NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit16d58b5

committed

Prevent stack overflow in json-related functions.

Sufficiently-deep recursion heretofore elicited a SIGSEGV. If anapplication constructs PostgreSQL json or jsonb values from arbitraryuser input, application users could have exploited this to terminate allactive database connections. That applies to 9.3, where the json parseradopted recursive descent, and later versions. Only row_to_json() andarray_to_json() were at risk in 9.2, both in a non-security capacity.Back-patch to 9.2, where the json type was introduced.Oskari Saarenmaa, reviewed by Michael Paquier.Security:CVE-2015-5289

1 parent4d95419 commit16d58b5Copy full SHA for 16d58b5

File tree

7 files changed

+54

-0

lines changed

src
- backend/utils/adt
  - json.c
- test/regress
  - expected
  - sql
    - json.sql
    - jsonb.sql

7 files changed

+54

-0

lines changed

`‎src/backend/utils/adt/json.c`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -443,6 +443,8 @@ parse_object(JsonLexContext lex, JsonSemAction sem)`
`443`	`443`	`json_struct_actionoend=sem->object_end;`
`444`	`444`	`JsonTokenTypetok;`
`445`	`445`
	`446`	`+check_stack_depth();`
	`447`	`+`
`446`	`448`	`if (ostart!=NULL)`
`447`	`449`	`(*ostart) (sem->semstate);`
`448`	`450`
`@@ -521,6 +523,8 @@ parse_array(JsonLexContext lex, JsonSemAction sem)`
`521`	`523`	`json_struct_actionastart=sem->array_start;`
`522`	`524`	`json_struct_actionaend=sem->array_end;`
`523`	`525`
	`526`	`+check_stack_depth();`
	`527`	`+`
`524`	`528`	`if (astart!=NULL)`
`525`	`529`	`(*astart) (sem->semstate);`
`526`	`530`
`@@ -1376,6 +1380,8 @@ datum_to_json(Datum val, bool is_null, StringInfo result,`
`1376`	`1380`	`char*outputstr;`
`1377`	`1381`	`text*jsontext;`
`1378`	`1382`
	`1383`	`+check_stack_depth();`
	`1384`	`+`
`1379`	`1385`	`/* callers are expected to ensure that null keys are not passed in */`
`1380`	`1386`	`Assert(!(key_scalar&&is_null));`
`1381`	`1387`

`‎src/test/regress/expected/json.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,15 @@ LINE 1: SELECT '{"abc":1,3}'::json;`
`231`	`231`	`^`
`232`	`232`	`DETAIL: Expected string, but found "3".`
`233`	`233`	`CONTEXT: JSON data, line 1: {"abc":1,3...`
	`234`	`+-- Recursion.`
	`235`	`+SET max_stack_depth = '100kB';`
	`236`	`+SELECT repeat('[', 1000)::json;`
	`237`	`+ERROR: stack depth limit exceeded`
	`238`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`239`	`+SELECT repeat('{"a":', 1000)::json;`
	`240`	`+ERROR: stack depth limit exceeded`
	`241`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`242`	`+RESET max_stack_depth;`
`234`	`243`	`-- Miscellaneous stuff.`
`235`	`244`	`SELECT 'true'::json;-- OK`
`236`	`245`	`json`

`‎src/test/regress/expected/json_1.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,15 @@ LINE 1: SELECT '{"abc":1,3}'::json;`
`231`	`231`	`^`
`232`	`232`	`DETAIL: Expected string, but found "3".`
`233`	`233`	`CONTEXT: JSON data, line 1: {"abc":1,3...`
	`234`	`+-- Recursion.`
	`235`	`+SET max_stack_depth = '100kB';`
	`236`	`+SELECT repeat('[', 1000)::json;`
	`237`	`+ERROR: stack depth limit exceeded`
	`238`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`239`	`+SELECT repeat('{"a":', 1000)::json;`
	`240`	`+ERROR: stack depth limit exceeded`
	`241`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`242`	`+RESET max_stack_depth;`
`234`	`243`	`-- Miscellaneous stuff.`
`235`	`244`	`SELECT 'true'::json;-- OK`
`236`	`245`	`json`

