Package: sqlite3
Version: 3.6.22-1
Severity: normal

A bug resulting in a crash (segmentation fault) of sqlite3 has been
detected. Please find attached the script causing problems and a debug
session log.

Tested to be vulnerable (sqlite3 version on platform):
sqlite3 3.6.23 on Linux
sqlite3 3.6.22 on Linux
sqlite3 3.6.4 on Linux
sqlite3 3.5.1 on Solaris

Tested to be invulnerable:
sqlite3 2.8.17 on Linux

Attachments: SQL script, gdb session log.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/2 CPU cores)
Shell: /bin/sh linked to /bin/dash
-- Reproducer attached to the report: schema plus two triggers, followed by
-- the single statement that crashes the 3.6.x shell (see the gdb log below).
BEGIN TRANSACTION;
-- One row per (src, dst) pair; the pair is the primary key.
CREATE TABLE tab_s (src varchar, dst varchar, price decimal(10,2), PRIMARY KEY 
(src,dst));
INSERT INTO "tab_s" VALUES('POZNAN','ITALIA',10);
-- Inserts into this table fire the two triggers below; timestamp defaults to
-- DATETIME('NOW') at insert time.
CREATE TABLE current (src varchar, dst varchar, price decimal(10,2) NOT NULL, 
timestamp TEXT DEFAULT (DATETIME('NOW')));
-- AFTER INSERT: lower the matching tab_s.price when the new price is smaller.
CREATE TRIGGER update_tab_s after insert on current when (new.price < (select 
price from tab_s where src=new.src AND dst=new.dst))  begin update tab_s set 
price=new.price where src=new.src AND dst=new.dst; end;
-- BEFORE INSERT: ensure a tab_s row exists for the (src, dst) pair, using the
-- placeholder price 99999; "or ignore" skips it when the key already exists.
CREATE TRIGGER entry_in_tab_s before insert on current begin insert or ignore 
into tab_s values (new.src, new.dst, 99999); end;
COMMIT;

-- Crashing statement. DEFAULT VALUES and an explicit VALUES list cannot be
-- combined, so this is malformed SQL. The backtrace shows the parser's reduce
-- action (yy_reduce -> sqlite3Insert) still running with pList=0x0, and
-- sqlite3Insert dereferencing it at sqlite3.c:75798 (pList->a[j].pExpr while
-- filling regCols) instead of the statement being rejected with a syntax
-- error. The BEFORE INSERT trigger above is presumably what makes that code
-- path reachable -- confirm by dropping entry_in_tab_s and re-running.
-- Defender's view: a NULL dereference in prepare() means any application that
-- prepares untrusted SQL text can be taken down by one malformed statement.
INSERT INTO current DEFAULT VALUES ('a', 'b', 30);
/tmp/sqlite-3.6.23> CFLAGS="-O0 -ggdb" ./configure 
/tmp/sqlite-3.6.23> make
/tmp/sqlite-3.6.23> export LD_PRELOAD=.libs/libsqlite3.so
/tmp/sqlite-3.6.23> gdb .libs/sqlite3
Reading symbols from /tmp/sqlite-3.6.23/.libs/sqlite3...done.
(gdb) r -init script.sql
[Thread debugging using libthread_db enabled]
-- Loading resources from script.sql

