A potential memory access violation in ecpg when using EXEC SQL INCLUDE

From: "Wu, Fei" <wufei(dot)fnst(at)cn(dot)fujitsu(dot)com>
To: "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: A potential memory access violation in ecpg when using EXEC SQL INCLUDE
Date: 2019-03-08 02:18:32
Message-ID: 52E6E0843B9D774C8C73D6CF64402F05621EC58D@G08CNEXMBPEKD02.g08.fujitsu.local
Lists: pgsql-bugs

Hi, everyone.

I have found a potential memory access violation in the ecpg module, and I found that this problem happens in all postgres versions.
Here it is:
https://github.com/postgres/postgres/blob/REL9_5_16/src/interfaces/ecpg/preproc/pgc.l
----------------------------------------------------------------------------------------------------------------------------
/* If file name is enclosed in '"' remove these and look only in '.' */
/* Informix does look into all include paths though, except filename starts with '/' */
if (yytext[0] == '"' && yytext[i] == '"' &&
    ((compat != ECPG_COMPAT_INFORMIX && compat != ECPG_COMPAT_INFORMIX_SE) || yytext[1] == '/'))
{
    yytext[i] = '\0';
    memmove(yytext, yytext+1, strlen(yytext));

    strlcpy(inc_file, yytext, sizeof(inc_file));
    yyin = fopen(inc_file, "r");
    if (!yyin)
    {
        if (strcmp(inc_file + strlen(inc_file) - 2, ".h") != 0)    ★
        {
            strcat(inc_file, ".h");
            yyin = fopen(inc_file, "r");
        }
    }

}
----------------------------------------------------------------------------------------------------------------------------
When precompiling an ecpg program (running "ecpg xxx.pgc" is enough) which has the statement below:
------------------------------------
EXEC SQL INCLUDE "a"
------------------------------------
(Here, "a" is short for "a.h"; this feature is documented at https://www.postgresql.org/docs/9.5/ecpg-preproc.html#ECPG-INCLUDE )
The ecpg command runs into the above program fragment, and inc_file's value is the string "a", whose strlen(inc_file) is 1.
Here, ecpg first tries to open a header file named "a", which does not exist. Obviously, it fails.
Then, ecpg tries to find out whether the given filename "a" has the suffix ".h", in the code line marked ★ above.
Here, strlen(inc_file) is 1, so ecpg accesses the address inc_file - 1. That means it accesses an address outside of inc_file.
It is obviously a potential problem which may not lead to an error or crash most of the time. But it is a hidden danger which should be fixed.

Last, it is easy to fix; here are a minimum reproduction case and a solution patch.

--
Best Regards
-----------------------------------------------------
Wu Fei
DX3
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue,
Nanjing, 210012, China
TEL : +86+25-86630566-9356
COINS: 7998-9356
FAX: +86+25-83317685
MAIL:wufei(dot)fnst(at)cn(dot)fujitsu(dot)com
http://www.fujitsu.com/cn/fnst/
---------------------------------------------------

Attachment Content-Type Size
minimum_reproduction_case.pgc application/octet-stream 114 bytes
ecpg_include_memory_access_violation.patch application/octet-stream 418 bytes
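Added example, not the ecpg source and not the attached patch: the ★ suffix check from the excerpt as written, beside a length-guarded version, plus a bounded form of the "append .h" fallback. The resolve_include_name helper and its out_size parameter are this example's own; ecpg uses a fixed-size inc_file array instead.

```c
#include <stdio.h>
#include <string.h>

/* As on the ★ line. For a one-character name, strlen - 2 points one
 * byte before inc_file. Callers below pass a pointer into a larger
 * array so the read stays inside an object; in ecpg the byte before
 * inc_file is whatever happens to sit there in memory. */
static int has_h_suffix_unchecked(const char *inc_file)
{
    return strcmp(inc_file + strlen(inc_file) - 2, ".h") == 0;
}

/* Hardened form: compare only when the name is long enough to end
 * in ".h". A one-character name can never carry the suffix. */
static int has_h_suffix_checked(const char *inc_file)
{
    size_t len = strlen(inc_file);
    return len >= 2 && strcmp(inc_file + len - 2, ".h") == 0;
}

/* The fallback from the excerpt (append ".h" when it is missing), with
 * a bounded copy. out_size is this example's parameter, not ecpg's.
 * Returns 0 on success, -1 if the result would not fit in out. */
static int resolve_include_name(const char *name, char *out, size_t out_size)
{
    const char *suffix = has_h_suffix_checked(name) ? "" : ".h";
    int n = snprintf(out, out_size, "%s%s", name, suffix);
    return (n < 0 || (size_t) n >= out_size) ? -1 : 0;
}

int main(void)
{
    char out[16];

    /* Name "h" with a '.' stored just before it: the unchecked test
     * reads that stray byte and wrongly reports an existing ".h"
     * suffix, so ecpg would retry "h" instead of "h.h". */
    printf("unchecked(\"h\"): %d\n", has_h_suffix_unchecked(".h" + 1));
    printf("checked(\"h\"):   %d\n", has_h_suffix_checked(".h" + 1));

    resolve_include_name("a", out, sizeof out);
    printf("resolved: %s\n", out);
    return 0;
}
```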
