Hi!

I found a bug in the jsonb_in function (it converts json from its string
representation into the jsonb internal representation).

To reproduce this bug (the way I found it) you should get an 8-bit instance of
a postgres db:

1. add en_US locale (dpkg-reconfigure locales in debian)
2. initdb with latin1 encoding: 

LANG=en_US ./initdb --encoding=LATIN1 -D my_pg_data

3. run database and execute the query:

SELECT 
E'{\x0a"\x5cb\x5c"\x5c\x5c\x5c/\x5cb\x5cf\x5cn\x5cr\x5ct\x5c"\x5c\x5c\x5c\x5crZt\x5c"\x5c\x5c\x5c/\x5cb\x5c"\x5c\x5c\x5c/\x5cb\x5c"\x5cu000f0\x5cu000f0000000000000000000000000000000000000000000000000000000\x5cuDFFF000000000000000000000000000000000000000000000000000000000000"0000000000000000000000000000000\x5cu0000000000000000000\xb4\x5cuDBFF\x5cuDFFF00000000000000000002000000000000000000000000000000000000000000000000000000000000000\x5cuDBFF'::jsonb;

In postgres 14 and 15, the backend will crash.

The backtrace produced with ASan is in the attached file.

This bug was found while fuzzing postgres input functions, using AFL++.
For now we are using a lightweight wrapper around the input functions that
creates a minimal environment for these functions to run the conversion, and
runs them in the fuzzer.


My colleagues (they will come here shortly) have narrowed down this query to 

SELECT E'\n"\\u00000"'::jsonb;

and say that it crashes even in a UTF-8 locale.

They also have a preliminary version of a patch to fix it. They will tell about
it soon, I hope.

-- 
Nikolay Shaplov aka Nataraj
Fuzzing Engineer at Postgres Professional
Matrix IM: @dhyan:nataraj.su
=================================================================
==90012==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x533f04 in __asan_memcpy 
(/home/nataraj/dev/.install/default/bin/postgres+0x533f04)
    #1 0x102145a in report_json_context 
/home/nataraj/dev/postgrespro/src/backend/utils/adt/jsonfuncs.c:685:2
    #2 0x1020a32 in json_ereport_error 
/home/nataraj/dev/postgrespro/src/backend/utils/adt/jsonfuncs.c:631:3
    #3 0x1020976 in pg_parse_json_or_ereport 
/home/nataraj/dev/postgrespro/src/backend/utils/adt/jsonfuncs.c:511:3
    #4 0x1009176 in jsonb_from_cstring 
/home/nataraj/dev/postgrespro/src/backend/utils/adt/jsonb.c:265:2
    #5 0x1008f3b in jsonb_in 
/home/nataraj/dev/postgrespro/src/backend/utils/adt/jsonb.c:81:9
    #6 0x121d547 in InputFunctionCall 
/home/nataraj/dev/postgrespro/src/backend/utils/fmgr/fmgr.c:1533:11
    #7 0x121dd10 in OidInputFunctionCall 
/home/nataraj/dev/postgrespro/src/backend/utils/fmgr/fmgr.c:1636:9
    #8 0x8cbd0e in stringTypeDatum 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_type.c:662:9
    #9 0x87eb68 in coerce_type 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_coerce.c
    #10 0x87dec1 in coerce_to_target_type 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_coerce.c:105:11
    #11 0x891b40 in transformTypeCast 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_expr.c:2717:11
    #12 0x88f0b8 in transformExprRecurse 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_expr.c:168:13
    #13 0x88efb1 in transformExpr 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_expr.c:126:11
    #14 0x8c358b in transformTargetEntry 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_target.c:96:11
    #15 0x8c37c2 in transformTargetList 
/home/nataraj/dev/postgrespro/src/backend/parser/parse_target.c:184:10
    #16 0x83a583 in transformSelectStmt 
/home/nataraj/dev/postgrespro/src/backend/parser/analyze.c:1317:20
    #17 0x836ad4 in transformStmt 
/home/nataraj/dev/postgrespro/src/backend/parser/analyze.c:366:15
    #18 0x836d5e in transformOptionalSelectInto 
/home/nataraj/dev/postgrespro/src/backend/parser/analyze.c:306:9
    #19 0x8364d4 in transformTopLevelStmt 
/home/nataraj/dev/postgrespro/src/backend/parser/analyze.c:256:11
    #20 0x83640e in parse_analyze_fixedparams 
/home/nataraj/dev/postgrespro/src/backend/parser/analyze.c:124:10
    #21 0xef9c4b in pg_analyze_and_rewrite_fixedparams 
/home/nataraj/dev/postgrespro/src/backend/tcop/postgres.c:659:10
    #22 0xefe818 in exec_simple_query 
/home/nataraj/dev/postgrespro/src/backend/tcop/postgres.c:1169:20
    #23 0xefd92d in PostgresMain 
/home/nataraj/dev/postgrespro/src/backend/tcop/postgres.c
    #24 0xd837f0 in BackendRun 
/home/nataraj/dev/postgrespro/src/backend/postmaster/postmaster.c:4538:2
    #25 0xd82e6f in BackendStartup 
/home/nataraj/dev/postgrespro/src/backend/postmaster/postmaster.c:4266:3
    #26 0xd816b3 in ServerLoop 
/home/nataraj/dev/postgrespro/src/backend/postmaster/postmaster.c:1833:7
    #27 0xd7e8e0 in PostmasterMain 
/home/nataraj/dev/postgrespro/src/backend/postmaster/postmaster.c:1505:11
    #28 0xb7ddc2 in main 
/home/nataraj/dev/postgrespro/src/backend/main/main.c:209:3
    #29 0x7ffff7190d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #30 0x4baa99 in _start 
(/home/nataraj/dev/.install/default/bin/postgres+0x4baa99)

0x625000006e9a is located 7578 bytes inside of 8192-byte region [0x625000005100,0x625000007100)
allocated by thread T0 here:
    #0 0x534b0d in malloc 
(/home/nataraj/dev/.install/default/bin/postgres+0x534b0d)
    #1 0x1262fac in AllocSetContextCreateInternal 
/home/nataraj/dev/postgrespro/src/backend/utils/mmgr/aset.c:471:19

SUMMARY: AddressSanitizer: negative-size-param (/home/nataraj/dev/.install/default/bin/postgres+0x533f04) in __asan_memcpy
==90012==ABORTING
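As an added illustration of what the sanitizer report above means (this is not PostgreSQL's report_json_context, only a reduced model of the failure class): an error-context builder copies the bytes between the start of the current line and the offending token, and if the token pointer ends up before the line start, the pointer difference is -1, which memcpy receives as SIZE_MAX, exactly the `negative-size-param: (size=-1)` ASan prints. The pointer placement is hypothetical and the sample input is the minimal repro from the mail; the guarded variant shows the check that turns the crash into a refused range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the minimal repro from the mail, a newline followed by a
 * string token holding the \u0000 escape that jsonb rejects. */
static const char SAMPLE[] = "\n\"\\u00000\"";

/* Context-prefix length as a bare pointer difference. With token_end one byte
 * before line_start the ptrdiff_t is -1; cast to size_t it is SIZE_MAX, which
 * ASan prints as "negative-size-param: (size=-1)" when memcpy receives it. */
size_t prefix_len_unguarded(const char *line_start, const char *token_end)
{
    return (size_t)(token_end - line_start);
}

/* Guarded variant: refuse an inverted range and bound the copy by the output
 * buffer. Returns bytes copied, or -1 when the range is inconsistent. */
long build_context(const char *line_start, const char *token_end,
                   char *out, size_t outsz)
{
    if (outsz == 0 || token_end < line_start)
        return -1;
    size_t n = (size_t)(token_end - line_start);
    if (n > outsz - 1)
        n = outsz - 1;                /* truncate instead of overflowing */
    memcpy(out, line_start, n);
    out[n] = '\0';
    return (long)n;
}

/* Sane range: copy the two bytes before the 'u' of the escape. Inverted range
 * (hypothetical error position one byte before the line start): refused. */
int guarded_checks_pass(void)
{
    char buf[32];
    const char *line_start = SAMPLE + 1;          /* first byte after '\n' */
    if (build_context(line_start, SAMPLE + 3, buf, sizeof buf) != 2) return 0;
    if (strcmp(buf, "\"\\") != 0) return 0;
    return build_context(line_start, SAMPLE, buf, sizeof buf) == -1;
}

int main(void)
{
    printf("unguarded size: %zu (SIZE_MAX is %zu)\n",
           prefix_len_unguarded(SAMPLE + 1, SAMPLE), (size_t)SIZE_MAX);
    printf("guarded checks: %s\n", guarded_checks_pass() ? "pass" : "FAIL");
    return 0;
}
```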
