Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments - Mailing list pgsql-bugs

From Erik Wienhold
Subject Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Msg-id 08a0ba98-2dec-4773-8bfd-9eaced528372@ewie.name
In response to BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments  (PG Bug reporting form <noreply@postgresql.org>)
Responses Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
List pgsql-bugs
On 2024-09-13 14:31 +0200, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      18617
> Logged by:          Jingzhou Fu
> Email address:      fuboat@outlook.com
> PostgreSQL version: 17rc1
> Operating system:   Ubuntu 20.04 with docker image 'postgres:17rc1'
> Description:        
> 
> PostgreSQL server 17rc1 subprocess crashes by the XPATH function expression
> with crafted arguments. The Main process is not affected.
> 
> PoC:
> ```
> SELECT XPATH(REPEAT('(', 100000), '<root/>');
> ```

This looks a lot like https://gitlab.gnome.org/GNOME/libxml2/-/issues/137

What is your libxml2 version?

> Client Output:
> ```
> psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
> Type "help" for help.
> postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
> server closed the connection unexpectedly
>         This probably means the server terminated abnormally
>         before or while processing the request.
> The connection to the server was lost. Attempting reset: Failed.
> ```
> 
> GDB Backtrace (It seems to be a stack overflow):
> ```
> #0  0x00007a66b81a74b2 in ?? () from
> target:/lib/x86_64-linux-gnu/libxml2.so.2
> #1  0x00007a66b81a86d6 in ?? () from
> target:/lib/x86_64-linux-gnu/libxml2.so.2
> #2  0x00007a66b81a908d in ?? () from
> target:/lib/x86_64-linux-gnu/libxml2.so.2
> ...
> #120767 0x00007a66b81a908d in ?? () from
> target:/lib/x86_64-linux-gnu/libxml2.so.2
> #120768 0x00007a66b81af062 in xmlXPathCompile () from
> target:/lib/x86_64-linux-gnu/libxml2.so.2
> #120769 0x00005a0ebb12c131 in ?? ()
> #120770 0x00005a0ebb12cd4e in xpath ()
> #120771 0x00005a0ebae4c67a in ?? ()
> #120772 0x00005a0ebae7f6b3 in ?? ()
> #120773 0x00005a0ebae50145 in standard_ExecutorRun ()
> #120774 0x00005a0ebae5f2fd in fmgr_sql ()
> #120775 0x00005a0ebae4c67a in ?? ()
> #120776 0x00005a0ebaf46efc in evaluate_expr ()
> #120777 0x00005a0ebaf47140 in ?? ()
> #120778 0x00005a0ebaf480fd in ?? ()
> #120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
> #120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
> #120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
> #120782 0x00005a0ebaf2c953 in ?? ()
> #120783 0x00005a0ebaf34b02 in subquery_planner ()
> #120784 0x00005a0ebaf35459 in standard_planner ()
> #120785 0x00005a0ebb001440 in pg_plan_query ()
> #120786 0x00005a0ebb001532 in pg_plan_queries ()
> #120787 0x00005a0ebb001806 in ?? ()
> #120788 0x00005a0ebb0033ee in PostgresMain ()
> #120789 0x00005a0ebaffde7f in BackendMain ()
> #120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
> #120791 0x00005a0ebaf6fa39 in ?? ()
> #120792 0x00005a0ebaf71958 in PostmasterMain ()
> #120793 0x00005a0ebac96476 in main ()
> ```

I can reproduce it with libxml2 2.13.3 on 70d1c664f4:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
    #0  0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
    #1  0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
    #2  0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
    #3  0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
    [...snip...]
    #104680 0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
    #104681 0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
    #104682 0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
    #104683 0x00007a19bf20d655 in xmlXPathCtxtCompile () from /usr/lib/libxml2.so.2
    #104684 0x00005fcff7ca11fc in xpath_internal ()
    #104685 0x00005fcff7ca1d5d in xpath ()
    #104686 0x00005fcff79cc33e in ExecInterpExpr ()
    #104687 0x00005fcff79fe8f0 in ExecResult ()
    #104688 0x00005fcff79cfbda in standard_ExecutorRun ()
    #104689 0x00005fcff79df013 in fmgr_sql ()
    #104690 0x00005fcff79cc33e in ExecInterpExpr ()
    #104691 0x00005fcff7abd798 in evaluate_expr ()
    #104692 0x00005fcff7abd991 in simplify_function ()
    #104693 0x00005fcff7abe8ed in eval_const_expressions_mutator ()
    #104694 0x00005fcff7a35b69 in expression_tree_mutator_impl ()
    #104695 0x00005fcff7a36262 in expression_tree_mutator_impl ()
    #104696 0x00005fcff7abf836 in eval_const_expressions ()
    #104697 0x00005fcff7aa38b1 in preprocess_expression ()
    #104698 0x00005fcff7aab394 in subquery_planner ()
    #104699 0x00005fcff7aabfbf in standard_planner ()
    #104700 0x00005fcff7b7660a in pg_plan_query ()
    #104701 0x00005fcff7b76713 in pg_plan_queries ()
    #104702 0x00005fcff7b769e4 in exec_simple_query ()
    #104703 0x00005fcff7b78791 in PostgresMain ()
    #104704 0x00005fcff7b730df in BackendMain ()
    #104705 0x00005fcff7ae2edb in postmaster_child_launch ()
    #104706 0x00005fcff7ae61c1 in ServerLoop.isra.0 ()
    #104707 0x00005fcff7ae7d6d in PostmasterMain ()
    #104708 0x00005fcff78200c3 in main ()

-- 
Erik
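The crash above comes from xmlXPathCtxtCompile() recursing once per open parenthesis until the backend's stack is exhausted. As an added example, not code from the thread or from PostgreSQL itself, here is a PL/pgSQL wrapper that rejects expressions nesting deeper than a limit before they ever reach libxml2; the function name safe_xpath and the default limit of 1000 are assumptions.

```sql
-- safe_xpath: guard wrapper around xpath() that refuses deeply nested
-- expressions instead of letting libxml2 overflow the backend's stack.
-- STRICT makes the function return NULL on NULL input, like xpath() does.
CREATE OR REPLACE FUNCTION safe_xpath(expr text, doc xml, max_depth int DEFAULT 1000)
RETURNS xml[]
LANGUAGE plpgsql
STRICT
AS $$
DECLARE
    depth    int := 0;   -- current nesting level
    max_seen int := 0;   -- deepest nesting level observed
    c        text;
BEGIN
    -- One pass over the expression, counting ( and [ against ) and ].
    -- Brackets inside XPath string literals are counted too, which only
    -- makes the check more conservative; it never lets a deep nest through.
    FOR i IN 1..length(expr) LOOP
        c := substr(expr, i, 1);
        IF c IN ('(', '[') THEN
            depth := depth + 1;
            max_seen := greatest(max_seen, depth);
        ELSIF c IN (')', ']') THEN
            depth := depth - 1;
        END IF;
    END LOOP;

    IF max_seen > max_depth THEN
        RAISE EXCEPTION 'XPath expression nests % levels deep (limit is %)',
            max_seen, max_depth;
    END IF;

    -- Only now hand the expression to libxml2 via the built-in xpath().
    RETURN xpath(expr, doc);
END;
$$;

-- The reporter's PoC now fails with an ERROR in this session instead of
-- taking the backend down:
--   SELECT safe_xpath(repeat('(', 100000), '<root/>');
-- Ordinary expressions pass straight through:
--   SELECT safe_xpath('/root', '<root/>');
```

The check is a length-linear scan, so the cost of guarding is negligible next to compiling the expression; the limit should sit well below whatever nesting depth overflows the stack on the target platform.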


