
Bugs in libpq standalone

thientc edited this page Nov 5, 2022 · 1 revision

libpq is the client library used to connect to a PostgreSQL server, run queries, etc. The source code of libpq-standalone can be downloaded from https://gitlab.com/sabelka/libpq-standalone or taken from the official PostgreSQL repository.

You can get the test scripts (fuzz drivers) at: https://github.com/thientc/Futag-tests/tree/main/libpq-standalone

  1. Heap-buffer-overflow in function dopr in file libpq/snprintf.c:444:20

Traceback:

==32440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000000773 at pc 0x000000493624 bp 0x7ffdb1dc6110 sp 0x7ffdb1dc58d0
READ of size 116 at 0x60c000000773 thread T0
    #0 0x493623 in __interceptor_strlen.part.52 /Github/Futag/custom-llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x55cfc1 in dopr /Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:444:20
    #2 0x5603ea in pg_vfprintf /Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:257:2
    #3 0x560c56 in pg_printf /Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:288:8
    #4 0x55c238 in LLVMFuzzerTestOneInput /Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_printf/pg_printf1/pg_printf1.c:20:5
    #5 0x446ef6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611
    #6 0x428c6a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324
    #7 0x436621 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860
    #8 0x41f362 in main /Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #9 0x7f5b153c8c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41f3e9 in _start (/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_printf/pg_printf1/pg_printf1.out+0x41f3e9)

image

  1. Heap-buffer-overflow in function dostr in file libpq/snprintf.c:1386:3

Traceback:

==4367==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003111 at pc 0x00000050aa2d bp 0x7ffe3fd59e50 sp 0x7ffe3fd59610
WRITE of size 5 at 0x603000003111 thread T0
    #0 0x50aa2c in __asan_memmove /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30
    #1 0x562075 in dostr /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:1386:3
    #2 0x55ce7d in dopr /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:417:4
    #3 0x55feb7 in pg_vsprintf /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:223:2
    #4 0x560261 in pg_sprintf /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/snprintf.c:236:8
    #5 0x55c499 in LLVMFuzzerTestOneInput /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_sprintf/pg_sprintf1/pg_sprintf1.c:25:5
    #6 0x446ef6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611
    #7 0x428c6a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324
    #8 0x436621 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860
    #9 0x41f362 in main /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #10 0x7f60a35d1c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41f3e9 in _start (/home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_sprintf/pg_sprintf1/pg_sprintf1.out+0x41f3e9)

image

  1. Heap-buffer-overflow in function **pg_utf8_islegal** in file wchar.c:1814:8

Traceback:

==8786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002553 at pc 0x00000056ba6c bp 0x7ffcd4439200 sp 0x7ffcd44391f8
READ of size 1 at 0x602000002553 thread T0
    #0 0x56ba6b in pg_utf8_islegal /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/wchar.c:1814:8
    #1 0x565fe0 in pg_utf8_string_len /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/saslprep.c:1012:8
    #2 0x565033 in pg_saslprep /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/saslprep.c:1077:15
    #3 0x5601d1 in pg_fe_scram_build_secret /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/fe-auth-scram.c:884:7
    #4 0x55c26f in LLVMFuzzerTestOneInput /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_fe_scram_build_secret/pg_fe_scram_build_secret1/pg_fe_scram_build_secret1.c:25:27
    #5 0x446f26 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611
    #6 0x428c9a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324
    #7 0x436651 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860
    #8 0x41f392 in main /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #9 0x7f9b16e19c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41f419 in _start (/home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/pg_fe_scram_build_secret/pg_fe_scram_build_secret1/pg_fe_scram_build_secret1.out+0x41f419)

image

  1. Heap-buffer-overflow in function **PQescapeStringInternal** in file libpq/fe-exec.c:3908:10

Traceback:

==18470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002516 at pc 0x00000056f3b1 bp 0x7ffef7951d60 sp 0x7ffef7951d58
WRITE of size 1 at 0x602000002516 thread T0
    #0 0x56f3b0 in PQescapeStringInternal /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/fe-exec.c:3862:15
    #1 0x56f8b7 in PQescapeString /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/libpq/fe-exec.c:3937:9
    #2 0x55c9e9 in LLVMFuzzerTestOneInput /home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/PQescapeString/PQescapeString1/PQescapeString1.c:33:5
    #3 0x447436 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611
    #4 0x4291aa in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324
    #5 0x436b61 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860
    #6 0x41f8a2 in main /home/thientc/Github/Futag/custom-llvm/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #7 0x7fa39535ec86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41f929 in _start (/home/thientc/Github/Futag-tests/libpq-standalone/libpq-standalone/futag-fuzz-drivers/PQescapeString/PQescapeString1/PQescapeString1.out+0x41f929)

image

POC_scram_ClientKey_LibFuzzer.c.zip POC_PQescapeString_LibFuzzer.c.zip POC_pg_printf_LibFuzzer.c.zip POC_pg_fe_scram_build_secret_LibFuzzer.c.zip
