Thread

  1. Re: BUG #18617: PostgreSQL Server Subprocess Crashes by the XPATH Function Expression with Crafted Arguments

    Erik Wienhold <ewie@ewie.name> — 2024-09-13T16:17:43Z

    On 2024-09-13 14:31 +0200, PG Bug reporting form wrote:
    > The following bug has been logged on the website:
    > 
    > Bug reference:      18617
    > Logged by:          Jingzhou Fu
    > Email address:      fuboat@outlook.com
    > PostgreSQL version: 17rc1
    > Operating system:   Ubuntu 20.04 with docker image 'postgres:17rc1'
    > Description:        
    > 
    > PostgreSQL server 17rc1 subprocess crashes by the XPATH function expression
    > with crafted arguments. The Main process is not affected.
    > 
    > PoC:
    > ```
    > SELECT XPATH(REPEAT('(', 100000), '<root/>');
    > ```
    
    This looks a lot like https://gitlab.gnome.org/GNOME/libxml2/-/issues/137
    
    What is your libxml2 version?
    
    > Client Output:
    > ```
    > psql (17rc1 (Debian 17~rc1-1.pgdg120+1))
    > Type "help" for help.
    > postgres=# SELECT XPATH(REPEAT('(', 100000), '<root/>');
    > server closed the connection unexpectedly
    >         This probably means the server terminated abnormally
    >         before or while processing the request.
    > The connection to the server was lost. Attempting reset: Failed.
    > ```
    > 
    > GDB Backtrace (It seems to be a stack overflow):
    > ```
    > #0  0x00007a66b81a74b2 in ?? () from
    > target:/lib/x86_64-linux-gnu/libxml2.so.2
    > #1  0x00007a66b81a86d6 in ?? () from
    > target:/lib/x86_64-linux-gnu/libxml2.so.2
    > #2  0x00007a66b81a908d in ?? () from
    > target:/lib/x86_64-linux-gnu/libxml2.so.2
    > ...
    > #120767 0x00007a66b81a908d in ?? () from
    > target:/lib/x86_64-linux-gnu/libxml2.so.2
    > #120768 0x00007a66b81af062 in xmlXPathCompile () from
    > target:/lib/x86_64-linux-gnu/libxml2.so.2
    > #120769 0x00005a0ebb12c131 in ?? ()
    > #120770 0x00005a0ebb12cd4e in xpath ()
    > #120771 0x00005a0ebae4c67a in ?? ()
    > #120772 0x00005a0ebae7f6b3 in ?? ()
    > #120773 0x00005a0ebae50145 in standard_ExecutorRun ()
    > #120774 0x00005a0ebae5f2fd in fmgr_sql ()
    > #120775 0x00005a0ebae4c67a in ?? ()
    > #120776 0x00005a0ebaf46efc in evaluate_expr ()
    > #120777 0x00005a0ebaf47140 in ?? ()
    > #120778 0x00005a0ebaf480fd in ?? ()
    > #120779 0x00005a0ebaebe58b in expression_tree_mutator_impl ()
    > #120780 0x00005a0ebaebe495 in expression_tree_mutator_impl ()
    > #120781 0x00005a0ebaf48fc7 in eval_const_expressions ()
    > #120782 0x00005a0ebaf2c953 in ?? ()
    > #120783 0x00005a0ebaf34b02 in subquery_planner ()
    > #120784 0x00005a0ebaf35459 in standard_planner ()
    > #120785 0x00005a0ebb001440 in pg_plan_query ()
    > #120786 0x00005a0ebb001532 in pg_plan_queries ()
    > #120787 0x00005a0ebb001806 in ?? ()
    > #120788 0x00005a0ebb0033ee in PostgresMain ()
    > #120789 0x00005a0ebaffde7f in BackendMain ()
    > #120790 0x00005a0ebaf6bf2a in postmaster_child_launch ()
    > #120791 0x00005a0ebaf6fa39 in ?? ()
    > #120792 0x00005a0ebaf71958 in PostmasterMain ()
    > #120793 0x00005a0ebac96476 in main ()
    > ```
    
    I can reproduce it with libxml2 2.13.3 on 70d1c664f4:
    
    	Program received signal SIGSEGV, Segmentation fault.
    	0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
    	#0  0x00007a19bf209d62 in ?? () from /usr/lib/libxml2.so.2
    	#1  0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
    	#2  0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
    	#3  0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
    	[...snip...]
    	#104680 0x00007a19bf208763 in ?? () from /usr/lib/libxml2.so.2
    	#104681 0x00007a19bf209408 in ?? () from /usr/lib/libxml2.so.2
    	#104682 0x00007a19bf209d96 in ?? () from /usr/lib/libxml2.so.2
    	#104683 0x00007a19bf20d655 in xmlXPathCtxtCompile () from /usr/lib/libxml2.so.2
    	#104684 0x00005fcff7ca11fc in xpath_internal ()
    	#104685 0x00005fcff7ca1d5d in xpath ()
    	#104686 0x00005fcff79cc33e in ExecInterpExpr ()
    	#104687 0x00005fcff79fe8f0 in ExecResult ()
    	#104688 0x00005fcff79cfbda in standard_ExecutorRun ()
    	#104689 0x00005fcff79df013 in fmgr_sql ()
    	#104690 0x00005fcff79cc33e in ExecInterpExpr ()
    	#104691 0x00005fcff7abd798 in evaluate_expr ()
    	#104692 0x00005fcff7abd991 in simplify_function ()
    	#104693 0x00005fcff7abe8ed in eval_const_expressions_mutator ()
    	#104694 0x00005fcff7a35b69 in expression_tree_mutator_impl ()
    	#104695 0x00005fcff7a36262 in expression_tree_mutator_impl ()
    	#104696 0x00005fcff7abf836 in eval_const_expressions ()
    	#104697 0x00005fcff7aa38b1 in preprocess_expression ()
    	#104698 0x00005fcff7aab394 in subquery_planner ()
    	#104699 0x00005fcff7aabfbf in standard_planner ()
    	#104700 0x00005fcff7b7660a in pg_plan_query ()
    	#104701 0x00005fcff7b76713 in pg_plan_queries ()
    	#104702 0x00005fcff7b769e4 in exec_simple_query ()
    	#104703 0x00005fcff7b78791 in PostgresMain ()
    	#104704 0x00005fcff7b730df in BackendMain ()
    	#104705 0x00005fcff7ae2edb in postmaster_child_launch ()
    	#104706 0x00005fcff7ae61c1 in ServerLoop.isra.0 ()
    	#104707 0x00005fcff7ae7d6d in PostmasterMain ()
    	#104708 0x00005fcff78200c3 in main ()
    
    -- 
    Erik
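
Added example, not code from the thread, PostgreSQL or libxml2: both backtraces show the crash originating in recursion inside xmlXPathCompile that deepens with every unclosed `(`, so one application-side mitigation is to bound bracket nesting in user-supplied XPath expressions before they ever reach `xpath()`. `MAX_DEPTH` is a constructed threshold, and the string-literal handling assumes plain XPath 1.0 literals (no escaped quotes).

```python
"""Pre-check for user-supplied XPath expressions (added example, assumed
mitigation; not PostgreSQL's or libxml2's own code)."""

MAX_DEPTH = 256  # constructed limit; real-world expressions rarely nest this deep


def scan_xpath(expr: str) -> tuple[int, bool]:
    """Single pass over an XPath expression: returns (max_depth, balanced).

    Brackets inside string literals are skipped; an XPath 1.0 literal cannot
    contain its own quote character, so no escape handling is needed.
    Unbalanced input is reported rather than raised so the caller still sees
    how deep the expression would have pushed the compiler.
    """
    pairs = {")": "(", "]": "["}
    stack: list[str] = []
    max_depth = 0
    balanced = True
    quote = None
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch in "([":
            stack.append(ch)
            max_depth = max(max_depth, len(stack))
        elif ch in pairs:
            if not stack or stack.pop() != pairs[ch]:
                balanced = False
    if stack or quote is not None:
        balanced = False
    return max_depth, balanced


def is_safe_xpath(expr: str, limit: int = MAX_DEPTH) -> bool:
    """Accept only balanced expressions whose nesting stays within `limit`.

    The PoC from the report, REPEAT('(', 100000), is refused on both counts:
    it never closes a bracket and it nests far beyond any sane limit.
    """
    depth, balanced = scan_xpath(expr)
    return balanced and depth <= limit
```

Apply the check in the application layer (or a wrapper function around `xpath()`) for any expression that is not a compile-time constant; it does not replace upgrading libxml2 once the upstream fix is available.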