Bug #25109 pgsql causes segmentation fault
Submitted: 2003-08-16 11:47 UTC Modified: 2003-08-27 19:33 UTC
From: cunha17 at uol dot com dot br Assigned:
Status: Closed Package: PostgreSQL related
PHP Version: 4CVS-2003-08-20 OS: Redhat Linux 9.0 - Kernel 2.4.21
Private report: No CVE-ID:
 [2003-08-16 11:47 UTC] cunha17 at uol dot com dot br
Description:
------------
I found out that pgsql functions cause a segmentation fault if the connection user has no read access on pg_ system tables.

I'm using John Lim's ADOdb class to access a PostgreSQL 7.2.4 database.

This problem has nothing to do with apache since it happens with the CLI interface too.



Reproduce code:
---------------
With an empty postgresql installation, I created an empty database, connected to it, created a user and set all privileges on this new database to this user.
Connected as the new user on the new database I created some tables.

When trying to access these new tables with PHP and ADOdb classes, I got a segmentation fault. At the very end, when running with strace, I got a message before the segmentation fault saying:
'pg_class access denied'
When I grant read access on this table to the new user, I got:
'pg_attribute access denied' and so on...
When I grant read access to all pg_* tables, the problem disappears and PHP runs ok.

Expected result:
----------------
PgSQL Error: Access denied to pg_* system table
or something like that.

Actual result:
--------------
Segmentation Fault if the connection user has no read access on system tables

 [2003-08-20 18:30 UTC] cunha17 at uol dot com dot br
The same problem happened with the latest PHP:
PHP4-STABLE-200308202130
 [2003-08-26 19:06 UTC] iliaa@php.net
Could you please generate a backtrace of the crash and supply the query you've run to trigger it.
 [2003-08-27 17:15 UTC] cunha17 at uol dot com dot br
As I told you I'm using John Lim's ADODB database library for PHP:
http://php.weblogs.com/adodb

I run the following PHP code:
<?php
   // Load ADOdb and select the driver for the configured database type.
   include_once("framework/adodb/adodb.inc.php");
   $MM_conn_HOSTNAME = "10.67.92.57";
   $MM_conn_DBTYPE = "postgres7";
   $MM_conn_DATABASE = "teste";

   $MM_conn_USERNAME = "teste";
   $MM_conn_PASSWORD = "teste";
   ADOLoadCode($MM_conn_DBTYPE);
   $conn=&ADONewConnection($MM_conn_DBTYPE);
   // Connect() takes its arguments in a different order depending on the driver.
   if($MM_conn_DBTYPE == "access" || $MM_conn_DBTYPE == "odbc"){
      $conn->Connect($MM_conn_DATABASE, $MM_conn_USERNAME,$MM_conn_PASSWORD);
   } else if($MM_conn_DBTYPE == "ibase") {
      $conn->Connect($MM_conn_HOSTNAME.":".$MM_conn_DATABASE,$MM_conn_USERNAME,$MM_conn_PASSWORD);
   } else {
      $conn->Connect($MM_conn_HOSTNAME,$MM_conn_USERNAME,$MM_conn_PASSWORD,$MM_conn_DATABASE);
   }
   $concatOp = $conn->concat_operator;
   // Query a table owned by the restricted user; the crash follows this call.
   $rs = $conn->execute("SELECT * from teste") or die($conn->errorMsg());
   print_r($rs->fields);
   echo "ok";
?>

And got these last lines of backtrace (strace):

open("/webpages/sistemas/framework1.5/adodb/adodb.inc.php", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0755, st_size=20000, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0755, st_size=20000, ...}) = 0
lseek(4, 0, SEEK_CUR)                   = 0
lseek(4, 0, SEEK_SET)                   = 0
close(4)                                = 0
getcwd("/webpages/sistemas", 4096)      = 19
lstat64("/webpages", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb/drivers", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb/drivers/adodb-postgres7.inc.php", {st_mode=S_IFREG|0755, st_size=2246, ...}) = 0
open("/webpages/sistemas/framework1.5/adodb/drivers/adodb-postgres7.inc.php", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0755, st_size=2246, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0755, st_size=2246, ...}) = 0
lseek(4, 0, SEEK_CUR)                   = 0
lseek(4, 0, SEEK_SET)                   = 0
read(4, "<?php\r\n/*\r\n V3.40 7 April 2003  "..., 8192) = 2246
read(4, "", 8192)                       = 0
close(4)                                = 0
getcwd("/webpages/sistemas", 4096)      = 19
lstat64("/webpages", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb/drivers", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/webpages/sistemas/framework1.5/adodb/drivers/adodb-postgres64.inc.php", {st_mode=S_IFREG|0755, st_size=21405, ...}) = 0
open("/webpages/sistemas/framework1.5/adodb/drivers/adodb-postgres64.inc.php", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0755, st_size=21405, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0755, st_size=21405, ...}) = 0
lseek(4, 0, SEEK_CUR)                   = 0
lseek(4, 0, SEEK_SET)                   = 0
read(4, "<?php\r\n/*\r\n V3.40 7 April 2003  "..., 8192) = 8192
brk(0)                                  = 0x85cf000
brk(0x85d0000)                          = 0x85d0000
brk(0)                                  = 0x85d0000
brk(0x85d1000)                          = 0x85d1000
brk(0)                                  = 0x85d1000
brk(0x85d2000)                          = 0x85d2000
brk(0)                                  = 0x85d2000
brk(0x85d3000)                          = 0x85d3000
brk(0)                                  = 0x85d3000
brk(0x85d6000)                          = 0x85d6000
read(4, "\n\t{ \r\n\t\tpg_exec ($this->_connect"..., 8192) = 8192
brk(0)                                  = 0x85d6000
brk(0x85d9000)                          = 0x85d9000
brk(0)                                  = 0x85d9000
brk(0x85dd000)                          = 0x85dd000
brk(0)                                  = 0x85dd000
brk(0x85ec000)                          = 0x85ec000
read(4, "f X field\r\n\t*/\r\n\tfunction TextMa"..., 8192) = 5021
brk(0)                                  = 0x85ec000
brk(0x85ed000)                          = 0x85ed000
brk(0)                                  = 0x85ed000
brk(0x85ee000)                          = 0x85ee000
brk(0)                                  = 0x85ee000
brk(0x85f2000)                          = 0x85f2000
brk(0)                                  = 0x85f2000
brk(0x85f5000)                          = 0x85f5000
read(4, "", 8192)                       = 0
close(4)                                = 0
brk(0)                                  = 0x85f5000
brk(0x85f6000)                          = 0x85f6000
brk(0)                                  = 0x85f6000
brk(0x85f7000)                          = 0x85f7000
brk(0)                                  = 0x85f7000
brk(0x85fb000)                          = 0x85fb000
brk(0)                                  = 0x85fb000
brk(0x85fd000)                          = 0x85fd000
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("10.67.92.57")}, 16) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "\0\0\1(\4\322\26/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 296, 0) = 296
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
recv(4, "N", 1, 0)                      = 1
fcntl64(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
select(5, [], [4], [4], NULL)           = 1 (out [4])
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "\0\0\1(\0\2\0\0teste\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 296, 0) = 296
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
select(5, [4], [], [4], NULL)           = 1 (in [4])
recv(4, "R\0\0\0\0K\0\0\26\n\6\307\317\202Z", 16384, 0) = 15
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "Qbegin; select getdatabaseencodi"..., 45, 0) = 45
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
select(5, [4], [], [4], NULL)           = 1 (in [4])
recv(4, "CBEGIN\0Pblank\0T\0\1getdatabaseenco"..., 16384, 0) = 79
brk(0)                                  = 0x85fd000
brk(0x85fe000)                          = 0x85fe000
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "Qset datestyle=\'ISO\'\0", 21, 0) = 21
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
select(5, [4], [], [4], NULL)           = 1 (in [4])
recv(4, "CSET\0Z", 16384, 0)            = 6
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "QSELECT * from teste\0", 21, 0) = 21
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
select(5, [4], [], [4], NULL)           = 1 (in [4])
recv(4, "Pblank\0T\0\2id\0\0\0\0\27\0\4\377\377\377\377texto\0\0"..., 16384, 0) = 81
brk(0)                                  = 0x85fe000
brk(0x85ff000)                          = 0x85ff000
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
send(4, "Qselect oid,typname from pg_type"..., 33, 0) = 33
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
select(5, [4], [], [4], NULL)           = 1 (in [4])
recv(4, "EERROR:  pg_type: permission den"..., 16384, 0) = 38
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

It seems that the problem is some permission denied on the system tables. IMHO PHP should raise an error if the script tries to access a table that the connection user has no access on.
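
The triage step used in the comment above (reading the last client query and server reply before the fatal signal out of an strace log), as an added example that is not part of the original report or of PHP's code. The sample lines are constructed in the shape of the trace above, the function names are hypothetical, and the message-type letters are assumed to follow PostgreSQL's frontend/backend protocol 2.0.

```python
import re

# Constructed sample, shaped like the tail of the strace output in the report.
SAMPLE = r'''
send(4, "QSELECT * from teste\0", 21, 0) = 21
recv(4, "Pblank\0T\0\2id\0\0\0\0\27\0\4\377\377\377\377texto\0\0"..., 16384, 0) = 81
send(4, "Qselect oid,typname from pg_type"..., 33, 0) = 33
recv(4, "EERROR:  pg_type: permission den"..., 16384, 0) = 38
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

CALL = re.compile(r'^(send|recv)\(\d+, "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, ')
SIGNAL = re.compile(r'^--- (SIG[A-Z0-9]+) ')
FATAL = {'SIGSEGV', 'SIGBUS', 'SIGABRT', 'SIGILL', 'SIGFPE'}
ESCAPE = re.compile(r'\\([0-7]{1,3}|.)')
SIMPLE = {'n': 10, 't': 9, 'r': 13, 'v': 11, 'f': 12}
# Assumption: backend message-type bytes of PostgreSQL protocol 2.0.
BACKEND_V2 = {'E': 'ErrorResponse', 'N': 'NoticeResponse', 'C': 'CompletedResponse',
              'P': 'CursorResponse', 'T': 'RowDescription', 'Z': 'ReadyForQuery'}

def unescape(s):
    """Decode strace's C-style escapes (octal, \\n, \\t, ...) into raw bytes."""
    def one(m):
        e = m.group(1)
        return chr(int(e, 8)) if e[0] in '01234567' else chr(SIMPLE.get(e, ord(e)))
    return ESCAPE.sub(one, s).encode('latin-1')

def first_field(data):
    """Text up to the first NUL (strace may have truncated it)."""
    return data.split(b'\0')[0].decode('latin-1')

def last_exchange_before_signal(text):
    """Return the last query sent and last reply received before a fatal signal."""
    query = reply = None
    for line in text.splitlines():
        call, sig = CALL.match(line), SIGNAL.match(line)
        if call:
            data = unescape(call.group(2))
            if call.group(1) == 'send' and data[:1] == b'Q':
                query, reply = first_field(data[1:]), None   # new query resets reply
            elif call.group(1) == 'recv' and query is not None:
                reply = data
        elif sig and sig.group(1) in FATAL:
            kind = BACKEND_V2.get(chr(reply[0]), 'unknown') if reply else None
            return {'signal': sig.group(1), 'query': query, 'reply_type': kind,
                    'reply_text': first_field(reply[1:]) if reply else None}
    return None  # no fatal signal in the log

if __name__ == '__main__':
    print(last_exchange_before_signal(SAMPLE))
```
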
 [2003-08-27 19:33 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Thu Apr 24 21:01:55 2014 UTC