postgresql: Security Advisory-postgresql-CVE-2016-0773

add CVE-2016-0773 patch for avoiding attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression. Patch comes from: http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary commit 3bb3f42f3749d40b8d4de65871e8d828b18d4a45 Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-04-20 11:38:34 +00:00 · 2016-03-10 10:57:00 +08:00
parent 35d91f32c4
commit 8354a07d12
2 changed files with 223 additions and 0 deletions
--- a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0773.patch
+++ b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0773.patch
@@ -0,0 +1,222 @@
+From 3bb3f42f3749d40b8d4de65871e8d828b18d4a45 Mon Sep 17 00:00:00 2001
+From: Tom Lane <tgl@sss.pgh.pa.us>
+Date: Mon, 8 Feb 2016 10:25:40 -0500
+Subject: [PATCH] Fix some regex issues with out-of-range characters and large
+ char ranges.
+
+Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a
+bad choice because it is outside the range of type "celt" (int32).
+Characters approaching that limit could lead to infinite loops in logic
+such as "for (c = a; c <= b; c++)" where c is of type celt but the
+range bounds are chr.  Such loops will work safely only if CHR_MAX+1
+is representable in celt, since c must advance to beyond b before the
+loop will exit.
+
+Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.
+It's highly unlikely that Unicode will ever assign codes that high, and
+none of our other backend encodings need characters beyond that either.
+
+In addition to modifying the macro, we have to explicitly enforce character
+range restrictions on the values of \u, \U, and \x escape sequences, else
+the limit is trivially bypassed.
+
+Also, the code for expanding case-independent character ranges in bracket
+expressions had a potential integer overflow in its calculation of the
+number of characters it could generate, which could lead to allocating too
+small a character vector and then overwriting memory.  An attacker with the
+ability to supply arbitrary regex patterns could easily cause transient DOS
+via server crashes, and the possibility for privilege escalation has not
+been ruled out.
+
+Quite aside from the integer-overflow problem, the range expansion code was
+unnecessarily inefficient in that it always produced a result consisting of
+individual characters, abandoning the knowledge that we had a range to
+start with.  If the input range is large, this requires excessive memory.
+Change it so that the original range is reported as-is, and then we add on
+any case-equivalent characters that are outside that range.  With this
+approach, we can bound the number of individual characters allowed without
+sacrificing much.  This patch allows at most 100000 individual characters,
+which I believe to be more than the number of case pairs existing in
+Unicode, so that the restriction will never be hit in practice.
+
+It's still possible for range() to take awhile given a large character code
+range, so also add statement-cancel detection to its loop.  The downstream
+function dovec() also lacked cancel detection, and could take a long time
+given a large output from range().
+
+Per fuzz testing by Greg Stark.  Back-patch to all supported branches.
+
+Security: CVE-2016-0773
+
+Upstream-Status: Backport
+
+Signed-off-by: Tom Lane <tgl@sss.pgh.pa.us>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+
+Index: postgresql-9.4.5/src/backend/regex/regc_lex.c
+===================================================================
+--- postgresql-9.4.5.orig/src/backend/regex/regc_lex.c	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/backend/regex/regc_lex.c	2016-03-10 10:29:57.045784317 +0800
+@@ -792,13 +792,13 @@
+ 			break;
+ 		case CHR('u'):
+ 			c = lexdigits(v, 16, 4, 4);
+-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
+ 				FAILW(REG_EESCAPE);
+ 			RETV(PLAIN, c);
+ 			break;
+ 		case CHR('U'):
+ 			c = lexdigits(v, 16, 8, 8);
+-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
+ 				FAILW(REG_EESCAPE);
+ 			RETV(PLAIN, c);
+ 			break;
+@@ -816,7 +816,7 @@
+ 		case CHR('x'):
+ 			NOTE(REG_UUNPORT);
+ 			c = lexdigits(v, 16, 1, 255);		/* REs >255 long outside spec */
+-			if (ISERR())
+			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
+ 				FAILW(REG_EESCAPE);
+ 			RETV(PLAIN, c);
+ 			break;
+@@ -872,6 +872,9 @@
+ 
+ /*
+  * lexdigits - slurp up digits and return chr value
+ *
+ * This does not account for overflow; callers should range-check the result
+ * if maxlen is large enough to make that possible.
+  */
+ static chr						/* chr value; errors signalled via ERR */
+ lexdigits(struct vars * v,
+Index: postgresql-9.4.5/src/backend/regex/regc_locale.c
+===================================================================
+--- postgresql-9.4.5.orig/src/backend/regex/regc_locale.c	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/backend/regex/regc_locale.c	2016-03-10 10:34:28.757781726 +0800
+@@ -408,8 +408,7 @@
+ 	int			nchrs;
+ 	struct cvec *cv;
+ 	celt		c,
+-				lc,
+-				uc;
+				cc;
+ 
+ 	if (a != b && !before(a, b))
+ 	{
+@@ -427,24 +426,48 @@
+ 
+ 	/*
+ 	 * When case-independent, it's hard to decide when cvec ranges are usable,
+-	 * so for now at least, we won't try.  We allocate enough space for two
+-	 * case variants plus a little extra for the two title case variants.