`‎src/test/regress/expected/jsonb.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -239,6 +239,15 @@ LINE 1: SELECT '{"abc":1,3}'::jsonb;`
`239`	`239`	`^`
`240`	`240`	`DETAIL: Expected string, but found "3".`
`241`	`241`	`CONTEXT: JSON data, line 1: {"abc":1,3...`
	`242`	`+-- Recursion.`
	`243`	`+SET max_stack_depth = '100kB';`
	`244`	`+SELECT repeat('[', 1000)::jsonb;`
	`245`	`+ERROR: stack depth limit exceeded`
	`246`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`247`	`+SELECT repeat('{"a":', 1000)::jsonb;`
	`248`	`+ERROR: stack depth limit exceeded`
	`249`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`250`	`+RESET max_stack_depth;`
`242`	`251`	`-- Miscellaneous stuff.`
`243`	`252`	`SELECT 'true'::jsonb;-- OK`
`244`	`253`	`jsonb`

`‎src/test/regress/expected/jsonb_1.out`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -239,6 +239,15 @@ LINE 1: SELECT '{"abc":1,3}'::jsonb;`
`239`	`239`	`^`
`240`	`240`	`DETAIL: Expected string, but found "3".`
`241`	`241`	`CONTEXT: JSON data, line 1: {"abc":1,3...`
	`242`	`+-- Recursion.`
	`243`	`+SET max_stack_depth = '100kB';`
	`244`	`+SELECT repeat('[', 1000)::jsonb;`
	`245`	`+ERROR: stack depth limit exceeded`
	`246`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`247`	`+SELECT repeat('{"a":', 1000)::jsonb;`
	`248`	`+ERROR: stack depth limit exceeded`
	`249`	`+HINT: Increase the configuration parameter "max_stack_depth" (currently 100kB), after ensuring the platform's stack depth limit is adequate.`
	`250`	`+RESET max_stack_depth;`
`242`	`251`	`-- Miscellaneous stuff.`
`243`	`252`	`SELECT 'true'::jsonb;-- OK`
`244`	`253`	`jsonb`

`‎src/test/regress/sql/json.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,12 @@ SELECT '{"abc":1,"def":2,"ghi":[3,4],"hij":{"klm":5,"nop":[6]}}'::json; -- OK`
`45`	`45`	`SELECT'{"abc":1:2}'::json;-- ERROR, colon in wrong spot`
`46`	`46`	`SELECT'{"abc":1,3}'::json;-- ERROR, no value`
`47`	`47`
	`48`	`+-- Recursion.`
	`49`	`+SET max_stack_depth='100kB';`
	`50`	`+SELECT repeat('[',1000)::json;`
	`51`	`+SELECT repeat('{"a":',1000)::json;`
	`52`	`+RESET max_stack_depth;`
	`53`	`+`
`48`	`54`	`-- Miscellaneous stuff.`
`49`	`55`	`SELECT'true'::json;-- OK`
`50`	`56`	`SELECT'false'::json;-- OK`

`‎src/test/regress/sql/jsonb.sql`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,12 @@ SELECT '{"abc":1,"def":2,"ghi":[3,4],"hij":{"klm":5,"nop":[6]}}'::jsonb; -- OK`
`48`	`48`	`SELECT'{"abc":1:2}'::jsonb;-- ERROR, colon in wrong spot`
`49`	`49`	`SELECT'{"abc":1,3}'::jsonb;-- ERROR, no value`
`50`	`50`
	`51`	`+-- Recursion.`
	`52`	`+SET max_stack_depth='100kB';`
	`53`	`+SELECT repeat('[',1000)::jsonb;`
	`54`	`+SELECT repeat('{"a":',1000)::jsonb;`
	`55`	`+RESET max_stack_depth;`
	`56`	`+`
`51`	`57`	`-- Miscellaneous stuff.`
`52`	`58`	`SELECT'true'::jsonb;-- OK`
`53`	`59`	`SELECT'false'::jsonb;-- OK`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit16d58b5

File tree

7 files changed

7 files changed

`‎src/backend/utils/adt/json.c`

`‎src/test/regress/expected/json.out`

`‎src/test/regress/expected/json_1.out`

`‎src/test/regress/expected/jsonb.out`

`‎src/test/regress/expected/jsonb_1.out`

`‎src/test/regress/sql/json.sql`

`‎src/test/regress/sql/jsonb.sql`

0 commit comments