polygon(integer, circle) function
a src/backend/utils/adt/geo_ops.c:circle_poly() function will gets called,
which suffers from a buffer overflow.

2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a buffer
overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.

3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.

4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to detect a
buffer
overrun condition caused by a very long argument.

5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect a
simple buffer
overrun.

6)

And finally, a truly dumb feature (not a security related though) in
postmaster:
$ postmaster -o `perl -e 'print "\x66" x 1200'`
Segmentation fault (core dumped)

--[ How to reproduce:

I only show how to reproduce a first buffer overrun condition, as the others
too memory consuming :-)

1)

template1=# select polygon(268435455,'((1,2),3)'::circle);
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

--[ Solution

Drop the vulnerable functions.

________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en

#2Neil Conway
Neil Conway
neilc@samurai.com
In reply to: Sir Mordred The Traitor (#1)
Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL

Sir Mordred The Traitor <mordred@s-mail.com> writes:

Upon invoking a polygon(integer, circle) function a
src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
called, which suffers from a buffer overflow.

2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
buffer overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.

5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
a simple buffer overrun.

I've attached a patch which should fix these problems.

3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.

4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
detect a buffer overrun condition caused by a very long argument.

I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

Attachments:

geo_fixes-1.patchtext/x-patchDownload+37-31
#3Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Neil Conway (#2)
Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns

Your patch has been added to the PostgreSQL unapplied patches list at:

http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------

Neil Conway wrote:

Sir Mordred The Traitor <mordred@s-mail.com> writes:

Upon invoking a polygon(integer, circle) function a
src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
called, which suffers from a buffer overflow.

2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
buffer overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.

5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
a simple buffer overrun.

I've attached a patch which should fix these problems.

3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.

4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
detect a buffer overrun condition caused by a very long argument.

I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

[ Attachment, skipping... ]

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
#4Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Neil Conway (#2)
Re: @(#)Mordre Labs advisory 0x0005: Several buffer overruns

Patch applied. Thanks.

---------------------------------------------------------------------------

Neil Conway wrote:

Sir Mordred The Traitor <mordred@s-mail.com> writes:

Upon invoking a polygon(integer, circle) function a
src/backend/utils/adt/geo_ops.c:circle_poly() function will gets
called, which suffers from a buffer overflow.

2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a
buffer overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.

5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect
a simple buffer overrun.

I've attached a patch which should fix these problems.

3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.

4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to
detect a buffer overrun condition caused by a very long argument.

I wasn't able to reproduce either of these (wouldn't it require an
input string with several hundred thousand commas?), can you give me a
test-case?

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

[ Attachment, skipping... ]

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
← Back to Topics