Thread: Use after free? in fe-connect.c:closePGconn
Hi,

PostgreSQL 9.5.3 32 bits client
32 bits libpq.dll with libpq.pdb

All calls of PQfinish are protected by:

    if (conn != NULL) {
        PQfinish(conn);
    }

In [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c, closePGconn(PGconn *conn):
Does not check if conn is NULL.

Use after free?

Best regards,
Ranier

------------------------------------------------------------------------

Error #1: UNINITIALIZED READ: reading 0x0012fbb4-0x0012fbbb 7 byte(s) within 0x0012fb78-0x0012fbbb
# 0 system call NtCreateFile parameter #9
# 1 ntdll.dll!ZwCreateFile          +0xb  (0x7c90d09c <ntdll.dll+0xd09c>)
# 2 MSWSOCK.dll!?                   +0x0  (0x71a149c0 <MSWSOCK.dll+0x49c0>)
# 3 WS2_32.dll!WSASocketW           +0x9c (0x71a740eb <WS2_32.dll+0x40eb>)
# 4 ngx_open_listening_sockets      [c:\msys\1.0\nginx-1.10\src\core\ngx_connection.c:448]
# 5 ngx_init_cycle                  [c:\msys\1.0\nginx-1.10\src\core\ngx_cycle.c:609]
# 6 main                            [c:\msys\1.0\nginx-1.10\src\core\nginx.c:276]
Note: @0:00:03.954 in thread 3124

Error #2: UNADDRESSABLE ACCESS of freed memory: reading 0x020afd3c-0x020afd40 4 byte(s)
# 0 LIBPQ.dll!closePGconn           [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish              [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                 [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup               [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit         [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle        [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                            [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.860 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: 0x020afd3c-0x020afd40 overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free              [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init             [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types      [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf  [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers    [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block            [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: cmp 0x000000b4(%esi) $0xffffffff

Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x020afd10-0x020afd14 4 byte(s)
# 0 LIBPQ.dll!closePGconn           [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2957]
# 1 LIBPQ.dll!PQfinish              [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                 [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup               [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit         [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle        [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                            [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.954 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: instruction: cmp 0x00000088(%esi) $0x00000000

Error #4: UNADDRESSABLE ACCESS of freed memory: writing 0x020afd2b-0x020afd2c 1 byte(s)
# 0 LIBPQ.dll!closePGconn           [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:2974]
# 1 LIBPQ.dll!PQfinish              [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c:3055]
# 2 dbd_pgsql_close                 [c:\usr\src\dbd\postgresql\dbd_pgsql.c:279]
# 3 dbd_pgsql_cleanup               [c:\usr\src\dbd\postgresql\dbd_pgsql.c:297]
# 4 ngx_destroy_pool                [c:\msys\1.0\nginx-1.10\src\core\ngx_palloc.c:57]
# 5 ngx_master_process_exit         [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:562]
# 6 ngx_master_process_cycle        [c:\msys\1.0\nginx-1.10\src\os\win32\ngx_process_cycle.c:235]
# 7 main                            [c:\msys\1.0\nginx-1.10\src\core\nginx.c:367]
Note: @8:39:35.969 in thread 3124
Note: prev lower malloc: 0x020afcf8-0x020afd08
Note: 0x020afd2b-0x020afd2c overlaps memory 0x020afd28-0x020b0d28 that was freed here:
Note: # 0 replace_free              [d:\drmemory_package\common\alloc_replace.c:2706]
Note: # 1 ngx_hash_init             [c:\msys\1.0\nginx-1.10\src\core\ngx_hash.c:426]
Note: # 2 ngx_http_merge_types      [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:2089]
Note: # 3 ngx_http_gzip_merge_conf  [c:\msys\1.0\nginx-1.10\src\http\modules\ngx_http_gzip_filter_module.c:1168]
Note: # 4 ngx_http_merge_servers    [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:596]
Note: # 5 ngx_http_block            [c:\msys\1.0\nginx-1.10\src\http\ngx_http.c:268]
Note: instruction: mov $0x00 -> 0x000000a3(%esi)

------------------------------------------------------------------------
Ranier VF <ranier_gyn@hotmail.com> writes:
> In [d:\pginstaller.auto\postgres.windows\src\interfaces\libpq\fe-connect.c,
> closePGconn(PGconn *conn):
> Does not check if conn is NULL.

All the callers do, so I don't entirely see your point.

The stack traces you show look to me like the fault is probably in
the caller, ie, calling PQfinish twice on the same "conn".

regards, tom lane
Hi Tom,

> All the callers do, so I don't entirely see your point.

Well, I'm still confused...

> The stack traces you show look to me like the fault is probably in
> the caller, ie, calling PQfinish twice on the same "conn".

patch from dbd_pgsql_close function:

    275     if (dbd->conn != NULL) {
    276 #if defined(DEBUG) && !defined(_WIN32)
    277         PQuntrace(dbd->conn);
    278 #endif
    279         PQfinish(dbd->conn);
    280         dbd->conn = NULL;
    281     }
    282     FREE(dbd);
    283     dbd = NULL;

IMHO, the caller of PQfinish can't call it twice.

Best regards,
Ranier
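As an added illustration of the double-PQfinish hypothesis discussed in this thread (not code from the thread, from libpq or from the dbd driver): a mock connection whose finish routine, like closePGconn, trusts its caller, beside a driver close that does and does not clear its stored pointer. conn_t, mock_connect, mock_finish and dbd_t are invented stand-ins; the static table replaces the heap so a repeated finish is counted instead of becoming undefined behaviour.

```c
#include <stddef.h>

/* Stand-in for libpq's PGconn (illustration only, not libpq code). */
typedef struct { int sock; int finished; } conn_t;

/* Connections come from a static table that is never really freed, so a
 * second finish is counted instead of corrupting the heap; on the real heap
 * Dr. Memory reports the same access as "UNADDRESSABLE ACCESS of freed memory". */
static conn_t table[8];
static int table_used;
static int double_finish;   /* finishes applied to an already finished conn */

static conn_t *mock_connect(void) {
    if (table_used == 8) return NULL;
    conn_t *c = &table[table_used++];
    c->sock = 3 + table_used;
    c->finished = 0;
    return c;
}

/* Same contract as closePGconn: the caller guarantees a live, non-NULL conn. */
static void mock_finish(conn_t *c) {
    if (c->finished) double_finish++;
    c->finished = 1;
    c->sock = -1;
}

typedef struct { conn_t *conn; } dbd_t;   /* driver handle, like dbd above */

/* Unguarded: the NULL check alone does not help, the stale pointer stays. */
static void dbd_close_unguarded(dbd_t *dbd) {
    if (dbd->conn != NULL) mock_finish(dbd->conn);
}

/* Guarded: clear the pointer after finishing, as the posted dbd_pgsql_close does. */
static void dbd_close_guarded(dbd_t *dbd) {
    if (dbd->conn != NULL) {
        mock_finish(dbd->conn);
        dbd->conn = NULL;
    }
}

/* Closes a fresh connection twice via closefn; returns how many calls hit a finished conn. */
static int double_close_hits(void (*closefn)(dbd_t *)) {
    int before = double_finish;
    dbd_t dbd = { mock_connect() };
    closefn(&dbd);
    closefn(&dbd);
    return double_finish - before;
}
```

A cleanup that can be reached from more than one path (a pool destructor and an explicit close, say) needs the guarded shape; the NULL check alone protects only against a pointer that was never set.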