When provided with malformed input, the issue described above occurs in the following program:
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdlib.h>
#include <pg_query.h>
int main(int argc, char *argv[])
{
    /* Read the whole input file (the PoC) into a NUL-terminated buffer */
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    char *v0 = (char*)malloc((size_t)size + 1);
    if (v0 == NULL || (size > 0 && fread(v0, (size_t)size, 1, f) != 1)) {
        perror("read");
        free(v0);
        fclose(f);
        return 1;
    }
    fclose(f);
    v0[size] = '\0';
    /* Hand the untrusted input to the normalizer; the crash happens inside this call */
    PgQueryNormalizeResult result = pg_query_normalize(v0);
    pg_query_free_normalize_result(result);
    free(v0);
    return 0;
}
Extra details
A memcpy with a negative size parameter occurs in pg_query_normalize.c at line #272. Later down the road this leads to a munmap_chunk(): invalid pointer error in src_backend_utils_mmgr_aset.c at line #604. Below I've provided both the ASan output and the stack trace without ASan instrumentation.
Test Environment
Ubuntu 22.04.4, 64 bit
How to trigger
./filename poc
Version
latest: c3ed78b
POC File
https://github.com/gabe-sherman/bug-pocs/blob/main/pg_query/c1
Asan output
=================================================================
==1297162==ERROR: AddressSanitizer: negative-size-param: (size=-27)
#0 0x555555b07504 in __asan_memcpy (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b3504) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
#1 0x555555b444e9 in generate_normalized_query /home/gabriel/fuzzing-trials/pg_query/lib_asan/src/pg_query_normalize.c:272:3
#2 0x555555b444e9 in pg_query_normalize /home/gabriel/fuzzing-trials/pg_query/lib_asan/src/pg_query_normalize.c:596:36
#3 0x555555b43277 in main (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5ef277) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
#4 0x7ffff7ca8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7ffff7ca8e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#6 0x555555a853f4 in _start (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5313f4) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
0x61b000000615 is located 1429 bytes inside of 1452-byte region [0x61b000000080,0x61b00000062c)
allocated by thread T0 here:
#0 0x555555b0823e in __interceptor_malloc (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b423e) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
#1 0x555555b4317a in main (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5ef17a) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804)
#2 0x7ffff7ca8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: negative-size-param (/home/gabriel/fuzzing-trials/pg_query/crashes/c1_minimized.out+0x5b3504) (BuildId: 9b01e93b727fad3f49af8a1eaf6bb33cca986804) in __asan_memcpy
==1297162==ABORTING
Backtrace
#0 0x00000000005e044c in pthread_kill ()
#1 0x00000000005cc2e6 in raise ()
#2 0x0000000000401209 in abort ()
#3 0x00000000005da086 in __libc_message ()
#4 0x00000000005e0f2c in malloc_printerr ()
#5 0x00000000005e120c in munmap_chunk ()
#6 0x00000000005e56ea in free ()
#7 0x00000000004fb874 in AllocSetReset (context=0x9f8340) at src/postgres/src_backend_utils_mmgr_aset.c:604
#8 0x0000000000412247 in MemoryContextResetOnly (context=context@entry=0x9f8340) at src/postgres/src_backend_utils_mmgr_mcxt.c:414
#9 0x00000000004fbad5 in AllocSetDelete (context=0x9f8340) at src/postgres/src_backend_utils_mmgr_aset.c:652
#10 0x0000000000402277 in pg_query_normalize (input=input@entry=0x9f1130 "DO'SELE", '\270' <repeats 193 times>...) at src/pg_query_normalize.c:619
#11 0x00000000004018c2 in main (argc=<optimized out>, argv=<optimized out>) at poc.c:17
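The ASan report above says memcpy was handed size=-27. The example below, added here and not taken from pg_query or this report, shows why that is dangerous and how a copy routine can refuse it: a signed span length computed from offsets goes negative, memcpy's size_t parameter silently turns it into a value near SIZE_MAX, and the resulting overrun is what the allocator later trips over in free(). The span arithmetic (unchecked_span_len, its off/last_off/last_tok_len parameters) and checked_copy are hypothetical illustrations of the pattern, not the code at pg_query_normalize.c:272.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical span-length computation: the number of bytes between the
 * end of the previous token and the start of the current one. With an int
 * result, offsets that arrive out of order produce a negative length. */
static int unchecked_span_len(int off, int last_off, int last_tok_len)
{
    return off - last_off - last_tok_len;   /* may be negative on bad input */
}

/* What memcpy actually receives: the negative int converted to size_t.
 * -27 becomes SIZE_MAX - 26, i.e. a copy of almost the whole address space. */
static size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/* Hardened copy for the same job. Rejects negative lengths and any span
 * that would read past src or write past dst. Returns 1 when the copy was
 * performed, 0 when the request was refused. */
static int checked_copy(char *dst, size_t dst_cap, size_t dst_pos,
                        const char *src, size_t src_len, size_t src_pos,
                        int len)
{
    if (len < 0)
        return 0;                                   /* the -27 case */
    size_t n = (size_t)len;
    if (src_pos > src_len || n > src_len - src_pos)
        return 0;                                   /* would over-read src */
    if (dst_pos > dst_cap || n > dst_cap - dst_pos)
        return 0;                                   /* would overflow dst */
    memcpy(dst + dst_pos, src + src_pos, n);
    return 1;
}

int main(void)
{
    /* Constructed example: offsets in order, then offsets out of order */
    int good = unchecked_span_len(120, 100, 7);     /* 13 bytes */
    int bad  = unchecked_span_len(100, 120, 7);     /* -27 bytes */
    printf("ordered span: %d, memcpy size %zu\n", good, as_memcpy_size(good));
    printf("disordered span: %d, memcpy size %zu\n", bad, as_memcpy_size(bad));

    char dst[32] = {0};
    const char *src = "SELECT 1 FROM t";             /* constructed input */
    printf("checked_copy(13) -> %d\n",
           checked_copy(dst, sizeof dst, 0, src, strlen(src), 0, good));
    printf("checked_copy(-27) -> %d\n",
           checked_copy(dst, sizeof dst, 0, src, strlen(src), 0, bad));
    return 0;
}
```

The first guard is the one that matters for this report: once the length is validated as non-negative and inside both buffers before the call, a malformed query can at worst be rejected, rather than corrupting heap metadata that only surfaces later in AllocSetReset.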