_______________________________________________________________________________
     eax:00000000 ebx:B7FDDA10  ecx:00000008  edx:00000007     eflags:00010246
     esi:0804FE90 edi:080496E0  esp:BFFFD8F0  ebp:BFFFDA28     eip:B7F9D0A7
     cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I t s Z a P c 
[007B:BFFFD8F0]---------------------------------------------------------[stack]
BFFFD920 : B8 35 05 08  00 00 00 00 - FC 03 00 00  D8 4C 06 08 .5...........L..
BFFFD910 : 00 00 00 00  10 DA FD B7 - 48 D9 FF BF  AD A3 F6 B7 ........H.......
BFFFD900 : 00 00 00 00  B8 35 05 08 - F8 35 05 08  00 00 00 00 .....5...5......
BFFFD8F0 : C8 45 06 08  07 00 00 00 - FF FF FF FF  07 00 00 00 .E..............
[007B:0804FE90]---------------------------------------------------------[ data]
0804FE90 : 55 89 E5 57  56 53 E8 4F - 00 00 00 81  C3 75 22 00 U..WVS.O.....u".
0804FEA0 : 00 83 EC 0C  E8 1B 93 FF - FF 8D BB F0  FE FF FF 8D ................
[0073:B7F9D0A7]---------------------------------------------------------[ code]
0xb7f9d0a7 <sqlite3Insert+3613>:        mov    0xc(%eax),%esi
0xb7f9d0aa <sqlite3Insert+3616>:        mov    -0xac(%ebp),%edx
0xb7f9d0b0 <sqlite3Insert+3622>:        mov    %edx,%eax
0xb7f9d0b2 <sqlite3Insert+3624>:        shl    $0x2,%eax
0xb7f9d0b5 <sqlite3Insert+3627>:        add    %edx,%eax
0xb7f9d0b7 <sqlite3Insert+3629>:        shl    $0x2,%eax
------------------------------------------------------------------------------
0xb7f9d0a7 in sqlite3Insert (pParse=0x8064cd8, pTabList=0x8060358, pList=0x0, 
pSelect=0x0, pColumn=0x0, onError=0x63) at sqlite3.c:75798
75798           sqlite3ExprCodeAndCache(pParse, pList->a[j].pExpr, regCols+i+1);
(gdb) bt
#0  0xb7f9d0a7 in sqlite3Insert (pParse=0x8064cd8, pTabList=0x8060358, 
pList=0x0, pSelect=0x0, pColumn=0x0, onError=0x63) at sqlite3.c:75798
#1  0xb7fba1a2 in yy_reduce (yypParser=0x8065090, yyruleno=0xaf) at 
sqlite3.c:94450
#2  0xb7fbbef8 in sqlite3Parser (yyp=0x8065090, yymajor=0x16, yyminor=..., 
pParse=0x8064cd8) at sqlite3.c:95184
#3  0xb7fbcaad in sqlite3RunParser (pParse=0x8064cd8, zSql=0x8061598 "INSERT 
INTO current DEFAULT VALUES ('a', 'b', 30);", pzErrMsg=0xbfffdc30) at 
sqlite3.c:96010
#4  0xb7fa45c8 in sqlite3Prepare (db=0x80531d0, zSql=0x8061598 "INSERT INTO 
current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, saveSqlFlag=0x1, 
pReprepare=0x0, ppStmt=0xbfffdd1c, pzTail=0xbfffdd18) at sqlite3.c:79988
#5  0xb7fa4909 in sqlite3LockAndPrepare (db=0x80531d0, zSql=0x8061598 "INSERT 
INTO current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, 
saveSqlFlag=0x1, pOld=0x0, ppStmt=0xbfffdd1c, pzTail=0xbfffdd18) at 
sqlite3.c:80083
#6  0xb7fa4ac1 in sqlite3_prepare_v2 (db=0x80531d0, zSql=0x8061598 "INSERT INTO 
current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, ppStmt=0xbfffdd1c, 
pzTail=0xbfffdd18) at sqlite3.c:80158
#7  0x0804b452 in shell_exec (db=0x80531d0, zSql=0x8061598 "INSERT INTO current 
DEFAULT VALUES ('a', 'b', 30);", xCallback=0x804a361 <shell_callback>, 
pArg=0xbfffde78, pzErrMsg=0xbfffddd4) at shell.c:990
#8  0x0804ef31 in process_input (p=0xbfffde78, in=0x8053008) at shell.c:2236
#9  0x0804f28b in process_sqliterc (p=0xbfffde78, sqliterc_override=0xbffff5f4 
"script.sql") at shell.c:2370
#10 0x0804f6af in main (argc=0x3, argv=0xbffff454) at shell.c:2508
