Hi! A bug that crashes sqlite3 with a segmentation fault has been found. Please find attached the script that triggers it and a debug session log. As the log shows, the crash is a NULL pointer dereference in sqlite3Insert (pList=0x0 at the line `sqlite3ExprCodeAndCache(pParse, pList->a[j].pExpr, regCols+i+1);`) while preparing the statement `INSERT INTO current DEFAULT VALUES ('a', 'b', 30);`, so any process that prepares this SQL is taken down.
Tested and affected (crashes): linux 3.6.23, linux 3.6.22, linux 3.6.4, solaris 3.5.1
Tested and not affected: linux 2.8.17

Best wishes
Tomasz Nowak
/tmp/sqlite-3.6.23> CFLAGS="-O0 -ggdb" ./configure
/tmp/sqlite-3.6.23> make
/tmp/sqlite-3.6.23> export LD_PRELOAD=.libs/libsqlite3.so
/tmp/sqlite-3.6.23> gdb .libs/sqlite3
Reading symbols from /tmp/sqlite-3.6.23/.libs/sqlite3...done.
(gdb) r -init script.sql
[Thread debugging using libthread_db enabled]
-- Loading resources from script.sql
_______________________________________________________________________________
eax:00000000 ebx:B7FDDA10 ecx:00000008 edx:00000007 eflags:00010246
esi:0804FE90 edi:080496E0 esp:BFFFD8F0 ebp:BFFFDA28 eip:B7F9D0A7
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s Z a P c
[007B:BFFFD8F0]---------------------------------------------------------[stack]
BFFFD920 : B8 35 05 08 00 00 00 00 - FC 03 00 00 D8 4C 06 08 .5...........L..
BFFFD910 : 00 00 00 00 10 DA FD B7 - 48 D9 FF BF AD A3 F6 B7 ........H.......
BFFFD900 : 00 00 00 00 B8 35 05 08 - F8 35 05 08 00 00 00 00 .....5...5......
BFFFD8F0 : C8 45 06 08 07 00 00 00 - FF FF FF FF 07 00 00 00 .E..............
[007B:0804FE90]---------------------------------------------------------[ data]
0804FE90 : 55 89 E5 57 56 53 E8 4F - 00 00 00 81 C3 75 22 00 U..WVS.O.....u".
0804FEA0 : 00 83 EC 0C E8 1B 93 FF - FF 8D BB F0 FE FF FF 8D ................
[0073:B7F9D0A7]---------------------------------------------------------[ code]
0xb7f9d0a7 <sqlite3Insert+3613>: mov 0xc(%eax),%esi
0xb7f9d0aa <sqlite3Insert+3616>: mov -0xac(%ebp),%edx
0xb7f9d0b0 <sqlite3Insert+3622>: mov %edx,%eax
0xb7f9d0b2 <sqlite3Insert+3624>: shl $0x2,%eax
0xb7f9d0b5 <sqlite3Insert+3627>: add %edx,%eax
0xb7f9d0b7 <sqlite3Insert+3629>: shl $0x2,%eax
------------------------------------------------------------------------------
0xb7f9d0a7 in sqlite3Insert (pParse=0x8064cd8, pTabList=0x8060358, pList=0x0, pSelect=0x0, pColumn=0x0, onError=0x63) at sqlite3.c:75798
75798 sqlite3ExprCodeAndCache(pParse, pList->a[j].pExpr, regCols+i+1);
(gdb) bt
#0 0xb7f9d0a7 in sqlite3Insert (pParse=0x8064cd8, pTabList=0x8060358, pList=0x0, pSelect=0x0, pColumn=0x0, onError=0x63) at sqlite3.c:75798
#1 0xb7fba1a2 in yy_reduce (yypParser=0x8065090, yyruleno=0xaf) at sqlite3.c:94450
#2 0xb7fbbef8 in sqlite3Parser (yyp=0x8065090, yymajor=0x16, yyminor=..., pParse=0x8064cd8) at sqlite3.c:95184
#3 0xb7fbcaad in sqlite3RunParser (pParse=0x8064cd8, zSql=0x8061598 "INSERT INTO current DEFAULT VALUES ('a', 'b', 30);", pzErrMsg=0xbfffdc30) at sqlite3.c:96010
#4 0xb7fa45c8 in sqlite3Prepare (db=0x80531d0, zSql=0x8061598 "INSERT INTO current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, saveSqlFlag=0x1, pReprepare=0x0, ppStmt=0xbfffdd1c, pzTail=0xbfffdd18) at sqlite3.c:79988
#5 0xb7fa4909 in sqlite3LockAndPrepare (db=0x80531d0, zSql=0x8061598 "INSERT INTO current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, saveSqlFlag=0x1, pOld=0x0, ppStmt=0xbfffdd1c, pzTail=0xbfffdd18) at sqlite3.c:80083
#6 0xb7fa4ac1 in sqlite3_prepare_v2 (db=0x80531d0, zSql=0x8061598 "INSERT INTO current DEFAULT VALUES ('a', 'b', 30);", nBytes=0xffffffff, ppStmt=0xbfffdd1c, pzTail=0xbfffdd18) at sqlite3.c:80158
#7 0x0804b452 in shell_exec (db=0x80531d0, zSql=0x8061598 "INSERT INTO current DEFAULT VALUES ('a', 'b', 30);", xCallback=0x804a361 <shell_callback>, pArg=0xbfffde78, pzErrMsg=0xbfffddd4) at shell.c:990
#8 0x0804ef31 in process_input (p=0xbfffde78, in=0x8053008) at shell.c:2236
#9 0x0804f28b in process_sqliterc (p=0xbfffde78, sqliterc_override=0xbffff5f4 "script.sql") at shell.c:2370
#10 0x0804f6af in main (argc=0x3, argv=0xbffff454) at shell.c:2508