+	 * so for now at least, we won't try.  We use a range for the originally
+	 * specified chrs and then add on any case-equivalents that are outside
+	 * that range as individual chrs.
+	 *
+	 * To ensure sane behavior if someone specifies a very large range, limit
+	 * the allocation size to 100000 chrs (arbitrary) and check for overrun
+	 * inside the loop below.
+ 	 */
+ 
+-	nchrs = (b - a + 1) * 2 + 4;
+-
+-	cv = getcvec(v, nchrs, 0);
+	cv = getcvec(v, nchrs, 1);
+ 	NOERRN();
+	addrange(cv, a, b);
+ 
+ 	for (c = a; c <= b; c++)
+ 	{
+-		addchr(cv, c);
+-		lc = pg_wc_tolower((chr) c);
+-		if (c != lc)
+-			addchr(cv, lc);
+-		uc = pg_wc_toupper((chr) c);
+-		if (c != uc)
+-			addchr(cv, uc);
+		cc = pg_wc_tolower((chr) c);
+		if (cc != c &&
+			(before(cc, a) || before(b, cc)))
+		{
+			if (cv->nchrs >= cv->chrspace)
+			{
+				ERR(REG_ETOOBIG);
+				return NULL;
+			}
+			addchr(cv, cc);
+		}
+		cc = pg_wc_toupper((chr) c);
+		if (cc != c &&
+			(before(cc, a) || before(b, cc)))
+		{
+			if (cv->nchrs >= cv->chrspace)
+			{
+				ERR(REG_ETOOBIG);
+				return NULL;
+			}
+			addchr(cv, cc);
+		}
+		if (CANCEL_REQUESTED(v->re))
+		{
+			ERR(REG_CANCEL);
+			return NULL;
+		}
+ 	}
+ 
+ 	return cv;
+Index: postgresql-9.4.5/src/backend/regex/regcomp.c
+===================================================================
+--- postgresql-9.4.5.orig/src/backend/regex/regcomp.c	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/backend/regex/regcomp.c	2016-03-10 10:35:25.397781185 +0800
+@@ -1569,6 +1569,7 @@
+ 	{
+ 		ch = *p;
+ 		newarc(v->nfa, PLAIN, subcolor(v->cm, ch), lp, rp);
+		NOERR();
+ 	}
+ 
+ 	/* and the ranges */
+@@ -1578,6 +1579,7 @@
+ 		to = *(p + 1);
+ 		if (from <= to)
+ 			subrange(v, from, to, lp, rp);
+		NOERR();
+ 	}
+ }
+ 
+Index: postgresql-9.4.5/src/include/regex/regcustom.h
+===================================================================
+--- postgresql-9.4.5.orig/src/include/regex/regcustom.h	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/include/regex/regcustom.h	2016-03-10 10:37:09.989780188 +0800
+@@ -65,7 +65,8 @@
+ #define DIGITVAL(c) ((c)-'0')	/* turn chr digit into its value */
+ #define CHRBITS 32				/* bits in a chr; must not use sizeof */
+ #define CHR_MIN 0x00000000		/* smallest and largest chr; the value */
+-#define CHR_MAX 0xfffffffe		/* CHR_MAX-CHR_MIN+1 should fit in uchr */
+#define CHR_MAX 0x7ffffffe		/* CHR_MAX-CHR_MIN+1 must fit in an int, and
+								 * CHR_MAX+1 must fit in both chr and celt */
+ 
+ /* functions operating on chr */
+ #define iscalnum(x) pg_wc_isalnum(x)
+Index: postgresql-9.4.5/src/test/regress/expected/regex.out
+===================================================================
+--- postgresql-9.4.5.orig/src/test/regress/expected/regex.out	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/test/regress/expected/regex.out	2016-03-10 10:38:28.821779436 +0800
+@@ -222,3 +222,5 @@
+  t
+ (1 row)
+ 
+select 'a' ~ '\x7fffffff';  -- invalid chr code
+ERROR:  invalid regular expression: invalid escape \ sequence
+Index: postgresql-9.4.5/src/test/regress/sql/regex.sql
+===================================================================
+--- postgresql-9.4.5.orig/src/test/regress/sql/regex.sql	2015-10-06 03:12:06.000000000 +0800
+++ postgresql-9.4.5/src/test/regress/sql/regex.sql	2016-03-10 10:38:57.845779159 +0800
+@@ -57,3 +57,4 @@
+ select 'a' ~ '.. ()|\1';
+ select 'a' ~ '()*\1';
+ select 'a' ~ '()+\1';
+select 'a' ~ '\x7fffffff';  -- invalid chr code
--- a/meta-oe/recipes-support/postgresql/postgresql.inc
+++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
    file://postgresql.service \
    file://0001-Use-pkg-config-for-libxml2-detection.patch \
    file://postgresql-CVE-2016-0766.patch \
+    file://postgresql-CVE-2016-0773.patch \
 "

 LEAD_SONAME = "libpq.so"