Re: Buffer overflow in psql

Tom Lane wrote:
> Jack Orenstein <jorenstein(at)archivas(dot)com> writes:
>> The problem has occurred again, and I've found a buffer overflow in
>> psql that explains it. Here is code from src/bin/psql/common.c, from
>> the PrintQueryResults function:
>
>> case PGRES_COMMAND_OK:
>> {
>> char buf[10];
>
>> success = true;
>> sprintf(buf, "%u", (unsigned int) PQoidValue(results));
>
> Good catch! What platform and compiler are you using exactly? I'd
> imagine that on most platforms, the size of that array is effectively
> rounded up to 12 bytes due to alignment/padding considerations, which
> would mask the mistake. Yours must somehow be putting something
> critical right after the array.

We're using gcc-4.0.2-8.fc4 on FC4 (intel). I believe that we didn't
just get lucky with the overflow. One of our Linux experts says that
our libc is doing memory bounds checking. Note that the stack
goes through __sprintf_chk:

/lib/libc.so.6(__chk_fail+0x41)[0xb7c0bbc5]
/lib/libc.so.6(__vsprintf_chk+0x0)[0xb7c0b490]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0xb7b8e8d8]
/lib/libc.so.6(_IO_vfprintf+0x1aeb)[0xb7b6a2f7]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0xb7c0b531]
/lib/libc.so.6(__sprintf_chk+0x30)[0xb7c0b484]
/usr/bin/psql[0x804ea63]
/usr/bin/psql[0x805195b]
/usr/bin/psql[0x804afdd]
/usr/bin/psql[0x804cde9]
/usr/bin/psql[0x804deb5]
/usr/bin/psql[0x80510cf]
/usr/bin/psql[0x805336d]
/lib/libc.so.6(__libc_start_main+0xdf)[0xb7b42d7f]
/usr/bin/psql[0x804a8e1]

Our Linux kernel is 2.6.17-1.2139

Jack Orenstein