diff options
Diffstat (limited to 'meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch')
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch | 294 |
1 files changed, 294 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch new file mode 100644 index 0000000000..cef2ab2253 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch @@ -0,0 +1,294 @@ +From 18b585155a891784ca8985f595ebc0dde94e0d43 Mon Sep 17 00:00:00 2001 +From: Tom Lane <tgl@sss.pgh.pa.us> +Date: Tue, 21 Nov 2023 11:43:00 +0000 +Subject: [PATCH] Detect integer overflow while computing new array dimensions. + +array_set_element() and related functions allow an array to be +enlarged by assigning to subscripts outside the current array bounds. +While these places were careful to check that the new bounds are +allowable, they neglected to consider the risk of integer overflow +in computing the new bounds. In edge cases, we could compute new +bounds that are invalid but get past the subsequent checks, +allowing bad things to happen. Memory stomps that are potentially +exploitable for arbitrary code execution are possible, and so is +disclosure of server memory. + +To fix, perform the hazardous computations using overflow-detecting +arithmetic routines, which fortunately exist in all still-supported +branches. + +The test cases added for this generate (after patching) errors that +mention the value of MaxArraySize, which is platform-dependent. +Rather than introduce multiple expected-files, use psql's VERBOSITY +parameter to suppress the printing of the message text. v11 psql +lacks that parameter, so omit the tests in that branch. + +Our thanks to Pedro Gallegos for reporting this problem. + +Security: CVE-2023-5869 + +CVE: CVE-2023-5869 +Upstream-Status: Backport [https://github.com/postgres/postgres/commit/18b585155a891784ca8985f595ebc0dde94e0d43] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> + +--- + src/backend/utils/adt/arrayfuncs.c | 85 ++++++++++++++++++++++------ + src/backend/utils/adt/arrayutils.c | 6 -- + src/include/utils/array.h | 7 +++ + src/test/regress/expected/arrays.out | 17 ++++++ + src/test/regress/sql/arrays.sql | 19 +++++++ + 5 files changed, 110 insertions(+), 24 deletions(-) + +diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c +index 949737d..0071f7d 100644 +--- a/src/backend/utils/adt/arrayfuncs.c ++++ b/src/backend/utils/adt/arrayfuncs.c +@@ -19,6 +19,7 @@ + + #include "access/htup_details.h" + #include "catalog/pg_type.h" ++#include "common/int.h" + #include "funcapi.h" + #include "libpq/pqformat.h" + #include "nodes/nodeFuncs.h" +@@ -2334,22 +2335,38 @@ array_set_element(Datum arraydatum, + addedbefore = addedafter = 0; + + /* +- * Check subscripts ++ * Check subscripts. We assume the existing subscripts passed ++ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without ++ * overflow. But we must beware of other overflows in our calculations of ++ * new dim[] values. + */ + if (ndim == 1) + { + if (indx[0] < lb[0]) + { +- addedbefore = lb[0] - indx[0]; +- dim[0] += addedbefore; ++ /* addedbefore = lb[0] - indx[0]; */ ++ /* dim[0] += addedbefore; */ ++ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) || ++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + lb[0] = indx[0]; + if (addedbefore > 1) + newhasnulls = true; /* will insert nulls */ + } + if (indx[0] >= (dim[0] + lb[0])) + { +- addedafter = indx[0] - (dim[0] + lb[0]) + 1; +- dim[0] += addedafter; ++ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */ ++ /* dim[0] += addedafter; */ ++ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) || ++ pg_add_s32_overflow(addedafter, 1, &addedafter) || ++ pg_add_s32_overflow(dim[0], addedafter, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + if (addedafter > 1) + newhasnulls = true; /* will insert nulls */ + } +@@ -2595,14 +2612,23 @@ array_set_element_expanded(Datum arraydatum, + addedbefore = addedafter = 0; + + /* +- * Check subscripts (this logic matches original array_set_element) ++ * Check subscripts (this logic must match array_set_element). We assume ++ * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i] ++ * can be computed without overflow. But we must beware of other ++ * overflows in our calculations of new dim[] values. + */ + if (ndim == 1) + { + if (indx[0] < lb[0]) + { +- addedbefore = lb[0] - indx[0]; +- dim[0] += addedbefore; ++ /* addedbefore = lb[0] - indx[0]; */ ++ /* dim[0] += addedbefore; */ ++ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) || ++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + lb[0] = indx[0]; + dimschanged = true; + if (addedbefore > 1) +@@ -2610,8 +2636,15 @@ array_set_element_expanded(Datum arraydatum, + } + if (indx[0] >= (dim[0] + lb[0])) + { +- addedafter = indx[0] - (dim[0] + lb[0]) + 1; +- dim[0] += addedafter; ++ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */ ++ /* dim[0] += addedafter; */ ++ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) || ++ pg_add_s32_overflow(addedafter, 1, &addedafter) || ++ pg_add_s32_overflow(dim[0], addedafter, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + dimschanged = true; + if (addedafter > 1) + newhasnulls = true; /* will insert nulls */ +@@ -2894,7 +2927,10 @@ array_set_slice(Datum arraydatum, + addedbefore = addedafter = 0; + + /* +- * Check subscripts ++ * Check subscripts. We assume the existing subscripts passed ++ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without ++ * overflow. But we must beware of other overflows in our calculations of ++ * new dim[] values. + */ + if (ndim == 1) + { +@@ -2909,18 +2945,31 @@ array_set_slice(Datum arraydatum, + errmsg("upper bound cannot be less than lower bound"))); + if (lowerIndx[0] < lb[0]) + { +- if (upperIndx[0] < lb[0] - 1) +- newhasnulls = true; /* will insert nulls */ +- addedbefore = lb[0] - lowerIndx[0]; +- dim[0] += addedbefore; ++ /* addedbefore = lb[0] - lowerIndx[0]; */ ++ /* dim[0] += addedbefore; */ ++ if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) || ++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + lb[0] = lowerIndx[0]; ++ if (addedbefore > 1) ++ newhasnulls = true; /* will insert nulls */ + } + if (upperIndx[0] >= (dim[0] + lb[0])) + { +- if (lowerIndx[0] > (dim[0] + lb[0])) ++ /* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */ ++ /* dim[0] += addedafter; */ ++ if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) || ++ pg_add_s32_overflow(addedafter, 1, &addedafter) || ++ pg_add_s32_overflow(dim[0], addedafter, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); ++ if (addedafter > 1) + newhasnulls = true; /* will insert nulls */ +- addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; +- dim[0] += addedafter; + } + } + else +diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c +index 6988edd..fdaf712 100644 +--- a/src/backend/utils/adt/arrayutils.c ++++ b/src/backend/utils/adt/arrayutils.c +@@ -64,10 +64,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale) + * This must do overflow checking, since it is used to validate that a user + * dimensionality request doesn't overflow what we can handle. + * +- * We limit array sizes to at most about a quarter billion elements, +- * so that it's not necessary to check for overflow in quite so many +- * places --- for instance when palloc'ing Datum arrays. +- * + * The multiplication overflow check only works on machines that have int64 + * arithmetic, but that is nearly all platforms these days, and doing check + * divides for those that don't seems way too expensive. +@@ -78,8 +74,6 @@ ArrayGetNItems(int ndim, const int *dims) + int32 ret; + int i; + +-#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) +- + if (ndim <= 0) + return 0; + ret = 1; +diff --git a/src/include/utils/array.h b/src/include/utils/array.h +index 4ae6c3b..0d6db51 100644 +--- a/src/include/utils/array.h ++++ b/src/include/utils/array.h +@@ -74,6 +74,13 @@ struct ExprContext; + */ + #define MAXDIM 6 + ++/* ++ * Maximum number of elements in an array. We limit this to at most about a ++ * quarter billion elements, so that it's not necessary to check for overflow ++ * in quite so many places --- for instance when palloc'ing Datum arrays. ++ */ ++#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) ++ + /* + * Arrays are varlena objects, so must meet the varlena convention that + * the first int32 of the object contains the total object size in bytes. +diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out +index 4923cf3..7f9b693 100644 +--- a/src/test/regress/expected/arrays.out ++++ b/src/test/regress/expected/arrays.out +@@ -1380,6 +1380,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk) + -- then you didn't get an indexscan plan, and something is busted. + reset enable_seqscan; + reset enable_bitmapscan; ++-- test subscript overflow detection ++-- The normal error message includes a platform-dependent limit, ++-- so suppress it to avoid needing multiple expected-files. ++\set VERBOSITY sqlstate ++insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}'); ++update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; ++ERROR: 54000 ++update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; ++ERROR: 54000 ++-- also exercise the expanded-array case ++do $$ declare a int[]; ++begin ++ a := '[-2147483648:-2147483647]={1,2}'::int[]; ++ a[2147483647] := 42; ++end $$; ++ERROR: 54000 ++\set VERBOSITY default + -- test [not] (like|ilike) (any|all) (...) + select 'foo' like any (array['%a', '%o']); -- t + ?column? +diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql +index 5eedc4c..3ad8bdf 100644 +--- a/src/test/regress/sql/arrays.sql ++++ b/src/test/regress/sql/arrays.sql +@@ -415,6 +415,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk) + reset enable_seqscan; + reset enable_bitmapscan; + ++-- test subscript overflow detection ++ ++-- The normal error message includes a platform-dependent limit, ++-- so suppress it to avoid needing multiple expected-files. ++\set VERBOSITY sqlstate ++ ++insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}'); ++update arr_pk_tbl set f1[2147483647] = 42 where pk = 10; ++update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10; ++ ++-- also exercise the expanded-array case ++do $$ declare a int[]; ++begin ++ a := '[-2147483648:-2147483647]={1,2}'::int[]; ++ a[2147483647] := 42; ++end $$; ++ ++\set VERBOSITY default ++ + -- test [not] (like|ilike) (any|all) (...) + select 'foo' like any (array['%a', '%o']); -- t + select 'foo' like any (array['%a', '%b']); -- f |