public inbox for pgsql-bugs@postgresql.org
BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag
* BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag
@ 2026-02-19 05:26 PG Bug reporting form <noreply@postgresql.org>
From: PG Bug reporting form @ 2026-02-19 05:26 UTC
To: pgsql-bugs@lists.postgresql.org; +Cc: n.kalinin@postgrespro.ru
The following bug has been logged on the website:
Bug reference: 19413
Logged by: Nikita Kalinin
Email address: n.kalinin@postgrespro.ru
PostgreSQL version: 18.2
Operating system: ubuntu 22.04
Description:
When building with ASAN:
CPPFLAGS="-O0 -ggdb3 -fno-omit-frame-pointer -fsanitize=address
-fsanitize=undefined -fno-sanitize-recover=all
-fno-sanitize=nonnull-attribute -fstack-protector"
LDFLAGS="-fsanitize=address -fsanitize=undefined"
Runtime ASAN options:
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:disable_coredump=0:strict_string_checks=1:check_initialization_order=1:strict_init_order=1:detct_odr_violation=0:detect_stack_use_after_return=0
The following queries:
CREATE COLLATION lt_insensitive (provider = icu, locale = 'enu-ks-level1',
deterministic = false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
deterministic = false);
CREATE COLLATION x (provider = icu, locale = 'en-u-ks-level1', deterministic
= false);
CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
deterministic = false);
produce this in the log:
==206378==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4e1629c3 at pc 0x7025dbac6f8f bp 0x7ffc4e162960 sp 0x7ffc4e162108
READ of size 7 at 0x7ffc4e1629c3 thread T0
#0 0x7025dbac6f8e in strcmp
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:470
#1 0x5e20dd343a7b in foldcase_options
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:1000
#2 0x5e20dd340b46 in pg_ucasemap_open
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:523
#3 0x5e20dd3403b0 in create_pg_locale_icu
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:385
#4 0x5e20dd337563 in create_pg_locale
/home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1065
#5 0x5e20dd338ecd in pg_newlocale_from_collation
/home/test/test/postgres/src/backend/utils/adt/pg_locale.c:1233
#6 0x5e20dbc3f66b in DefineCollation
/home/test/test/postgres/src/backend/commands/collationcmds.c:387
#7 0x5e20dce94634 in ProcessUtilitySlow
/home/test/test/postgres/src/backend/tcop/utility.c:1441
#8 0x5e20dce90e19 in standard_ProcessUtility
/home/test/test/postgres/src/backend/tcop/utility.c:1068
#9 0x5e20dce8e5f8 in ProcessUtility
/home/test/test/postgres/src/backend/tcop/utility.c:525
#10 0x5e20dce8997b in PortalRunUtility
/home/test/test/postgres/src/backend/tcop/pquery.c:1148
#11 0x5e20dce8a6cb in PortalRunMulti
/home/test/test/postgres/src/backend/tcop/pquery.c:1306
#12 0x5e20dce87477 in PortalRun
/home/test/test/postgres/src/backend/tcop/pquery.c:783
#13 0x5e20dce70014 in exec_simple_query
/home/test/test/postgres/src/backend/tcop/postgres.c:1277
#14 0x5e20dce7f5b2 in PostgresMain
/home/test/test/postgres/src/backend/tcop/postgres.c:4809
#15 0x5e20dce60a21 in BackendMain
/home/test/test/postgres/src/backend/tcop/backend_startup.c:124
#16 0x5e20dc9daeb3 in postmaster_child_launch
/home/test/test/postgres/src/backend/postmaster/launch_backend.c:268
#17 0x5e20dc9ec38a in BackendStartup
/home/test/test/postgres/src/backend/postmaster/postmaster.c:3606
#18 0x5e20dc9e66af in ServerLoop
/home/test/test/postgres/src/backend/postmaster/postmaster.c:1713
#19 0x5e20dc9e5117 in PostmasterMain
/home/test/test/postgres/src/backend/postmaster/postmaster.c:1403
#20 0x5e20dc2ee164 in main
/home/test/test/postgres/src/backend/main/main.c:231
#21 0x7025da62a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#22 0x7025da62a28a in __libc_start_main_impl ../csu/libc-start.c:360
#23 0x5e20db2c4cf4 in _start (/tmp/pg/bin/postgres+0x339bcf4) (BuildId: 1e8e5e00d069d99fbf1e4d1d7e56eeb0ddec1ca0)
Address 0x7ffc4e1629c3 is located in stack of thread T0 at offset 51 in frame
#0 0x5e20dd34394f in foldcase_options
/home/test/test/postgres/src/backend/utils/adt/pg_locale_icu.c:988
The issue occurs only when strict_string_checks=1 is enabled.
If this option is removed from ASAN_OPTIONS, the problem disappears.
It reproduces only on master. I was not able to reproduce it on
REL_18_STABLE.
Is this expected behavior, or is the real issue that strcmp receives an
invalid argument — lang is not a null-terminated string?
Note: the web form only allowed selecting 18.2, but the issue reproduces on
current git master (future 19) and not on REL_18_STABLE.
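The defect the reporter suspects above, a strcmp() over a stack buffer that an ICU-style getter may have left without a terminating NUL, as an added C illustration that is not PostgreSQL's or ICU's code: get_language() is a constructed stand-in following ICU's preflighting buffer convention, LANG_CAPACITY is a deliberately small assumed size, and lang_matches() shows the length check a caller needs before treating the buffer as a C string.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an ICU-style "preflighting" getter such as
 * uloc_getLanguage(): it copies the primary language subtag (the text up
 * to the first '-' or '_') into dst, returns the length it NEEDED, and
 * writes a terminating NUL only when there is room for one. ICU's real
 * API signals the two failure cases through UErrorCode
 * (U_BUFFER_OVERFLOW_ERROR, U_STRING_NOT_TERMINATED_WARNING); here the
 * returned length alone carries that information. Not ICU or PostgreSQL code. */
#define LANG_CAPACITY 4   /* assumed: room for a 3-letter subtag plus NUL */

static int get_language(const char *locale, char *dst, int capacity)
{
    int need = (int) strcspn(locale, "-_");
    int copy = need < capacity ? need : capacity;

    memcpy(dst, locale, (size_t) copy);
    if (need < capacity)
        dst[need] = '\0';       /* fits: dst is a valid C string */
    /* need >= capacity: dst is full and NOT NUL-terminated */
    return need;
}

/* Hardened caller: compare the subtag only after confirming it fit.
 * Returns 1 on match, 0 on mismatch, -1 when the subtag did not fit.
 * The unsafe pattern is to strcmp() unconditionally; with an unterminated
 * buffer that reads past the end of lang on the stack, which is the kind
 * of over-read ASAN flags as a stack-buffer-overflow. */
static int lang_matches(const char *locale, const char *want)
{
    char lang[LANG_CAPACITY];
    int need = get_language(locale, lang, (int) sizeof lang);

    if (need >= (int) sizeof lang)
        return -1;              /* truncated or exactly full: unterminated */
    return strcmp(lang, want) == 0;
}

int main(void)
{
    /* constructed sample tags; the last two do not fit LANG_CAPACITY */
    const char *tags[] = { "tr-u-ks-level1", "en-u-ks-level1",
                           "engl-u-ks-level1", "foobar-u-ks-level1" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        printf("%-20s -> %d\n", tags[i], lang_matches(tags[i], "tr"));
    return 0;
}
```

The exactly-full case ("engl" in a 4-byte buffer) is the one that is easy to miss: nothing was lost, but there is still no NUL, so the buffer is not a string.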
* Re: BUG #19413: ASAN: stack-buffer-overflow in foldcase_options() with invalid ICU language tag
@ 2026-05-15 16:59 Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis @ 2026-05-15 16:59 UTC
To: n.kalinin@postgrespro.ru; pgsql-bugs@lists.postgresql.org
On Thu, 2026-02-19 at 05:26 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 19413
> Logged by: Nikita Kalinin
> Email address: n.kalinin@postgrespro.ru
> PostgreSQL version: 18.2
> Operating system: ubuntu 22.04
> Description:
>
> When building with ASAN:
> CPPFLAGS="-O0 -ggdb3 -fno-omit-frame-pointer -fsanitize=address
> -fsanitize=undefined -fno-sanitize-recover=all
> -fno-sanitize=nonnull-attribute -fstack-protector"
> LDFLAGS="-fsanitize=address -fsanitize=undefined"
>
> Runtime ASAN options:
> ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:disable_coredump=0:strict_string_checks=1:check_initialization_order=1:strict_init_order=1:detct_odr_violation=0:detect_stack_use_after_return=0
>
> The following queries:
> CREATE COLLATION lt_insensitive (provider = icu, locale = 'enu-ks-level1',
> deterministic = false);
> CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
> deterministic = false);
> CREATE COLLATION x (provider = icu, locale = 'en-u-ks-level1', deterministic
> = false);
> CREATE COLLATION lt_insensitive (provider = icu, locale = 'en-u-ks-level1',
> deterministic = false);
Thank you for the report. This appears to be fixed as of:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=06ce97b9994eca91250d7c28f0df9b1ae7829...
due to another report that came later. This bug should have been
referenced in the commit -- sorry.
Let me know if this resolves the issue.
Regards,
Jeff Davis