Re: Probably security hole in postgresql-7.4.1

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ken Ashcraft <ken(at)coverity(dot)com>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Probably security hole in postgresql-7.4.1
Date: 2004-05-11 20:22:15
Message-ID: 14690.1084306935@sss.pgh.pa.us
Lists: pgsql-hackers

Ken Ashcraft <ken(at)coverity(dot)com> writes:
> I work at Coverity where we use static analysis to find bugs in
> software. I ran a security checker over postgresql-7.4.1 and I think I
> found a security hole.
>
> In the code below, fld_size gets copied in from a user specified file.
> It is passed as the 'needed' parameter to enlargeStringInfo(). If
> needed is a very large positive value, the addition 'needed += str->len
> + 1;' could cause an overflow, making needed a negative number.

I've applied a patch that fixes this issue, as well as the related one
that enlargeStringInfo could go into an infinite loop.

Although the path of control you identify doesn't seem very threatening
(since one must already be superuser to execute COPY from a file), the
same sort of problem could be triggered by sending a malformed data
packet, thus opening up the problem to anyone who can get past the
initial postmaster authentication check. So this is more severe than we
first thought.

If you are looking to improve your checker, you might want to look into
why it only found this path for bad data, and not the path leading from
the client connection socket. Seems like it should've found that too.

Thanks for the report!

regards, tom lane
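The overflow Ken describes and the infinite-loop variant Tom mentions both come from trusting a length that arrived from outside (a COPY file or a wire packet) before doing arithmetic on it. The following is an added example, written for this page rather than taken from the PostgreSQL source or from the patch discussed above: a small StringInfo-like buffer whose growth routine checks the request before the `needed += str->len + 1` addition can wrap, and caps the doubling loop so it always terminates. The struct, the `MAX_ALLOC_SIZE` cap and the helper names are constructed for illustration, not PostgreSQL's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on a single buffer, chosen for this example. Any cap well below
 * INT_MAX / 2 keeps the doubling loop below from overflowing an int. */
#define MAX_ALLOC_SIZE 0x3fffffff

/* Minimal stand-in for a growable string buffer (modelled on the idea of
 * StringInfo, not its real layout). */
typedef struct {
    char *data;
    int   len;     /* bytes in use */
    int   maxlen;  /* bytes allocated */
} StringInfoData;

void init_string_info(StringInfoData *str)
{
    str->maxlen = 256;
    str->len = 0;
    str->data = malloc((size_t)str->maxlen);
}

/* Would the reported 'needed += str->len + 1' wrap for these inputs?
 * Computed in 64-bit so the predicate itself has no undefined behaviour. */
bool addition_would_wrap(int len, int needed)
{
    return (long long)needed + len + 1 > INT_MAX;
}

/* Hardened growth. 'needed' is treated as untrusted input: a negative or
 * oversized request is rejected instead of being fed into the arithmetic.
 * Returns false when the request is refused or memory is unavailable. */
bool enlarge_string_info_checked(StringInfoData *str, int needed)
{
    if (needed < 0)
        return false;                     /* garbage length from the input */
    if (needed > INT_MAX - str->len - 1)
        return false;                     /* the addition below would wrap */
    needed += str->len + 1;               /* now provably in range */
    if (needed > MAX_ALLOC_SIZE)
        return false;                     /* legal int, but beyond the cap */
    if (needed <= str->maxlen)
        return true;                      /* already big enough */

    /* Doubling loop that cannot spin: newlen is clamped at MAX_ALLOC_SIZE,
     * and needed is known to be <= MAX_ALLOC_SIZE, so the loop exits. */
    int newlen = str->maxlen > 0 ? 2 * str->maxlen : 64;
    while (needed > newlen)
        newlen = (newlen > MAX_ALLOC_SIZE / 2) ? MAX_ALLOC_SIZE : 2 * newlen;
    if (newlen > MAX_ALLOC_SIZE)
        newlen = MAX_ALLOC_SIZE;

    char *p = realloc(str->data, (size_t)newlen);
    if (p == NULL)
        return false;
    str->data = p;
    str->maxlen = newlen;
    return true;
}

int main(void)
{
    StringInfoData s;
    init_string_info(&s);

    /* A field length near INT_MAX, as a malformed file or packet could carry. */
    int hostile = INT_MAX - 5;
    printf("unchecked addition would wrap: %s\n",
           addition_would_wrap(s.len, hostile) ? "yes" : "no");
    printf("checked enlarge accepts it:   %s\n",
           enlarge_string_info_checked(&s, hostile) ? "yes" : "no");

    /* An ordinary request still grows the buffer. */
    printf("checked enlarge for 5000:     %s (maxlen now %d)\n",
           enlarge_string_info_checked(&s, 5000) ? "yes" : "no", s.maxlen);
    free(s.data);
    return 0;
}
```

The two checks before the addition are the substance of the fix: once `needed` is known to be non-negative and no larger than `INT_MAX - len - 1`, the sum cannot go negative, and the later cap keeps the doubling loop from running off the end of `int`. Rejecting the request (and, in a server, reporting a protocol or data error) is the right response, since a length that large is never a legitimate field size.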
